![\"\"](\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/08\/2019-07-30-224808_1076x269_scrot-1024x256.png\")
<\/figure>\n\n\n\nRpc.cgi<\/h2>\n\n\n
After the XXE<\/a>, we found another bug in Webmin<\/a>. This time it’s rpc.cgi<\/em><\/a> which is vulnerable. More precisely a call to “unserialise_variable” function is done before than checking if the current user is root, admin or sysadm. As parameter of “unserialise_variable”, there is the content of the HTTP POST request :<\/p>\n\n\n In order to call rpc.cgi<\/em> and trigger the vulnerability we need 2 prerequisites :<\/p>\n Once these two conditions are met we can go further and look around unserialise_variable<\/em> in web-lib-funcs.pl<\/a> :<\/p>\n\n\n If someone POST an OBJECT it will be used directly in the “eval” statement and so… executed… as root. More precisely it’s $cls that will be executed which corresponds to the regexp match.<\/p>\n\n\n The only thing left to do is write our own code and display the result.<\/p>\n\n\n![\"\"](\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-31-110751_885x972_scrot.png\")
Web-lib-funcs.pl<\/h2>\n\n\n
\n
![\"\"](\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-31-112618_949x1358_scrot-716x1024.png\")
Exploit<\/h2>\n\n\n
![\"\"](\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-31-115451_638x484_scrot.png\")
<\/figure>\n\n\n\nResponse from vendor \/ fix<\/h2>\n\n\n
\n
![\"\"](\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/08\/2019-08-26-153120_1504x660_scrot-1024x449.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"