CVE-2019-15642
Published 2019-08-26
Priority P1 · 83 · high · CVSS 3.0 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS 38.04% (98.4th percentile)
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
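The mechanism named above (a string eval over an attacker-supplied object name) as an added Perl illustration of the CWE-94 pattern and of the shape a fix takes. This is not Webmin's unserialise_variable and not the upstream patch; the function names, the `require` inside the string eval, and the package-name validation regex are assumptions chosen to match the shape of the IOC payload listed further down this page (a class name followed by `;` and further Perl statements).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed vulnerable shape: the object name taken from the serialised RPC
# argument is spliced into Perl source text and handed to a string eval.
# Everything after the first ';' in $class is parsed and run as code.
# Illustration only, not Webmin's unserialise_variable.
sub load_class_unsafe {
    my ($class) = @_;
    eval "require $class; 1" or die "load failed: $@";
    return $class;
}

# Hardened shape: accept only a bare package name, then load it without a
# string eval. The character class admits no statement separator, quotes
# or backticks, so no attacker-controlled text ever reaches the parser.
sub load_class_safe {
    my ($class) = @_;
    $class =~ /\A[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*\z/
        or die "refusing object name '$class': not a bare package name\n";
    (my $file = "$class.pm") =~ s{::}{/}g;
    require $file;          # runtime file require, no source-level eval
    return $class;
}

# Constructed input mirroring the IOC on this page: a "class name" that is
# really a Perl statement list.
my $crafted = 'Socket;print "Content-Type: text/plain\n\n";print `id`';

eval { load_class_safe($crafted) };
print "safe: $@" if $@;                   # rejected before any code runs

print "safe: loaded ", load_class_safe('Socket'), "\n";   # core module, fine

# load_class_unsafe($crafted) would print the header and run `id`; it is
# deliberately not called here.
```

The point of the hardened version is not the regex alone but that the validated name is used as data (a file path for `require`) rather than being re-parsed as Perl source; rejecting `;` is what stops the IOC payload, and never re-entering the parser is what stops everything else.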
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webmin | webmin | <= 1.920 | — |
Detection & IOCs (extracted from sources)
path: /session_login.cgi
command: OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd=`id`;print "$cmd\n\n";
yara regex: 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)'
- Monitor POST requests to /rpc.cgi whose body contains the string 'OBJECT Socket', the literal used by the public exploit payload for CVE-2019-15642. The object name is attacker-chosen, so a more durable rule matches any OBJECT name that is not a bare Perl package name (one containing ';', quotes or backticks, as in the command IOC above) rather than the word Socket.
- Detect the two-step attack sequence: an initial POST to /session_login.cgi for authentication followed by a POST to /rpc.cgi with a crafted object name payload from the same source.
- Flag HTTP responses from /rpc.cgi whose body contains 'Content-type: text/plain' alongside uid/gid output (the YARA regex above), indicating that the injected `id` command ran and the RCE succeeded. This check needs a proxy or WAF that logs response bodies; a plain access log does not carry them.
- Use Shodan/FOFA queries 'title:"Webmin"' or 'title="webmin"' to identify exposed Webmin instances for proactive scanning.
- The vulnerability is in the unserialise_variable function, which makes an eval call on a crafted object name; look for Perl eval execution triggered from rpc.cgi in process/audit logs.
- Exploitation requires valid credentials (authenticated RCE); the default credential pairs admin/admin and root/root are used in known PoC tooling.
- Webmin's own documentation acknowledges that RPC grants full server access; access to rpc.cgi should be restricted to trusted users only.
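The three request/response rules above (crafted OBJECT name, login-then-rpc.cgi sequence, id output in the response) as runnable detection logic over constructed transaction records. This is an added example, not code from the page's sources or from any of the listed tools; the record layout (ts, src, method, path, body, resp) is an assumption about what a proxy or WAF that logs request and response bodies would provide, and the set of characters treated as legal in a Perl package name (word characters and '::') is likewise an assumption.

```python
import re
from datetime import datetime, timedelta

# Object name followed by anything that is not a Perl package-name character.
# The IOC on this page is 'OBJECT Socket;print ...'; matching the injected
# separator instead of the literal word 'Socket' also catches payloads that
# pick a different class name. Package-name characters assumed: \w and '::'.
OBJECT_INJECTION = re.compile(r"OBJECT\s+[\w:]*[^\w:\s]")

# Same pattern as the YARA regex above: output of id(1) in a response body.
ID_OUTPUT = re.compile(r"uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)")


def analyze(events, window=timedelta(minutes=10)):
    """Run the three detections over transaction records.

    Each record (layout assumed for this example) is a dict with keys
    ts (datetime), src, method, path, body (request body) and resp
    (response body). Returns a list of (src, ts, reason) findings.
    """
    findings = []
    last_login = {}  # src -> time of the most recent POST /session_login.cgi
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["method"] != "POST":
            continue  # the login and the exploit request are both POSTs
        if e["path"] == "/session_login.cgi":
            last_login[e["src"]] = e["ts"]
            continue
        if e["path"] != "/rpc.cgi":
            continue
        if OBJECT_INJECTION.search(e["body"]):
            findings.append((e["src"], e["ts"],
                             "rpc.cgi OBJECT name contains Perl code"))
            login = last_login.get(e["src"])
            if login is not None and e["ts"] - login <= window:
                findings.append((e["src"], e["ts"],
                                 "session_login.cgi followed by crafted rpc.cgi"))
        if ID_OUTPUT.search(e["resp"]):
            findings.append((e["src"], e["ts"],
                             "rpc.cgi response carries id(1) output: RCE succeeded"))
    return findings


def sample_events():
    """Constructed records: one attacker session and one benign RPC client."""
    t0 = datetime(2024, 1, 17, 10, 0, 0)
    payload = ('OBJECT Socket;print "Content-Type: text/plain\\n\\n";'
               '$cmd=`id`;print "$cmd\\n\\n";')
    return [
        {"ts": t0, "src": "10.0.0.5", "method": "POST",
         "path": "/session_login.cgi", "body": "user=admin&pass=admin",
         "resp": ""},
        {"ts": t0 + timedelta(seconds=4), "src": "10.0.0.5", "method": "POST",
         "path": "/rpc.cgi", "body": payload,
         "resp": "Content-Type: text/plain\n\nuid=0(root) gid=0(root) groups=0(root)\n"},
        # Well-formed object name from another client: must not fire.
        {"ts": t0 + timedelta(seconds=9), "src": "10.0.0.9", "method": "POST",
         "path": "/rpc.cgi", "body": "OBJECT Net::SSLeay", "resp": "OK"},
        {"ts": t0 + timedelta(seconds=12), "src": "10.0.0.9", "method": "GET",
         "path": "/rpc.cgi", "body": "", "resp": ""},
    ]


if __name__ == "__main__":
    for src, ts, reason in analyze(sample_events()):
        print(f"{ts:%H:%M:%S} {src} {reason}")
```

The sequence rule is keyed on source address within a ten-minute window; on a deployment behind a load balancer, key it on the Webmin session cookie instead, or every client will collapse onto one address.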
CVSS provenance
NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
VulnCheck: 8.8 HIGH
GHSA
GHSA-wf78-9xpm-m77r: rpc · ghsa_unreviewed · 2022-05-24 · CVE-2019-15642 [HIGH] · CWE-94
(Description identical to the NVD text above.)
VulnCheck
Webmin Webmin Improper Control of Generation of Code ('Code Injection') · vulncheck · 2019 · CVSS 8.8 · CVE-2019-15642 [HIGH]
(Description identical to the NVD text above.)
Affected: Webmin Webmin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-17&host_type=src&vulnerability=cve-2019-15642; https://dashboard.shadowserver.org/statis
No detection rules found.
Nuclei
Webmin < 1.920 - Authenticated Remote Code Execution · nuclei · CVSS 8.8 · CVE-2019-15642 [HIGH]
(Description identical to the NVD text above.)
Template:
```yaml
id: CVE-2019-15642
info:
  name: Webmin < 1.920 - Authenticated Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any fil
```
No writeups or analysis indexed.
References
- https://doxfer.webmin.com/Webmin/Webmin_Servers_Index
- https://github.com/webmin/webmin/blob/ab5e00e41ea1ecc1e24b8f8693f3495a0abb1aed/rpc.cgi#L26-L37
- https://github.com/webmin/webmin/commit/df8a43fb4bdc9c858874f72773bcba597ae9432c
- https://www.calypt.com/blog/index.php/authenticated-rce-on-webmin/