Hey there, hope you're enjoying oxasploits! Need a secure server setup, code review, vulnerability assessment, or a general technical consultation? You can hire me!
Background
Webmin contains two critical vulnerabilities in its Perl codebase. The first is a directory traversal that lets an unauthenticated user read arbitrary files, including Webmin's own logs. The second is an authenticated-only command execution bug in Perl's open()-for-read handling, which runs as root. Chained together: we read Webmin's log file, which contains a session cookie (I personally thought this part was clever), and hijack the last login to Webmin, going from unauthenticated to an authenticated session. That session is then the leverage to attack the /file/show.cgi application and run arbitrary code as root.
First we simply grab the session cookie out of Webmin's logfile using the directory traversal, ex:
Note: you'll need to use the hex character %01 to subvert the directory traversal filtering, ex:
Next we'll use the hijacked session to call open-for-read in show.cgi with the | character. This is a nuance of Perl's open(): when a file is opened for reading with the two-argument form, a trailing pipe makes Perl run the string as a command and hand back its output instead of opening a file.
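The root cause on the show.cgi side is the two-argument form of open(), where the mode is parsed out of the filename itself. The following is an added example, not Webmin's code, that puts the vulnerable form beside the hardened three-argument form and adds the input check a maintainer would want for the traversal filter (the `%01` bypass above works because the filter looks for `..` without rejecting control characters). All function names and the sample inputs are constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable form: two-argument open. Perl derives the mode from the string,
# so a name ending in '|' is executed as a command and its stdout is read.
sub read_file_twoarg {
    my ($path) = @_;
    open(my $fh, $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened form: three-argument open with an explicit '<' mode. '|', '>'
# and leading '<' in the path are now ordinary filename characters, so the
# pipe trick simply fails with "No such file or directory".
sub read_file_threearg {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Path check for the traversal side: reject control characters (this is
# what a bare '..' filter misses when %01 is spliced in), reject any '..'
# segment, and only then confine the result under a fixed base directory.
sub safe_path_under {
    my ($base, $rel) = @_;
    return undef if $rel =~ /[\x00-\x1f\x7f]/;          # control chars
    return undef if grep { $_ eq '..' } split m{/}, $rel; # traversal segment
    return "$base/$rel";
}

# Constructed demonstration inputs (no real Webmin paths involved).
my $base = "/tmp/demo_base";
for my $rel ("etc/motd", "..\x01/secret", "echo oops|") {
    my $p = safe_path_under($base, $rel);
    printf "%-16s -> %s\n", $rel, defined $p ? "allowed: $p" : "rejected";
}
# The hardened reader refuses the pipe form outright:
print "three-arg open of 'echo oops|': ",
      (defined read_file_threearg("echo oops|") ? "opened" : "refused"), "\n";
```

Run with `perl` on any system with no special setup; the two-argument function is included only for comparison and is never called in the demonstration.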