Attacker Value
Very High

Webmin password_change.cgi Command Injection

Disclosure Date: August 16, 2019
Last updated: February 28, 2020

Exploitability

(6 users assessed) Very High
Attack Vector
Unknown
Privileges Required
Unknown
User Interaction
Unknown

Description

An issue was discovered in Webmin through 1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

9
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This was a supply chain attack: http://www.webmin.com/exploit.html. The backdoor was introduced in a version that was “exploitable” in the default install. Version 1.890 is the money. Anything after requires a non-default setting.

Note that SourceForge installs are affected, but GitHub checkouts aren’t.

ETA: Metasploit added an exploit module.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is bound to have many vulnerable installations that may persist for some time, since Webmin tends to be used by novice admins.

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is a terrible situation for any development team. A hacker took over a server that managed Webmin code and changed the code in a subtle way to allow them (or others) to execute commands as root on computers running Webmin. It took nearly a year and a half for the attack to be discovered and fixed.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

I tested Webmin v1.900 and the password change page was not available by default; however, it is a reasonable option to have.
A valid username is not needed for the exploit, although the command injection did not work for me when I used the valid username root.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This vulnerability is very easy to exploit – without the need for any tools specialized for this attack.
