Webmin show.cgi Remote Command Execution

November 20, 2012

Webmin is a web-based system configuration tool for Unix-like systems, and the recent versions can also be installed and run on Windows. It can be used to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify and control open source apps, such as the Apache HTTP Server, PHP or MySQL. Webmin is largely based on Perl, running as its own process and web server. It defaults to TCP port 10000 for communicating, and can be configured to use SSL if OpenSSL is installed with additional required Perl Modules.

Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server can be accessed through Hypertext Transfer Protocol (HTTP) protocol on default port 10000. HTTP is a request/response protocol described in RFC documents. A typical HTTP session is:

 Client request   GET /index.html HTTP/1.1   Host: www.example.com  Server response   HTTP/1.1 200 OK   Date: Mon, 23 May 2005 22:38:34 GMT   Server: Apache/ (Unix) (Red-Hat/Linux)   Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT   Etag: "3f80f-1b6-3e1cb03b"   Accept-Ranges:  none   Content-Length: 438   Connection: close   Content-Type: text/html; charset=UTF-8 

According to the protocol, the client request can be supplied with multiple variables, for example:

   GET /index.html?var1=value1&var2=value2 HTTP/1.1   Host: www.example.com 

File Manager module is one of the Webmin modules. It is responsible for viewing, editing and changing permissions on files and directories on a system through a Windowslike file manager interface. For example, the following client request can be used to view files on the system:

   GET /file/show.cgi HTTP/1.1   Host: www.example.com 

A command-injection vulnerability exists in Webmin File Manager Module. The vulnerability is due to insufficient input validation of the user-supplied variables in requests sent to /file/show.cgi. A remote, authenticated attacker with access to File Manager module could exploit this vulnerability to execute arbitrary commands on the target machine in the security context of the vulnerable application, which is root privilege.

Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signatures to detect the attacks:

  • 8836 Webmin show.cgi Remote Command Execution
  • 9258 Webmin show.cgi Remote Command Execution 2

This vulnerability has been referred by CVE as CVE-2012-2982