Attacker Value
Very High
(9 users assessed)
Exploitability
Very High
(9 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
37

Webmin password_change.cgi Command Injection

Disclosure Date: August 16, 2019
Last updated: February 28, 2020
Exploited in the Wild

Description

An issue was discovered in Webmin through 1.920. The parameter old in password_change.cgi contains a command injection vulnerability.


15
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This was a supply chain attack: http://www.webmin.com/exploit.html. The backdoor was introduced in a version that was “exploitable” in the default install. Version 1.890 is the money. Anything after requires a non-default setting.

Note that SourceForge installs are affected, but GitHub checkouts aren’t.

ETA: Metasploit added an exploit module.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

Almost 2 years later and this is still found in the wild.

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is a terrible situation for any development team. A hacker took over a server that managed Webmin code and changed the code in a subtle way to allow them (or others) to execute commands as root on computers running Webmin. It took nearly a year and a half for the attack to be discovered and fixed.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

I tested Webmin v1.900 and the password change page was not available by default; however, it is a reasonable option to have.
A valid username is not needed for the exploit, although the command injection did not work for me when I used the valid username root.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

High Vulnerability

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This vulnerability is very easy to exploit – without the need for any tools specialized for this attack.

0
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Metasploit module available:
exploit/linux/http/webmin_backdoor

Description:
This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project’s site. Unknown attacker(s) inserted Perl qx statements into the build server’s source code on two separate occasions: once in April 2018, introducing the backdoor in the 1.890 release, and in July 2018, reintroducing the backdoor in releases 1.900 through 1.920. Only version 1.890 is exploitable in the default install. Later affected versions require the expired password changing feature to be enabled.
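
For defenders triaging hosts against the version ranges in the module description above, the following Python code is an added example (not part of any assessment on this page, and not Webmin or Metasploit code). It classifies a host from its version string and miniserv.conf text and flags qx use in password_change.cgi for manual review. Assumptions not stated on this page: that `passwd_mode=2` in miniserv.conf marks the expired-password change feature as enabled, the function names, and the sample inputs, which are constructed.

```python
import re
from decimal import Decimal

# Perl's qx operator followed by a common delimiter, e.g. qx/.../ or qx(...).
QX_RE = re.compile(r"\bqx\s*[/({\[<|!]")

def parse_conf(text):
    """Parse miniserv.conf-style key=value lines into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def qx_lines(cgi_source):
    """Return (line number, text) for non-comment lines that use qx."""
    return [(n, line.strip())
            for n, line in enumerate(cgi_source.splitlines(), 1)
            if not line.lstrip().startswith("#") and QX_RE.search(line)]

def triage(version_text, conf_text, cgi_source=""):
    """Classify a host using the version ranges quoted on this page."""
    version = Decimal(version_text.strip())
    # Assumption: passwd_mode=2 is how miniserv.conf records that the
    # expired-password change feature is enabled.
    change_enabled = parse_conf(conf_text).get("passwd_mode") == "2"
    if version == Decimal("1.890"):
        exposure = "reachable in default install"
    elif Decimal("1.900") <= version <= Decimal("1.920"):
        exposure = ("reachable: expired-password change enabled"
                    if change_enabled
                    else "dormant: expired-password change disabled")
    else:
        exposure = "outside affected range"
    return {"version": str(version), "exposure": exposure,
            "qx_hits": qx_lines(cgi_source)}

# Constructed sample inputs (not taken from a real host or from Webmin's source).
SAMPLE_CONF = "port=10000\n# comment\npasswd_mode=2\n"
SAMPLE_CGI = "#!/usr/bin/perl\n# qx/ignored in a comment/\nmy $out = qx/uptime/;\nprint $out;\n"

if __name__ == "__main__":
    print(triage("1.920\n", SAMPLE_CONF, SAMPLE_CGI))
```

A version inside the range does not prove the backdoor is present, since only the SourceForge downloads were affected; treat a qx hit as a prompt to compare the file against the GitHub source.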
