Webmin contains two critical vulnerabilities in its Perl code base. The first is a directory
traversal that lets you read arbitrary files, including Webmin's own logs. The second is an
authenticated-only code execution bug as root, caused by a Perl open-for-read in /file/show.cgi
that can be turned into command execution. To tie it all together, we are able to read Webmin's
log file, which contains a session cookie (I personally thought this part was clever), to go from
unauthenticated to hijacking the last login session used on Webmin, and then use that session as
leverage to attack the /file/show.cgi application and run arbitrary code as root.
First we simply grab the session cookie out of Webmin's log file with the directory traversal.
Note: you'll need to use the hex character %01 to subvert the directory traversal filtering.
Next we'll use the hijacked session to trigger the open-for-read in show.cgi with the | character.
This is a nuance of how Perl opens a file for reading: a pipe in the file name makes Perl run it
as a command and hand back the command's output instead of the contents of an opened file.