LibreNMS 1.46 & Webmin - 1.910 'Package Updates' Remote Code Execution 2019

WebMin - 1.910
Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely. See the standard modules page for a list of all the functions built into Webmin.

Vulnerability
There is a vulnerability exist in the Package Update module in the Webmin - 1.910 through which an authenticated user with the access to the module is vulnerable to be able to remote code execution. Webmin is used port 10000 for its web interface and uses the system default user for the authentication and if the user is the root user of the machine can give full system access to the attacker and attacker might be able to pivot in the internal network if needed.

Proof of Concept
 

We crawl to the web interface of the Webmin - 1.910 on the port 10000 and we got a login form to access the control interface of the webmin.
 

We downloaded and loaded our Metasploit module for web exploitation. 

Prevention
As for the prevention of the vulnerability, update your webmin app for the latest one which has its vulnerability patched. If the development company doesn’t release any patches, then, you can use SSL only and turn off the HTTP service.


LibreNMS
LibreNMS is an auto discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more.

We intend LibreNMS to be a viable project and community that:
encourages contribution,
  • focuses on the needs of its users, and
  • offers a welcoming, friendly environment for everyone.
The Debian Social Contract will be the basis of our priority system, and mutual respect is the basis of our behavior towards others. For more about the culture we're trying to build, please read the Freenode philosophy, including guidelines for running an IRC channel and being a community catalyst.

Vulnerability
LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the $_POST['community'] parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost request that triggers html/includes/output/capture.inc.php command mishandling.




We created our web server hosting LibreNMS 1.46 tool on Ubuntu 18.04 Apache server and running on domain librenms.example.com. When we crawl the domain, we got our LibreNMS login page. As the tool has the authentication credentials as ‘admin: password’.

 

We set hosts as target machine IP ‘192.168.133.139’, vhost as our domain ‘librenms.example.com’, lhost as our attacker machine IP for listening ‘192.168.133.145’, username and password as the login credentials for the librenms web interface. When we run the module, we get the reverse shell back of the victim’s machine or server.





Prevention
Update the LibreNMS interface with the latest updates and check for the permissions given to the interface.

References
  1. http://www.webmin.com/
  2. https://www.exploit-db.com/exploits/46984
  3. https://www.librenms.org/
  4. https://github.com/librenms/librenms
  5. https://nvd.nist.gov/vuln/detail/CVE-2018-20434
     

Post a Comment

0 Comments