CVE-2022-0824 Improper Access Control vulnerability in File Manager

This exploit takes advantage of the post-auth Improper Access Control vulnerability in File Manager. This exploit could be done by any less privileged authenticated attacker. It will download a .cgi file remotely from an attacker-controlled server and modify its permission to be a world-executables file. Once this is done, it will execute the .cgi file to establish a reverse connection to the attacker-controller server with root privileges.

Version affect:

Webmin 1.984 and below

POC public in the wild:

Affected endpoint:

http://{HOST}/extensions/file-manager/http_download.cgi

http://{HOST}/extensions/file-manager/chmod.cgi

Mitigation:

Upgrade webmin to last version

Restrict access webmin use VPN or access server