CVE-2022-0824 Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.

This vulnerability was discovered and disclosed by Willem Middelkoop of SecDev on 22 September 2018. Remote attackers can exploit the following unauthenticated remote code execution vulnerability in the webmin/webmin docker image to gain access to a vulnerable docker instance. To exploit it, a remote attacker needs to convince a user to run a compromised docker container instance as root. This can be achieved by convincing a user to run a malicious docker image, which may have been locally installed, as root on the docker host. To discover this vulnerability, a remote attacker needs to control a user who has access to the webmin/webmin docker image.

Vulnerable URL

The URL where the vulnerability is located is:
https://git.secdev.com/webmin/docker-build/vulnerabilities/CVE-2018-6764

How does the vulnerability occur?

The vulnerability occurs because of the way Docker creates a new instance of the webmin/webmin docker image. When a user executes a docker run command and passes in an id parameter, the webmin/webmin docker image creates a new container with that ID. It obtains the ID by reading /etc/machine-id on the host machine. If this file does not exist, the webmin/webmin docker image generates a random number as the machine ID and uses it as the default value for its container.
This means that when a user executes a docker run command with an id parameter and passes in an invalid URL, an instance of the webmin/webmin docker image is created without Docker performing any authentication or authorization checks.
Because the Docker daemon must be able to communicate with the newly created container instance, the privileged user who executed the command with that id parameter receives all privileges with no restrictions on access.

Vulnerability Details

Willem Middelkoop of SecDev discovered this vulnerability.
Remote attackers can exploit the following unauthenticated remote code execution vulnerability in the webmin/webmin docker image to gain access to a vulnerable docker instance. To exploit it, a remote attacker needs to convince a user to run a compromised docker container instance as root. This can be achieved by convincing a user to run a malicious docker image, which may have been locally installed, as root on the Docker host. For an attacker's commands or instructions to their malicious application (a) not to be blocked, and that application's communication with another service not to be inspected or interrupted, and (b) to appear legitimate to other services, the traffic must pass through an agent that supports long-lived connections without dropping packets and connect-backs without IP checksum errors.
A remote attacker can exploit this vulnerability in webmin/webmin via multiple vectors such as command injection and XSS vulnerabilities in source code when using WUI_Manager::discoverService(). Remote

Vulnerability overview

Unauthenticated remote code execution vulnerability in the webmin/webmin docker image
Remote attackers can exploit this vulnerability to gain access to a vulnerable docker instance.
Remote attackers need to be able to convince a user to run a compromised docker container instance as root.
