Attacker Value

Very High

Webmin password_change.cgi Command Injection

Disclosure Date: August 16, 2019 • Last updated February 28, 2020

CVE-2019-15107

Exploitability

(7 users assessed) Very High

Attack Vector

Unknown

Privileges Required

Unknown

User Interaction

Unknown

Easy to weaponize

Description

An issue was discovered in Webmin through 1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

Add Assessment

wvu-r7 (156)

August 21, 2019 3:12am UTC (11 months ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

This was a supply chain attack: http://www.webmin.com/exploit.html. The backdoor was introduced in a version that was “exploitable” in the default install. Version 1.890 is the money. Anything after requires a non-default setting.

Note that SourceForge installs are affected, but GitHub checkouts aren’t.

ETA: Metasploit added an exploit module.

busterb (296)

August 20, 2019 6:37pm UTC (11 months ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

This is bound to have many vulnerable installations that may persist for some time, since webmin tends to be used by novice admins.

See More &2 repliesSee Less

hack8080 (0) July 08, 2020 2:58pm UTC (3 weeks ago)•

What type of attack was this? how this was added to the code for Webmin, not how this results in remote code execution (RCE).

busterb (296) July 08, 2020 3:22pm UTC (3 weeks ago)

There is more information here on how the attack was carried out: http://www.webmin.com/exploit.html

From the article:

At some time in April 2018, the Webmin development build server was exploited and a vulnerability added to the password_change.cgi script. Because the timestamp on the file was set back, it did not show up in any Git diffs. This was included in the Webmin 1.890 release.

bwatters-r7 (83)

August 22, 2019 10:22pm UTC (11 months ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

This is a terrible situation for any development team. A hacker took over a server that managed webmin code and changed the code in a subtle way to allow them (or others) to execute commands as root on computers running Webmin. It took nearly a year and a half for the attack to be discovered and fixed.

sgonzalez-r7 (8)

August 26, 2019 4:31pm UTC (11 months ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

jrobles-r7 (39)

August 20, 2019 6:02pm UTC (11 months ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

I tested Webmin v1.900 and the password change page was not available by default, however it is a reasonable option to have.
A valid username is not needed for the exploit, although the command injection did not work for me when I used the valid username root.

69 (2)

February 28, 2020 4:26pm UTC (5 months ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Gives privileged access Easy to weaponize

Technical Analysis

This vulnerability is very easy to exploit – without the need for any tools specialized for this attack.

P1d0f (1)

July 10, 2020 4:11am UTC (3 weeks ago)

Ratings

Attacker Value

Very High

Exploitability

High

Easy to weaponize Unauthenticated

Technical Analysis

High Vulnerability

References

https://chybeta.github.io/2019/08/19/%E3%80%90CVE-2019-15107%E3%80%91-RCE-in-Webmin-1-920-via-password-change/
https://nvd.nist.gov/vuln/detail/CVE-2019-15107
https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html

Exploits

https://www.exploit-db.com/exploits/47230

Rapid7

Very High