Metasploit exploit available for webmin 1900!

Please look into this asap!


Yup, Jamie has already reviewed that :slight_smile:

His comment about that was:

“I already looked at this, and it’s not an exploit at all - for it to work, the attacker already has to have a webmin login with permissions to edit any file on the system, which means they are already root!”

Any user authorized to the “Java file manager” and “Upload and Download” fields can execute arbitrary commands with root privileges.
In addition, the “Running Processes” field must be authorized to discover the directory to be uploaded.
A vulnerable file can be printed on the original files of the Webmin application.
The vulnerable file we are uploading should be integrated with the application.
Therefore, a “.cgi” file with the vulnerability belonging to the Webmin application should be used.
The module has been tested successfully with Webmin 1900 over Debian 4.9.18.

Any user authorized to the “Java file manager” and “Upload and Download” fields

Is this then the case that the “any user” from above already has/is root?

If you’re worried about it, disable that module. It is long deprecated, anyway, and has been superseded by the new File Manager. But, as I understand it, you would have to grant users non-default permissions (basically giving them root access) in order for this to work. So…don’t do that. That advice applies to almost everything in Webmin; it is an administrative tool intended to assist system administrators in their work, so it is possible to grant users root-level access in many places. So, don’t grant root-level access to untrusted users.

I’ll ask Jamie if we can just remove that module; not because of this, as I don’t think it’s particularly concerning, but just because Java applets aren’t very user-friendly. Shipping a Java applet in 2019 is just not sustainable. Browsers make it very hard to run Java applets (and with good reason, given the history of them). And, we’ve had a better browser-native file manager in Webmin core for years now.
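The advice above comes down to an access-control audit: find any non-root Webmin user who has been granted the legacy Java File Manager together with Upload and Download, since that combination is root-equivalent, and remove the legacy module grant. The script below is an added example, not code from this thread or from the Webmin project. It assumes the classic `webmin.acl` line format `user: module module ...` and that the on-disk module names for the modules named in the thread are `file` (Java File Manager), `updown` (Upload and Download) and `proc` (Running Processes); the ACL text it runs on is constructed for the example.

```python
"""Audit a Webmin module ACL for root-equivalent module grants.

Added example (not Webmin's own code).  Assumes the classic webmin.acl
format: one line per user, "user: module module ...".  Module names below
are assumed to be the module directory names used by Webmin.
"""
from typing import Dict, Iterable, List, Set

# Assumed Webmin module directory names for the modules named in the thread.
JAVA_FILE_MANAGER = "file"   # legacy Java applet file manager
UPLOAD_DOWNLOAD = "updown"   # "Upload and Download"
RUNNING_PROCESSES = "proc"   # "Running Processes" (helps locate the upload dir)

# Holding both of these is root-equivalent per the thread.
ROOT_EQUIVALENT: Set[str] = {JAVA_FILE_MANAGER, UPLOAD_DOWNLOAD}


def parse_webmin_acl(text: str) -> Dict[str, Set[str]]:
    """Map each user to the set of modules granted in the ACL text."""
    acl: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        user, sep, modules = line.partition(":")
        if not sep:
            continue  # not a "user: modules" line; ignore
        acl[user.strip()] = set(modules.split())
    return acl


def find_root_equivalent_users(acl: Dict[str, Set[str]],
                               trusted: Iterable[str] = ("root",)) -> List[dict]:
    """Return non-trusted users holding the root-equivalent module pair."""
    trusted_set = set(trusted)
    findings = []
    for user, modules in sorted(acl.items()):
        if user in trusted_set:
            continue
        if ROOT_EQUIVALENT <= modules:
            findings.append({
                "user": user,
                "modules": sorted(ROOT_EQUIVALENT & modules),
                "can_list_processes": RUNNING_PROCESSES in modules,
            })
    return findings


def strip_modules(text: str, modules: Set[str],
                  trusted: Iterable[str] = ("root",)) -> str:
    """Rewrite the ACL text with the given modules removed from non-trusted
    users.  Comments, blank lines and line order are preserved."""
    trusted_set = set(trusted)
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        user, sep, granted = line.partition(":")
        if not line or line.startswith("#") or not sep or user.strip() in trusted_set:
            out.append(raw)
            continue
        kept = [m for m in granted.split() if m not in modules]
        out.append(f"{user.strip()}: {' '.join(kept)}".rstrip())
    return "\n".join(out) + "\n"


# Constructed sample ACL for the example (not from any real system).
SAMPLE_ACL = """\
# constructed sample webmin.acl
root: acl file filemin updown proc useradmin
alice: filemin updown
bob: file updown proc
carol: file
"""

if __name__ == "__main__":
    for f in find_root_equivalent_users(parse_webmin_acl(SAMPLE_ACL)):
        print(f"root-equivalent grant: {f['user']} -> {f['modules']}"
              f" (proc: {f['can_list_processes']})")
    print(strip_modules(SAMPLE_ACL, {JAVA_FILE_MANAGER}))
```

On the constructed input only `bob` is reported: `alice` has the new File Manager (`filemin`) rather than the legacy one, and `carol` holds the Java module alone. `strip_modules` then removes the legacy `file` grant from every non-root user, which is the per-user equivalent of the "disable that module" advice above and leaves the root entry untouched.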

Joe, thanks for the info.

No, only asking to be sure we’re not missing any info; we don’t use that part ourselves.