Webmin password_change.cgi Command Injection

Attacker Value

Very High

Webmin password_change.cgi Command Injection

Description

An issue was discovered in Webmin through 1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

Add Assessment

wvu-r7 (437)

August 21, 2019 3:12am UTC (5 years ago)•Edited 10 months ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

This was a supply chain attack: http://www.webmin.com/exploit.html. The backdoor was introduced in a version that was “exploitable” in the default install. Version 1.890 is the money. Anything after requires a non-default setting.

Note that SourceForge installs are affected, but GitHub checkouts aren’t.

ETA: Metasploit added an exploit module.

busterb (317)

August 20, 2019 6:37pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

This is bound to have many vulnerable installations that may persist for some time, since webmin tends to be used by novice admins.

See More &2 repliesSee Less

hack8080 (0) July 08, 2020 2:58pm UTC (4 years ago)•

What type of attack was this? how this was added to the code for Webmin, not how this results in remote code execution (RCE).

busterb (317) July 08, 2020 3:22pm UTC (4 years ago)•Edited 3 years ago

There is more information here on how the attack was carried out: http://www.webmin.com/exploit.html

From the article:

At some time in April 2018, the Webmin development build server was exploited and a vulnerability added to the password_change.cgi script. Because the timestamp on the file was set back, it did not show up in any Git diffs. This was included in the Webmin 1.890 release.

ZM-20-20 (5)

January 30, 2021 1:40am UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

Very High

Exploitability

High

Common in enterprise Easy to weaponize Gives privileged access

Technical Analysis

Almost 2 years later and this is still found in the wild.

bwatters-r7 (197)

August 22, 2019 10:22pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

This is a terrible situation for any development team. A hacker took over a server that managed webmin code and changed the code in a subtle way to allow them (or others) to execute commands as root on computers running Webmin. It took nearly a year and a half for the attack to be discovered and fixed.

jrobles-r7 (40)

August 20, 2019 6:02pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

I tested Webmin v1.900 and the password change page was not available by default, however it is a reasonable option to have.
A valid username is not needed for the exploit, although the command injection did not work for me when I used the valid username root.

sgonzalez-r7 (8)

August 26, 2019 4:31pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

P1d0f (2)

July 10, 2020 4:11am UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

High

Easy to weaponize Unauthenticated

Technical Analysis

High Vulnerability

69 (2)

February 28, 2020 4:26pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access

Technical Analysis

This vulnerability is very easy to exploit – without the need for any tools specialized for this attack.

KoelhoSec (1)

April 09, 2021 2:48am UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Unauthenticated Vulnerable in default configuration

Technical Analysis

MetaSploit module available:
exploit/linux/http/webmin_backdoor

Description:
This module exploits a backdoor in Webmin versions 1.890 through
1.920. Only the SourceForge downloads were backdoored, but they are
listed as official downloads on the project’s site. Unknown
attacker(s) inserted Perl qx statements into the build server’s
source code on two separate occasions: once in April 2018,
introducing the backdoor in the 1.890 release, and in July 2018,
reintroducing the backdoor in releases 1.900 through 1.920. Only
version 1.890 is exploitable in the default install. Later affected
versions require the expired password changing feature to be
enabled.

Metasploit Modules

exploit/linux/http/webmin_backdoor (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webmin_backdoor.rb)

Exploited in the Wild

Reported by:

gdft2112

Reported: January 11, 2021 8:47am UTC (3 years ago)

gwillcox-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Threat Feed (https://unit42.paloaltonetworks.com/mirai-variant-v3g4/)

Reported: March 28, 2022 4:45pm UTC (2 years ago) • Edited 1 year ago

References

Canonical

CVE-2019-15107 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107)

Miscellaneous

https://chybeta.github.io/2019/08/19/%E3%80%90CVE-2019-15107%E3%80%91-RCE-in-Webmin-1-920-via-password-change

https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html

Rapid7

Very High