Attacker Value
Very High
(9 users assessed)
Exploitability
Very High
(9 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
23

Webmin password_change.cgi Command Injection

Disclosure Date: August 16, 2019 Last updated February 28, 2020
CVE-2019-15107
Exploited in the Wild
Reported by gdft2112
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated

Description

An issue was discovered in Webmin through 1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

Add Assessment

15
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This was a supply chain attack: http://www.webmin.com/exploit.html. The backdoor was introduced in a version that was “exploitable” in the default install. Version 1.890 is the money. Anything after requires a non-default setting.

Note that SourceForge installs are affected, but GitHub checkouts aren’t.

ETA: Metasploit added an exploit module.

Log in to Add Reply
4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Common in enterpriseEasy to weaponizeGives privileged access
Technical Analysis

Almost 2 years later and this is still found in the wild.

Log in to Add Reply
3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is a terrible situation for any development team. A hacker took over a server that managed webmin code and changed the code in a subtle way to allow them (or others) to execute commands as root on computers running Webmin. It took nearly a year and a half for the attack to be discovered and fixed.

Log in to Add Reply
2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

I tested Webmin v1.900 and the password change page was not available by default, however it is a reasonable option to have.
A valid username is not needed for the exploit, although the command injection did not work for me when I used the valid username root.

Log in to Add Reply
2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Log in to Add Reply
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Easy to weaponizeUnauthenticated
Technical Analysis

High Vulnerability

Log in to Add Reply
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged access
Technical Analysis

This vulnerability is very easy to exploit – without the need for any tools specialized for this attack.

Log in to Add Reply
0
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
UnauthenticatedVulnerable in default configuration
Technical Analysis

MetaSploit module available:
exploit/linux/http/webmin_backdoor

Description:
This module exploits a backdoor in Webmin versions 1.890 through
1.920. Only the SourceForge downloads were backdoored, but they are
listed as official downloads on the project’s site. Unknown
attacker(s) inserted Perl qx statements into the build server’s
source code on two separate occasions: once in April 2018,
introducing the backdoor in the 1.890 release, and in July 2018,
reintroducing the backdoor in releases 1.900 through 1.920. Only
version 1.890 is exploitable in the default install. Later affected
versions require the expired password changing feature to be
enabled.

Log in to Add Reply

General Information

Offensive Application
remote
Utility Class
rce
Ports
10000
OS
Unknown
Vulnerable Versions
Webmin <= v1.920
Prerequisites
Unknown
Discovered By
Özkan Mustafa Akkuş
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Exploited in the Wild

Reported by:
Reported: January 11, 2021 8:47am UTC (3 months ago)

Additional Info

Authenticated
Never
Exploitable
Always
Reliability
Very Strong
Stability
Very Strong
Available Mitigations
Very Strong
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis