CVE-2020-35606
Published 2020-12-21
Priority: P2 · 73 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available (see references)
EPSS: 28.05% (97.9th percentile)
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webmin | webmin | <= 1.962 | — |
Detection & IOCs (extracted from sources)
- Request body pattern (other): `redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C<payload>%26%26`
- Detect POST requests to /package-updates/update.cgi containing URL-encoded newline/formfeed characters (%0A or %0C) in the 'u' parameter, which is the exploit injection vector.
- Detect POST bodies to /package-updates/update.cgi containing %0A%7C (URL-encoded newline + pipe) followed by %26%26 (URL-encoded double ampersand), indicating a command-injection bypass.
- Detect login attempts to /session_login.cgi with the cookie 'testing=1', a static value the exploit sends to pass the 'Error - No cookies' check.
- Detect the base64-encoded bash reverse-shell pattern in POST bodies: {echo,<base64>}|{base64,-d}|{bash,-i}, used as the exploit's payload delivery mechanism.
- Monitor Webmin traffic on port 10000 for the request sequence POST /session_login.cgi → GET /sysinfo.cgi → GET /package-updates/ → POST /package-updates/update.cgi, which matches the exploit's attack chain.
- Flag GET requests to /proc/index_tree.cgi with a Referer header of /sysinfo.cgi?xnavigation=1, a pre-exploitation step unique to this Metasploit module.
- Note: the exploit requires the authenticated user to have explicit authorization for the 'Package Updates' module in Webmin; this is not a pre-auth vulnerability.
- Note: the Metasploit module defaults to non-SSL (HTTP) on port 10000; detections should also cover HTTPS (SSL=true) variants on the same port.
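The detection items above, turned into matching logic run over a constructed set of request records. This is an added example, not code from the page's sources, from Webmin or from the Metasploit module; the request records, their field names (`method`, `path`, `body`, `headers`, `client`) and the finding labels are assumptions made for the example. Bodies are kept URL-encoded as they appear on the wire, because that is how the IoCs are stated, and the `u` parameter is inspected before decoding so the encoded control characters stay visible.

```python
import re
from urllib.parse import unquote

UPDATE_CGI = "/package-updates/update.cgi"
LOGIN_CGI = "/session_login.cgi"
INDEX_TREE_CGI = "/proc/index_tree.cgi"

# Ordered request chain from the detection notes; matched as a subsequence
# of one client's requests, so unrelated requests in between do not hide it.
ATTACK_CHAIN = [("POST", LOGIN_CGI), ("GET", "/sysinfo.cgi"),
                ("GET", "/package-updates/"), ("POST", UPDATE_CGI)]

CTRL_CHARS = re.compile(r"%0[AC]", re.IGNORECASE)            # URL-encoded LF or FF
PIPE_ANDAND = re.compile(r"%0A%7C.*%26%26", re.IGNORECASE)   # "\n|" ... "&&"
BRACE_SHELL = re.compile(r"\{echo,[A-Za-z0-9+/=]+\}\|\{base64,-d\}\|\{bash,-i\}")
TESTING_COOKIE = re.compile(r"(^|;\s*)testing=1(;|$)")

# Constructed sample records (not real traffic). Request 4 reuses the body
# pattern listed in the IoCs with "<payload>" kept as a URL-encoded placeholder;
# request 7 carries the brace-expansion pattern with harmless base64 ("QUJD" = "ABC").
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "method": "POST", "path": LOGIN_CGI,
     "body": "user=admin&pass=x", "headers": {"Cookie": "testing=1"}},
    {"client": "10.0.0.5", "method": "GET", "path": "/sysinfo.cgi", "body": "", "headers": {}},
    {"client": "10.0.0.5", "method": "GET", "path": INDEX_TREE_CGI, "body": "",
     "headers": {"Referer": "http://webmin.example:10000/sysinfo.cgi?xnavigation=1"}},
    {"client": "10.0.0.5", "method": "GET", "path": "/package-updates/", "body": "", "headers": {}},
    {"client": "10.0.0.5", "method": "POST", "path": UPDATE_CGI,
     "body": "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new"
             "&u=squid34%0A%7C%3Cpayload%3E%26%26", "headers": {}},
    {"client": "10.0.0.5", "method": "POST", "path": UPDATE_CGI,      # benign update
     "body": "mode=new&u=httpd", "headers": {}},
    {"client": "10.0.0.5", "method": "POST", "path": UPDATE_CGI,      # formfeed variant
     "body": "u=foo%0Cbar", "headers": {}},
    {"client": "10.0.0.5", "method": "POST", "path": UPDATE_CGI,
     "body": "u=x%0A%7Becho,QUJD%7D%7C%7Bbase64,-d%7D%7C%7Bbash,-i%7D", "headers": {}},
]


def raw_params(body):
    """Split a form body into (name, raw_value) pairs without decoding the
    value, so %0A / %0C remain matchable; '%26' inside a value is not a split."""
    pairs = []
    for part in body.split("&"):
        name, _, value = part.partition("=")
        pairs.append((unquote(name), value))
    return pairs


def findings_for(req):
    """Return the list of detection labels that fire for one request."""
    hits = []
    body = req.get("body", "")
    headers = req.get("headers", {})
    if req["method"] == "POST" and req["path"] == UPDATE_CGI:
        if any(name == "u" and CTRL_CHARS.search(value) for name, value in raw_params(body)):
            hits.append("u-param-control-char")
        if PIPE_ANDAND.search(body):
            hits.append("newline-pipe-andand")
    if req["path"] == LOGIN_CGI and TESTING_COOKIE.search(headers.get("Cookie", "")):
        hits.append("static-testing-cookie")
    if req["path"] == INDEX_TREE_CGI and headers.get("Referer", "").endswith("/sysinfo.cgi?xnavigation=1"):
        hits.append("index-tree-referer")
    if BRACE_SHELL.search(unquote(body)):
        hits.append("brace-expansion-reverse-shell")
    return hits


def chain_matches(requests):
    """True if the ordered requests contain the full login -> sysinfo ->
    package-updates -> update.cgi chain as a subsequence."""
    idx = 0
    for req in requests:
        if idx < len(ATTACK_CHAIN) and (req["method"], req["path"]) == ATTACK_CHAIN[idx]:
            idx += 1
    return idx == len(ATTACK_CHAIN)


def scan(requests):
    """Per-request findings (index -> labels) plus, per client, whether the
    request chain was seen."""
    per_request = {}
    for i, req in enumerate(requests):
        hits = findings_for(req)
        if hits:
            per_request[i] = hits
    clients = {req["client"] for req in requests}
    chains = {c: chain_matches([r for r in requests if r["client"] == c]) for c in clients}
    return per_request, chains


if __name__ == "__main__":
    per_request, chains = scan(SAMPLE_REQUESTS)
    for i, hits in per_request.items():
        print(f"request {i}: {', '.join(hits)}")
    print("attack chain seen per client:", chains)
```

The `u` check deliberately fires on %0C as well as %0A, since the advisory names both characters, and the benign update request (index 5) produces no finding, which is the false-positive case a practitioner would check first when turning these IoCs into a rule.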
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/160676/Webmin-1.962-Remote-Command-Execution.html
- https://www.exploit-db.com/exploits/49318
- https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html
- https://www.webmin.com/download.html