How To Hack Webmin <= 1.920 Using Metasploit & Remote Code Execution

by Sunny Hoi

UPDATE: The vendor has fixed this vulnerability by releasing version 1.930.

Prior versions are still vulnerable.


Introduction

A security researcher recently published a 0-day exploit for Webmin, a web-based server management control panel for Linux that lets a system administrator manage the server from a browser.

Webmin lets the sysadmin quickly change settings for common packages, including web servers and databases, and also manage software packages, users, and groups.

In this tutorial, we show how an attacker can replicate unauthenticated remote code execution with this exploit. More significantly, we analyze how the exploit works by walking through the Metasploit module.

Note that at the time of this article’s publication the vendor had not fixed this vulnerability (see the update above). This matters because blackhat hackers can take advantage of the flaw and exploit it to their benefit.

Bear in mind that the Metasploit module exploits an arbitrary command execution vulnerability in Webmin version 1.920 (the latest version at the time of publication) and earlier versions.

As long as the password-change feature is enabled, an unauthenticated attacker can execute arbitrary commands with root privileges.


1. Download The Unauthenticated RCE Metasploit Framework Module

Ensure that the module is available on your Linux system. Kali Linux is a convenient choice.

The password-change feature must be enabled on the target before the exploit can succeed.

An attacker can count on this feature being enabled on many servers, since numerous system administrators turn it on so that users can update their own passwords.

2. Download Webmin 1.920

For reference, download the Webmin 1.920 distribution from the vendor’s official website.

3. Open The password_change.cgi File In The webmin-1.920 Folder

In the “password_change.cgi” file we can see that the “passwd_mode” value in the “miniserv.conf” configuration file must be set to “2” for the exploit to work.

4. Confirm that the “passwd_mode” Value In The “miniserv.conf” configuration file is “2”.

5. Ensure That “Prompt users with expired passwords to enter a new one” Is Ticked In Webmin Configuration.

Under the “Authentication” section of “Webmin Configuration“, ensure that “Prompt users with expired passwords to enter a new one” is ticked. Saving this option writes the “2” value for “passwd_mode” into “miniserv.conf”, which is what “password_change.cgi” checks for.

Click the “Save” button to retain the settings. Users can now change their expired passwords after validating their old password.
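Steps 3 to 5 above boil down to two facts an administrator can check without touching a browser: whether “passwd_mode” is “2” in “miniserv.conf”, and whether the installed version predates the fixed release 1.930 noted in the update. The following audit script is an added example written for this article; it is not Webmin’s code or the Metasploit module. It assumes the key=value layout of “miniserv.conf”, that the version string lives in a file such as /etc/webmin/version, and that “passwd_mode=0” is the value written when the option is unticked; the sample config and version below are constructed.

```python
"""Added example (not from the article or Webmin): audit a Webmin install for the
two preconditions the article describes, passwd_mode=2 in miniserv.conf and a
version below the fixed release 1.930, and emit a remediated config."""
import re

FIXED_VERSION = (1, 930)  # per the article's update: fixed in 1.930


def parse_miniserv_conf(text):
    """miniserv.conf is one key=value per line; skip blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def parse_version(text):
    """Turn a Webmin version string such as '1.920' into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Webmin version: %r" % text)
    return (int(m.group(1)), int(m.group(2)))


def assess(conf, version_text):
    """Report the state the article's exploit depends on."""
    version = parse_version(version_text)
    vulnerable_version = version < FIXED_VERSION
    password_change_on = conf.get("passwd_mode") == "2"
    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "password_change_on": password_change_on,
        "exploitable": vulnerable_version and password_change_on,
    }


def disable_password_change(text):
    """Rewrite passwd_mode=2 to passwd_mode=0: the mitigation the article's
    conclusion describes (turn the user password-change function off).
    passwd_mode=0 as the 'off' value is an assumption of this example."""
    out = []
    for line in text.splitlines():
        if line.strip().startswith("passwd_mode="):
            line = "passwd_mode=0"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample input standing in for /etc/webmin/miniserv.conf and
# /etc/webmin/version on a 1.920 host (paths assumed; adjust to your install).
SAMPLE_CONF = """\
port=10000
root=/usr/share/webmin
ssl=1
passwd_mode=2
"""
SAMPLE_VERSION = "1.920\n"

if __name__ == "__main__":
    result = assess(parse_miniserv_conf(SAMPLE_CONF), SAMPLE_VERSION)
    print(result)
    if result["exploitable"]:
        print("remediated miniserv.conf:\n" + disable_password_change(SAMPLE_CONF))
```

On a real host, read the two files instead of the constructed strings, and remember that flipping “passwd_mode” only removes the precondition; upgrading to 1.930 or later removes the vulnerable code.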

6. Examine The “password_change.cgi” File For The Security Vulnerability.

Our observation shows that “password_change.cgi” passes the submitted old password to the “encrypt_password” function in the “acl/acl-lib.pl” file.

That function in turn calls another function, “unix_crypt“.

Inside “password_change.cgi”, the same “unix_crypt” function is called a second time under the “Validate old password” section.

7. Open Burp Suite & Transmit A Request Using Regular POST Data.

As expected, a request sent with ordinary POST data returns the error message “Failed to change password : The current password is incorrect“.

The vulnerability lies in the “old” parameter.

The value you send in ‘old‘ will normally differ from ‘new1‘ and ‘new2‘.

Keep in mind that it makes no difference whether the username, the old password, or any other field is accurate.

8. Make The “password_change.cgi” File Examine The Information In The “old” Parameter On The Web Server.

In the “old” parameter, type a vertical bar (|) followed by the ifconfig command and send the request to attempt command execution on the web server.

The response shows that our ifconfig command ran on the web server; its output is even returned in the page.
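Steps 6 to 8 describe the shape of the flaw: the old-password check itself is a hash comparison, but the submitted “old” value also reaches a shell, so a vertical bar followed by a command runs that command whether or not the username or password is right. The following is an added example written for this article, not Webmin’s Perl code: it rewrites that pattern in Python so the vulnerable and fixed validators can be run side by side on the same POST body. A salted SHA-256 stands in for unix_crypt, the credential store and request bodies are constructed, and the form field names user/old/new1/new2 are the ones the article shows.

```python
"""Added example, not Webmin's code: the flaw shape the article describes in the
"Validate old password" step of password_change.cgi, rewritten in Python so a
vulnerable and a fixed validator can be compared on identical input."""
import hashlib
import hmac
import subprocess
from urllib.parse import parse_qs

INCORRECT = "Failed to change password : The current password is incorrect"

SALT = b"ab"  # constructed; real Webmin derives the salt from the stored crypt hash


def hash_password(password):
    """Stand-in for unix_crypt(): salted SHA-256, constructed for this example."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


# Constructed credential store: one user with a known password.
STORED = {"root": hash_password("correct-horse")}


def validate_old_vulnerable(user, old):
    """The hash comparison is fine; the failure branch hands the raw 'old'
    value to a shell (stand-in for a Perl backtick/qx call), so 'wrong|id'
    runs id even when the username does not exist. Returns (ok, message)."""
    expected = STORED.get(user, "")
    if hmac.compare_digest(hash_password(old), expected):
        return True, "password accepted"
    # BUG: untrusted input interpreted by /bin/sh; output lands in the error page.
    leaked = subprocess.run(old, shell=True, capture_output=True, text=True).stdout
    return False, INCORRECT + "\n" + leaked


def validate_old_fixed(user, old):
    """Same comparison; untrusted input never reaches a shell."""
    expected = STORED.get(user, "")
    if hmac.compare_digest(hash_password(old), expected):
        return True, "password accepted"
    return False, INCORRECT


def handle_password_change(body, validate):
    """Parse the form-encoded POST body the article sends and run a validator."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return validate(form.get("user", ""), form.get("old", ""))


# Constructed request bodies: an honest attempt, and the injection the article
# describes (anything before '|' is just a wrong password; the shell runs the rest).
HONEST = "user=root&old=correct-horse&new1=newpass&new2=newpass"
INJECTED = "user=nobody&old=wrong|echo+injected&new1=a&new2=a"

if __name__ == "__main__":
    for name, validator in (("vulnerable", validate_old_vulnerable),
                            ("fixed", validate_old_fixed)):
        ok, message = handle_password_change(INJECTED, validator)
        print(f"{name}: ok={ok} message={message!r}")
```

Run as a script, the vulnerable validator returns the “incorrect password” error with the word injected appended, which is exactly the ifconfig-in-the-error-page behaviour observed in step 8; the fixed validator returns only the error. The fix is not input filtering but never letting the value reach a shell at all.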

9. Use MSFvenom To Transmit A Malicious Payload To The Web Server & Obtain Shell Session.

We will use a netcat payload, which works because our test server has netcat installed.

The shell session is accepted. Running the pwd command shows that the payload executed in the “acl” folder, since that is where the function called during password validation lives.

Conclusion

As we can see, Metasploit is extremely useful for security researchers, and an attacker can exploit this vulnerability with the same module.

Nonetheless, experienced system administrators may have the user password-change function disabled, which prevents the vulnerability from being exploited in the first place. Upgrading to version 1.930 or later, per the update above, removes the vulnerability altogether.
