Improper Access Control to Remote Code Execution in webmin/webmin

Valid

Reported on Feb 17th 2022


Description

In Webmin v1.984, the File Manager module is affected: any authenticated low-privilege user without access rights to the File Manager module can still invoke its functions, such as downloading a file from a remote URL and changing file permissions (chmod). Chaining those two functions with a crafted .cgi file makes Remote Code Execution possible.

Proof of Concept

Affected endpoints:

1. http://{HOST}/extensions/file-manager/http_download.cgi

2. http://{HOST}/extensions/file-manager/chmod.cgi

Image: Safe User access rights

Image: Safe User profile

Request file: Download file from remote URL, pwd: 9ngpPzaJ9G

Request file: Change file permission (chmod), pwd: npSVrRhr01

Impact

This vulnerability allows modifying the OS file system and executing OS commands with the privileges of the running application.
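As an added defender-side check that is not part of the report: parse webmin.acl (the "user: module module ..." layout quoted later in the thread) together with CLF-style miniserv.log lines, and flag requests to the File Manager endpoints from users who were never granted the filemin module. The ACL and log lines are constructed samples, and the assumption that miniserv.log carries the Webmin username in the third field is mine, not the page's.

```python
import re

# Constructed sample of /etc/webmin/webmin.acl in the "user: module module ..." layout.
WEBMIN_ACL = """\
root: acl filemin useradmin webmin
safeuser:
webminadmin: useradmin filemin
"""

# Constructed miniserv.log lines; the Webmin username in the third field is an assumption.
MINISERV_LOG = """\
10.0.0.5 - safeuser [17/Feb/2022:10:01:02 +0000] "POST /extensions/file-manager/http_download.cgi HTTP/1.1" 200 512
10.0.0.5 - safeuser [17/Feb/2022:10:01:09 +0000] "POST /extensions/file-manager/chmod.cgi HTTP/1.1" 200 310
10.0.0.7 - root [17/Feb/2022:10:02:00 +0000] "POST /extensions/file-manager/chmod.cgi HTTP/1.1" 200 310
10.0.0.5 - safeuser [17/Feb/2022:10:03:00 +0000] "GET / HTTP/1.1" 200 2048
"""

# Request paths that belong to the File Manager ("filemin") module.
FILE_MANAGER_PREFIXES = ("/extensions/file-manager/", "/filemin/")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def parse_webmin_acl(text):
    """Map each Webmin user to the set of modules granted in webmin.acl (empty set if none)."""
    acl = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, mods = line.split(":", 1)
        acl[user.strip()] = set(mods.split())
    return acl

def find_unauthorized_filemin_requests(log_text, acl):
    """Return (user, path, timestamp) for File Manager requests by users lacking the filemin module."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string before matching
        if path.startswith(FILE_MANAGER_PREFIXES) and "filemin" not in acl.get(m.group("user"), set()):
            hits.append((m.group("user"), path, m.group("ts")))
    return hits

if __name__ == "__main__":
    for user, path, ts in find_unauthorized_filemin_requests(MINISERV_LOG, parse_webmin_acl(WEBMIN_ACL)):
        print(f"{ts} {user} reached {path} without the filemin module")
```

A user with an empty module list, like the safeuser entry in the thread's webmin.acl, is flagged on every File Manager request, while root's chmod.cgi call is not.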

We are processing your report and will contact the webmin team within 24 hours. 4 months ago
Faisal Fs modified the report 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the webmin team and are waiting to hear back 4 months ago
Faisal Fs modified the report 4 months ago
webmin
4 months ago

Maintainer


Can you post the contents of the file /etc/webmin/filemin/safeuser.acl ?

Faisal Fs
4 months ago

Researcher


@webmin, cat /usr/share/webmin/filemin/safeacl

allowed_paths=$HOME
work_as_root=0
work_as_user=0

Faisal Fs
4 months ago

Researcher


No such file as /etc/webmin/filemin/safeuser.acl. Only the config file is there.

webmin
4 months ago

Maintainer


Odd, looks like this user wasn't set up with limited permissions. How did you create this user originally?

Faisal Fs
4 months ago

Researcher


Create a low-privilege user via "System > Users and Groups" with Group Membership as user. Then create a new safe user in "Webmin > Webmin Users" with no access to any Tools module. You can refer to the safe user access rights in the image.

$ id safeuser
uid=1001(safeuser) gid=100(users) groups=100(users)

Faisal Fs
4 months ago

Researcher


/etc/webmin/webmin.acl

root: acl adsl-client ajaxterm apache at backup-config bacula-backup bandwidth bind8 change-user cluster-copy cluster-cron cluster-passwd cluster-shell cluster-software cluster-useradmin cluster-usermin cluster-webmin cpan cron custom dfsadmin dhcpd dovecot exim exports fail2ban fdisk fetchmail filemin filter firewall firewall6 firewalld fsdump grub heartbeat htaccess-htpasswd idmapd inetd init inittab ipfilter ipfw ipsec iscsi-client iscsi-server iscsi-target iscsi-tgtd jabber krb5 ldap-client ldap-server ldap-useradmin logrotate lpadmin lvm mailboxes mailcap man mon mount mysql net nis openslp package-updates pam pap passwd phpini postfix postgresql ppp-client pptp-client pptp-server proc procmail proftpd qmailadmin quota raid samba sarg sendmail servers shell shorewall shorewall6 smart-status smf software spam squid sshd status stunnel syslog-ng syslog system-status tcpwrappers telnet time tunnel updown useradmin usermin vgetty webalizer webmin webmincron webminlog wuftpd xinetd
safeuser: 
webminadmin: backup-config change-user webmincron usermin webminlog webmin servers acl bacula-backup init passwd quota mount fsdump ldap-client ldap-useradmin logrotate mailcap mon pam proc at cron package-updates software man syslog syslog-ng system-status useradmin apache bind8 dhcpd dovecot exim fetchmail jabber ldap-server mysql openslp postfix postgresql proftpd procmail qmailadmin mailboxes sshd samba sendmail spam squid sarg wuftpd webalizer adsl-client bandwidth fail2ban firewalld ipsec krb5 firewall firewall6 exports nis net xinetd inetd pap ppp-client pptp-client pptp-server stunnel shorewall shorewall6 tcpwrappers idmapd filter grub raid lvm fdisk lpadmin smart-status time vgetty iscsi-client iscsi-server iscsi-tgtd iscsi-target cluster-passwd cluster-copy cluster-cron cluster-shell cluster-software cluster-usermin cluster-useradmin cluster-webmin heartbeat shell custom filemin tunnel phpini cpan htaccess-htpasswd telnet status ajaxterm updown

/etc/webmin/safeuser.acl

negative=0
_safe=1
rpc=0
noconfig=1
root=
feedback=0
fileunix=

webmin validated this vulnerability 4 months ago
Faisal Fs has been awarded the disclosure bounty
The fix bounty is now up for grabs
webmin confirmed that a fix has been merged on 39ea46 4 months ago
The fix bounty has been dropped