Webmin password_change.cgi Command Injection

Attacker Value: Very High (7 users assessed)
Exploitability: Very High (7 users assessed)
Description
An issue was discovered in Webmin through 1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
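The page does not reproduce the altered Perl in password_change.cgi, so the following is an added illustration, not Webmin's code: a Python model of a password-change handler whose error path hands the user-supplied `old` value to a shell (the flaw class described above), next to a hardened handler that never shells out and compares hashes in constant time, plus a small static check that flags shell sinks fed from request parameters in a Perl source file. The user records, the hashing scheme and the Perl snippet are all constructed for the example.

```python
import hashlib
import hmac
import re
import subprocess

# Constructed demo credential store (not Webmin's format or data).
SALT = b"demo-salt"


def _hash(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


USERS = {"root": _hash("correct horse"), "admin": _hash("hunter2")}


def vulnerable_password_change(user: str, old: str, new: str) -> str:
    """Model of the flaw: on a failed check, the 'old' parameter reaches a shell."""
    stored = USERS.get(user)
    if stored is not None and _hash(old) == stored:
        USERS[user] = _hash(new)
        return "changed"
    # Error path executes attacker-controlled text via the shell (modelled, not Webmin's code).
    result = subprocess.run(old, shell=True, capture_output=True, text=True)
    return "error: " + result.stdout.strip()


def hardened_password_change(user: str, old: str, new: str) -> str:
    """Hardened handler: no shell, constant-time compare, one generic error."""
    stored = USERS.get(user)
    candidate = _hash(old)  # always hash, so unknown users cost the same as known ones
    if stored is None or not hmac.compare_digest(candidate, stored):
        return "error"
    USERS[user] = _hash(new)
    return "changed"


# Heuristic static check: shell sinks (qx//, backticks, system, exec) on the same
# line as a CGI parameter read ($in{...}). A hit deserves manual review, not an
# automatic verdict; the pattern is an assumption of this example.
SHELL_SINK = re.compile(r"(qx[/{(]|`|\bsystem\s*\(|\bexec\s*\()")
PARAM_READ = re.compile(r"\$in\{")


def find_shell_sinks(perl_source: str) -> list:
    """Return (line_number, line) pairs where a shell sink sees a request parameter."""
    hits = []
    for number, line in enumerate(perl_source.splitlines(), start=1):
        if SHELL_SINK.search(line) and PARAM_READ.search(line):
            hits.append((number, line.strip()))
    return hits


# Constructed Perl fragment for the check (illustrative, not Webmin source).
SAMPLE_PERL = """\
$enc = &encrypt_password($in{'old'});
if ($enc ne $pass) {
    &error($text{'password_eold'}, qx/$in{'old'}/);
}
system("logger", "password changed");
"""

if __name__ == "__main__":
    print(vulnerable_password_change("nobody", "guess; echo INJECTED", "x"))
    print(hardened_password_change("nobody", "guess; echo INJECTED", "x"))
    print(find_shell_sinks(SAMPLE_PERL))
```

The vulnerable handler runs the injected `echo` even though no valid account was supplied, which matches the "valid username not needed" observation later on this page; the hardened one returns the same generic error whether the user is unknown or the password is wrong. The static check is a triage aid for an installed copy of the script and will miss sinks split across lines.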
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
This was a supply chain attack: http://www.webmin.com/exploit.html. The backdoor was introduced in a version that was “exploitable” in the default install. Version 1.890 is the money. Anything after requires a non-default setting.
Note that SourceForge installs are affected, but GitHub checkouts aren’t.
ETA: Metasploit added an exploit module.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
This is bound to have many vulnerable installations that may persist for some time, since webmin tends to be used by novice admins.
What type of attack was this? This is about how it was added to the code for Webmin, not how it results in remote code execution (RCE).
There is more information here on how the attack was carried out: http://www.webmin.com/exploit.html
From the article:
At some time in April 2018, the Webmin development build server was exploited and a vulnerability added to the password_change.cgi script. Because the timestamp on the file was set back, it did not show up in any Git diffs. This was included in the Webmin 1.890 release.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
This is a terrible situation for any development team. A hacker took over a server that managed webmin code and changed the code in a subtle way to allow them (or others) to execute commands as root on computers running Webmin. It took nearly a year and a half for the attack to be discovered and fixed.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
I tested Webmin v1.900 and the password change page was not available by default, however it is a reasonable option to have.
A valid username is not needed for the exploit, although the command injection did not work for me when I used the valid username root.
Ratings
- Attacker Value: Very High
- Exploitability: High
Technical Analysis
High Vulnerability
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
This vulnerability is very easy to exploit – without the need for any tools specialized for this attack.