Improper Access Control to Remote Code Execution in webmin/webmin
Reported on
Feb 17th 2022
Description
In Webmin v1.984, in the File Manager module, any authenticated low-privilege user without access rights to the File Manager module can still use file manager functionality such as downloading a file from a remote URL and changing file permissions (chmod). By chaining those functions in the file manager to place a crafted .cgi file, Remote Code Execution is possible.
Proof of Concept
Affected endpoint:
http://{HOST}/extensions/file-manager/http_download.cgi
http://{HOST}/extensions/file-manager/chmod.cgi
Image: Safe User access rights
Request file: Download file from remote URL, pwd: 9ngpPzaJ9G
Request file: Change file permission (chmod), pwd: npSVrRhr01
Impact
This vulnerability allows modifying the OS file system and executing OS commands with the privileges of the running application.
Can you post the contents of the file /etc/webmin/filemin/safeuser.acl ?
@webmin, cat /usr/share/webmin/filemin/safeacl
allowed_paths=$HOME
work_as_root=0
work_as_user=0
No such file in /etc/webmin/filemin/safeuser.acl. Only have config file.
Odd, looks like this user wasn't setup with limited permissions. How did you create this user originally?
Create a low-priv user via "System > Users and Groups" with Group Membership as user. Then, create a new safe user in "Webmin > Webmin Users" with no access to any Tools module. You can refer to the safe user access rights here (image).
$ id safeuser
uid=1001(safeuser) gid=100(users) groups=100(users)
/etc/webmin/webmin.acl
root: acl adsl-client ajaxterm apache at backup-config bacula-backup bandwidth bind8 change-user cluster-copy cluster-cron cluster-passwd cluster-shell cluster-software cluster-useradmin cluster-usermin cluster-webmin cpan cron custom dfsadmin dhcpd dovecot exim exports fail2ban fdisk fetchmail filemin filter firewall firewall6 firewalld fsdump grub heartbeat htaccess-htpasswd idmapd inetd init inittab ipfilter ipfw ipsec iscsi-client iscsi-server iscsi-target iscsi-tgtd jabber krb5 ldap-client ldap-server ldap-useradmin logrotate lpadmin lvm mailboxes mailcap man mon mount mysql net nis openslp package-updates pam pap passwd phpini postfix postgresql ppp-client pptp-client pptp-server proc procmail proftpd qmailadmin quota raid samba sarg sendmail servers shell shorewall shorewall6 smart-status smf software spam squid sshd status stunnel syslog-ng syslog system-status tcpwrappers telnet time tunnel updown useradmin usermin vgetty webalizer webmin webmincron webminlog wuftpd xinetd
safeuser:
webminadmin: backup-config change-user webmincron usermin webminlog webmin servers acl bacula-backup init passwd quota mount fsdump ldap-client ldap-useradmin logrotate mailcap mon pam proc at cron package-updates software man syslog syslog-ng system-status useradmin apache bind8 dhcpd dovecot exim fetchmail jabber ldap-server mysql openslp postfix postgresql proftpd procmail qmailadmin mailboxes sshd samba sendmail spam squid sarg wuftpd webalizer adsl-client bandwidth fail2ban firewalld ipsec krb5 firewall firewall6 exports nis net xinetd inetd pap ppp-client pptp-client pptp-server stunnel shorewall shorewall6 tcpwrappers idmapd filter grub raid lvm fdisk lpadmin smart-status time vgetty iscsi-client iscsi-server iscsi-tgtd iscsi-target cluster-passwd cluster-copy cluster-cron cluster-shell cluster-software cluster-usermin cluster-useradmin cluster-webmin heartbeat shell custom filemin tunnel phpini cpan htaccess-htpasswd telnet status ajaxterm updown
/etc/webmin/safeuser.acl
negative=0
_safe=1
rpc=0
noconfig=1
root=
feedback=0
fileunix=
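As an added example (not part of this report or of Webmin's own code), the Python below checks a Webmin request log against the module grants in /etc/webmin/webmin.acl (the one-line-per-user "user: module module ..." layout shown above) and flags file-manager requests made by users who were never granted the filemin module, which is the condition the report describes. The ACL contents and log lines are constructed samples; the log layout assumed is Apache common-log style, and LOG_RE is a hypothetical parser to adjust to your own miniserv.log. It goes beyond the two endpoints named in the report by matching the whole /extensions/file-manager/ prefix.

```python
import re

# Constructed sample in the layout of /etc/webmin/webmin.acl as shown in the
# thread: one line per Webmin user, "user: module module ...". The users and
# module lists here are assumptions for the demo, not the reporter's real file.
SAMPLE_WEBMIN_ACL = """\
root: acl filemin shell useradmin webmin
safeuser:
webminadmin: backup-config filemin shell useradmin
"""

# Constructed request log lines. The layout assumed here is Apache common-log
# style (host - user [time] "METHOD path HTTP/x" status bytes); adapt LOG_RE
# if your miniserv.log differs.
SAMPLE_LOG = """\
10.0.0.5 - safeuser [17/Feb/2022:10:01:12 +0000] "GET /extensions/file-manager/index.cgi HTTP/1.1" 200 512
10.0.0.5 - safeuser [17/Feb/2022:10:01:20 +0000] "POST /extensions/file-manager/http_download.cgi HTTP/1.1" 200 128
10.0.0.5 - safeuser [17/Feb/2022:10:01:25 +0000] "POST /extensions/file-manager/chmod.cgi?path=/home/safeuser HTTP/1.1" 200 128
10.0.0.9 - root [17/Feb/2022:10:02:00 +0000] "POST /extensions/file-manager/chmod.cgi HTTP/1.1" 200 128
10.0.0.5 - safeuser [17/Feb/2022:10:03:00 +0000] "GET /useradmin/index.cgi HTTP/1.1" 403 0
this line is not a log record
"""

FILE_MANAGER_PREFIX = "/extensions/file-manager/"  # endpoints named in the report
FILE_MANAGER_MODULE = "filemin"                      # module a user must be granted

# Hypothetical parser for the assumed common-log layout.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_webmin_acl(text):
    """Map each Webmin user to the set of modules granted in webmin.acl."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, modules = line.partition(":")
        acl[user.strip()] = set(modules.split())  # empty list -> no modules
    return acl


def parse_log_line(line):
    """Return the fields of one log record, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthorized_file_manager_requests(acl_text, log_text):
    """Return log records in which a user lacking the filemin module reached a
    file-manager endpoint. Only the path prefix is checked, so every
    file-manager CGI (not just the two named in the report) is covered."""
    acl = parse_webmin_acl(acl_text)
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(FILE_MANAGER_PREFIX):
            continue
        if FILE_MANAGER_MODULE in acl.get(rec["user"], set()):
            continue  # user is entitled to the file manager
        hits.append({"user": rec["user"], "host": rec["host"], "path": path,
                     "method": rec["method"], "status": int(rec["status"]),
                     "ts": rec["ts"]})
    return hits


if __name__ == "__main__":
    for h in find_unauthorized_file_manager_requests(SAMPLE_WEBMIN_ACL, SAMPLE_LOG):
        print(f"{h['ts']} {h['user']}@{h['host']} {h['method']} {h['path']} -> {h['status']}")
```

On the sample data the three safeuser requests to file-manager CGIs are reported and root's are not; a hit with status 200 is the signal worth alerting on, since a server that enforces the module ACL correctly should refuse such a request. The same ACL parse can also be used on its own to list which users hold filemin before deciding whether any of them should.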