Webmin 1.840/1.880 Local File Include (CVE-2018-8712)

I wanted to explain my finding from Webmin server that gained CVE-2018-8712. Some argued that it wasn’t an issue, and shouldn’t have been given a CVE, however, I felt it needed to be highlighted due to the nature in which it may look like a restricted user has limited access.

Webmin 1.840 – 1.880 – Unrestricted Arbitrary File Access using Local File Include

That’s quite the mouthful, and took me a while to get to that point. However, I won’t bore anyone with the details on how I thought it was a path traversal issue.

I have Webmin running on an Ubuntu server. The web application portal is served from the default port of 10000. All good. I have two users of the system. The admin and a limited user called Paul.

admin:x:1001:100:Webmin Admin:/home/admin:

paul:x:1002:1002::/home/paul

So far so good.

The user ‘Paul’ cannot load files from the root directory or any other protected files such as /etc/shadow.

As you can see, some files are restricted on the server to the user ‘Paul’ – If we switch over to Webmin, we will add the user ‘Paul’ and only allow access to see the system log files, via a restricted group.

If we navigate to:

Webmin > Webmin Users > Webmin Groups

Step through the process to ‘Convert Unix To Webmin Users’ > select the user ‘Paul’ and step through the wizard.

In this example, the group created is labelled ‘lvl1’

Dropping down the selection ‘Available Webmin modules’ will reveal the list of modules that you assume you are only giving the user ‘Paul’ access to on the server.

We can see that only the ‘System Logs’ tick box is selected out of the available settings. There are more below this screenshot, however, trust that it’s only ‘System Logs’ that are selected. Hitting ‘Save’ in this screen will save your current selection and reload the groups screen. From a System Administrator perspective, I’d assume that I’ve only given access to system logs for the user ‘Paul’.

You alert the user that they can now log in and start working on looking at all those juicy logs, and go about your day fighting network crime.

User ‘Paul’ logs in and is presented with a seriously limited view of the available Webmin modules:

All going well so far according to the System Administrator and the user. The user clicks on the System Logs link and is presented with a window of available logs to view.

The user clicks on the ‘View’ button and behold! is able to view the log.

Still at this point everything seems to be going the way the System Administrator is hoping. The user is restricted to only seeing system logs and can view them. Job done and away they go for the weekend. The keen-eyed user sets up an intercepting proxy such as Burp Suite, and starts to look at the HTTP requests in the background.

An interesting GET request using the ‘?file=’ parameter is being called in the background every time we load a file.

GET /syslog/save_log.cgi?oidx=&omod=&file=%2Fvar%2Flog%2Fauth.log&extra=&view=1&lines=20&idx=%2Fvar%2Flog%2Fapache2%2Ferror.log&filter= HTTP/1.1

By just changing the file that is called, we can load any file from the server that we want. Including ‘/etc/shadow’ as shown below:

(I don’t care that you might be able to crack the password. It’s a test account and never used anywhere else.)

For the Advisory, I tried to make the URL as short as possible just to see if it would still load the file, and it can be shortened to the URL below:

GET /syslog/save_log.cgi?view=1&file=/etc/shadow HTTP/1.1

It was at this point where I sat down and realised that this shouldn’t be allowed. The user ‘Paul’ can’t see these files when logged into the server so how is it possible? I contacted the developer, Jamie, to get further clarification and he had a conversation with me over a few days where I was still able to make the LFI work despite trying to restrict the user through Webmin. Only one setting in Webmin prohibits loading arbitrary files as log files and you can find it below:

Webmin > Webmin Users > Webmin Groups > Select Group  > Available Webmin Modules > System Logs

  • Can view any files as a log? – ‘No’

If this setting was configured to prohibit any file as a log, this issue would not exist. Nothing prevents the loading of arbitrary files in Webmin until you set the above setting to ‘No’.

Referer Protection

As a little caveat, Webmin comes configured with a default setting that basically prevents you from modifying the URL. That’s the easy way of putting it. In the ‘/etc/webmin/config’ file is a setting ‘referers_none=1’

If you try to load the ‘/etc/shadow’ file with the setting on, you get a Security Warning about people trying to launch XSS.

Oh no, my time has been wasted!! Or has it?

A little digging into the Webmin data showed me that all I had to do was add a Referer HTTP Header and I was golden. What better header to add than the URL that is called before we load the file.

Referer: https://192.168.75.150:10000/index.cgi?xhr-manage-config=1&load=1

Accessing the file again with the Referer header added gives us access to the ‘/etc/shadow’ file once again as the restricted user ‘Paul’.
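Because the Referer check does not stop the request, detection has to key on the ‘file’ parameter itself. The following is an added example, not code from the original post or from Webmin: it scans access-log lines for save_log.cgi requests whose ‘file’ value resolves outside an allowed log directory. The Common Log Format layout, the /var/log allow-list and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the only directory a log-only user should ever read from.
ALLOWED_ROOTS = ("/var/log",)

# Assumption: Common Log Format: host ident user [time] "METHOD url PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_file_param(url):
    """Return the resolved path if save_log.cgi is asked for a file outside ALLOWED_ROOTS."""
    parts = urlsplit(url)
    if not parts.path.endswith("/syslog/save_log.cgi"):
        return None
    for raw in parse_qs(parts.query).get("file", []):  # parse_qs percent-decodes values
        path = posixpath.normpath(raw)                 # collapse any ../ segments first
        if not any(path == r or path.startswith(r + "/") for r in ALLOWED_ROOTS):
            return path
    return None


def scan(lines):
    """Return (user, client, resolved_path, status) for every flagged request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, user, _method, url, status = m.groups()
        path = suspicious_file_param(url)
        if path:
            hits.append((user, host, path, int(status)))
    return hits


# Constructed sample lines (not real logs): one legitimate view, two that leave /var/log.
SAMPLE = [
    '192.0.2.10 - paul [12/Mar/2018:10:01:02 +0000] "GET /syslog/save_log.cgi?oidx=&omod=&file=%2Fvar%2Flog%2Fauth.log&extra=&view=1&lines=20 HTTP/1.1" 200 5120',
    '192.0.2.10 - paul [12/Mar/2018:10:03:40 +0000] "GET /syslog/save_log.cgi?view=1&file=/etc/shadow HTTP/1.1" 200 1480',
    '192.0.2.10 - paul [12/Mar/2018:10:04:11 +0000] "GET /syslog/save_log.cgi?view=1&file=%2Fvar%2Flog%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1480',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A 200 status on a flagged line means the file was served, so those users’ group settings should be reviewed first.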

Summary

This was such a good experience to go through. Not only finding a flaw in open source software, but helping to fix it was also important. Gaining a CVE for it was icing on the cake. It was a great exercise in stepping through various issues to prove that an issue exists despite small changes to settings that may prevent the loading of files.

Today I learned that CVSS scores have started to surface for this vulnerability and that Tenable have also included it as a ‘High’ in Nessus.

IBM X-Force – CVSSv3 score: 7.5

Tenable Nessus – CVSSv3 score: 8.1