CVE-2019-9624
Published 2019-03-07
Priority: P2 · 64 · high · 7.8 (CVSS 3.0)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 23.69% (97.5th percentile)
Webmin 1.900 allows remote attackers to execute arbitrary code by leveraging the "Java file manager" and "Upload and Download" privileges to upload a crafted .cgi file via the /updown/upload.cgi URI.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webmin | webmin | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /updown/upload.cgi containing multipart/form-data with a .cgi file upload, a strong indicator of CVE-2019-9624 exploitation.
- Alert on HTTP requests to /file/show.cgi where the URI path contains pipe characters (|), indicating command injection via path traversal.
- Flag Webmin traffic on port 10000 where a POST to /session_login.cgi is followed by access to /proc/index_tree.cgi and then /updown/upload.cgi within the same session; this sequence matches the full exploit chain.
- Inspect multipart upload bodies to /updown/upload.cgi for embedded Perl CGI content (e.g., references to miniserv.pl paths), indicating overwrite of a legitimate Webmin CGI file.
- Detect the Referer header value /updown/?xnavigation=1 on POST requests to /updown/upload.cgi, which is hardcoded in the Metasploit module.
- Exploitation requires the authenticated user to have both 'Java file manager' and 'Upload and Download' privileges; accounts without these module authorizations are not directly exploitable via this vector.
- The exploit's directory-discovery step relies on the 'Running Processes' (proc) privilege being granted; without it, the module falls back to guessing a default installation path (GUESSUPLOAD option).
- The Metasploit module defaults to SSL (HTTPS) on port 10000; detections scoped only to plaintext HTTP on that port may miss the majority of real-world exploitation attempts.
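The request-level indicators above can be checked in server-side access logs, which still see the request line and Referer when the traffic is HTTPS. The following is an added example, not part of the original page or of any vendor rule: the combined-style log layout, the sample lines, the `detect` function and its finding names are all assumptions, and client IP stands in for "session". Upload bodies and filenames are not in access logs, so the .cgi and Perl-content checks are out of scope here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache-style combined format (an assumption;
# adjust LINE to the access-log layout your Webmin host really writes).
SAMPLE_LOG = """\
198.51.100.7 - - [07/Mar/2019:10:00:01 +0000] "POST /session_login.cgi HTTP/1.1" 302 0 "-" "ua"
198.51.100.7 - admin [07/Mar/2019:10:00:03 +0000] "GET /proc/index_tree.cgi HTTP/1.1" 200 9120 "-" "ua"
198.51.100.7 - admin [07/Mar/2019:10:00:05 +0000] "POST /updown/upload.cgi?id=1 HTTP/1.1" 200 512 "https://wm.example:10000/updown/?xnavigation=1" "ua"
203.0.113.9 - ops [07/Mar/2019:11:30:00 +0000] "POST /updown/upload.cgi?id=2 HTTP/1.1" 200 512 "https://wm.example:10000/updown/" "ua"
203.0.113.9 - ops [07/Mar/2019:11:31:00 +0000] "GET /file/show.cgi/x|y HTTP/1.1" 200 10 "-" "ua"
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" \d+ \S+ "(?P<ref>[^"]*)"')
# Ordered request chain from the list above; None means any HTTP method.
CHAIN = [("POST", "/session_login.cgi"), (None, "/proc/index_tree.cgi"),
         ("POST", "/updown/upload.cgi")]

def detect(log_text, window=timedelta(minutes=10)):
    """Return sorted (client_ip, finding) pairs for the indicators listed above."""
    findings, progress = set(), {}   # progress: ip -> (next chain index, chain start)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, method, ref = m["ip"], m["method"], m["ref"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["uri"].split("?", 1)[0]
        if path.startswith("/file/show.cgi") and ("|" in path or "%7c" in path.lower()):
            findings.add((ip, "pipe-in-show-cgi-path"))
        if method == "POST" and path == "/updown/upload.cgi":
            findings.add((ip, "upload-post"))
            if ref.endswith("/updown/?xnavigation=1"):
                findings.add((ip, "metasploit-referer"))
        step, start = progress.get(ip, (0, ts))
        if step and ts - start > window:
            step, start = 0, ts          # chain went stale, start over
        want_method, want_path = CHAIN[step]
        if path == want_path and want_method in (None, method):
            step, start = step + 1, (ts if step == 0 else start)
            if step == len(CHAIN):
                findings.add((ip, "login-proc-upload-chain"))
                step = 0
        progress[ip] = (step, start)
    return sorted(findings)
```

A bare `upload-post` finding is expected from legitimate use of the Upload and Download module; the chain and Referer findings are the ones worth alerting on.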
CVSS provenance
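| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |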
No detection rules found.
Exploit-DB
Webmin 1.900 - Remote Command Execution (Metasploit)
exploitdb·2019-01-18
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'uri'
class MetasploitModule 'Webmin 1.900 - Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in Webmin
1.900 and lower versions. Any user authorized to the "Java file manager"
and "Upload and Download" fields can execute arbitrary commands with root privileges.
In addition, "Running Processes" field must be authorized to discover the directory to be uploaded.
A vulnerable file can be printed on the original files of the Webmin application.
The vulnerable file we are uploading should be integrated with th
Metasploit
Webmin Upload Authenticated RCE
metasploit
This module exploits an arbitrary command execution vulnerability in Webmin 1.900 and lower versions. Any user authorized to the "Upload and Download" module can execute arbitrary commands with root privileges. In addition, if the 'Running Processes' (proc) privilege is set the user can accurately determine which directory to upload to. Webmin application files can be written/overwritten, which allows remote code execution. The module has been tested successfully with Webmin 1.900 on Ubuntu v18.04. Using GUESSUPLOAD attempts to use a default installation path in order to trigger the exploit.
No writeups or analysis indexed.
- http://www.rapid7.com/db/modules/exploit/unix/webapp/webmin_upload_exec
- https://pentest.com.tr/exploits/Webmin-1900-Remote-Command-Execution.html
- https://www.exploit-db.com/exploits/46201