cbcvebase.
CVE-2020-35606
published 2020-12-21

CVE-2020-35606: Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root…

Priority: P2 · 73 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 28.05% (97.9th percentile)
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.

Affected

1 range
Vendor   Product   Version range   Fixed in
webmin   webmin    <= 1.962        (none listed)

Detection & IOCs (extracted from sources)

url: /session_login.cgi
url: /package-updates/update.cgi
cookie: testing=1
cookie: sid=<session_id>
port: 10000
command: bash -c "{echo,<base64payload>}|{base64,-d}|{bash,-i}"
other: redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C<payload>%26%26
  • Detect POST requests to /package-updates/update.cgi containing URL-encoded newline/formfeed characters (%0A or %0C) in the 'u' parameter, which is the exploit injection vector.
  • Detect POST body to /package-updates/update.cgi containing %0A%7C (URL-encoded newline + pipe) followed by %26%26 (double ampersand), indicating command injection bypass.
  • Detect login attempts to /session_login.cgi with the cookie 'testing=1', a static value required by the exploit to bypass the 'Error - No cookies' check.
  • Detect the base64-encoded bash reverse shell command pattern in POST bodies: {echo,<base64>}|{base64,-d}|{bash,-i}, used as the exploit payload delivery mechanism.
  • Monitor Webmin traffic on port 10000 for sequential requests: POST /session_login.cgi → GET /sysinfo.cgi → GET /package-updates/ → POST /package-updates/update.cgi, which matches the exploit's attack chain.
  • Flag GET requests to /proc/index_tree.cgi with a Referer header of /sysinfo.cgi?xnavigation=1, which is a pre-exploitation step unique to this Metasploit module.
  • The exploit requires the authenticated user to have explicit authorization to the 'Package Updates' module in Webmin; it is not a pre-auth vulnerability.
  • The Metasploit module defaults to non-SSL (HTTP) on port 10000; detections should also cover HTTPS (SSL=true) variants on the same port.
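The following is an added example, not code from this record or from Webmin, showing the first three detection bullets above as a small request classifier: it URL-decodes the 'u' parameter of POSTs to /package-updates/update.cgi and flags embedded newline or formfeed characters, matches the raw %0A%7C … %26%26 bypass shape, and flags logins to /session_login.cgi carrying the static testing=1 cookie. The request-record format (method, path, body, cookie) and the sample records are constructed; the injected command in the sample vector is replaced by the literal token PLACEHOLDER.

```python
"""Request classifier for the CVE-2020-35606 detection bullets (added example)."""
import re
from urllib.parse import parse_qs

UPDATE_CGI = "/package-updates/update.cgi"
LOGIN_CGI = "/session_login.cgi"

# URL-encoded newline + pipe, later followed by URL-encoded "&&" (the bypass shape).
NEWLINE_PIPE_AMP = re.compile(r"%0A%7C.*%26%26", re.IGNORECASE)


def parse_cookie(header):
    """Split a Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def classify_request(req):
    """Return the detection labels that fire for one request record.

    req is a constructed dict with keys method, path, body, cookie, standing in
    for what a WAF or reverse-proxy log would supply."""
    findings = []
    method, path = req["method"].upper(), req["path"]
    body = req.get("body", "")

    if method == "POST" and path == UPDATE_CGI:
        # parse_qs URL-decodes values, so %0A / %0C become real control
        # characters inside the 'u' parameter (the injection vector).
        params = parse_qs(body, keep_blank_values=True)
        if any("\n" in v or "\x0c" in v for v in params.get("u", [])):
            findings.append("control-char-in-u")
        # Match the raw (still encoded) body for the newline-pipe ... && shape.
        if NEWLINE_PIPE_AMP.search(body):
            findings.append("newline-pipe-ampersand")

    if path == LOGIN_CGI and parse_cookie(req.get("cookie", "")).get("testing") == "1":
        findings.append("static-testing-cookie")

    return findings


def scan(requests):
    """Return (index, findings) for every request that triggers a detection."""
    hits = []
    for i, req in enumerate(requests):
        findings = classify_request(req)
        if findings:
            hits.append((i, findings))
    return hits


# Constructed sample records (not captured traffic).
SAMPLE_REQUESTS = [
    # 0: login carrying the static cookie named in the detection bullets
    {"method": "POST", "path": LOGIN_CGI, "body": "user=bob&pass=x",
     "cookie": "testing=1"},
    # 1: ordinary login with only a session cookie
    {"method": "POST", "path": LOGIN_CGI, "body": "user=bob&pass=x",
     "cookie": "sid=abc123"},
    # 2: the vector shape from this record, injected command replaced by PLACEHOLDER
    {"method": "POST", "path": UPDATE_CGI, "cookie": "sid=abc123",
     "body": "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server"
             "&mode=new&u=squid34%0A%7CPLACEHOLDER%26%26"},
    # 3: legitimate package update request
    {"method": "POST", "path": UPDATE_CGI, "cookie": "sid=abc123",
     "body": "mode=new&u=squid"},
    # 4: formfeed (%0C) variant without the pipe/ampersand shape
    {"method": "POST", "path": UPDATE_CGI, "cookie": "sid=abc123",
     "body": "mode=new&u=squid%0CPLACEHOLDER"},
]

if __name__ == "__main__":
    for index, labels in scan(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index]["path"], labels)
```

The decode-then-inspect step matters: a rule that only greps for the literal "%0A" misses double-encoded or mixed-case variants, while inspecting the decoded value of 'u' catches any encoding that resolves to a newline or formfeed. Keep the raw-body regex as a second, cheaper signal rather than the only one.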

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C