
Webmin code hid backdoor for more than a year

Webmin, a popular system administration tool for Unix-like systems (such as Linux, FreeBSD, or OpenBSD), has been found to contain a backdoor that had been hiding in its code for more than a year.

The affected versions, 1.882 through 1.921, were available for download through the official website and SourceForge for more than a year; the code on GitHub was not involved.

According to the developers, Webmin has more than 1,000,000 installations, and Shodan shows that more than 215,000 of them are reachable from the Internet.

The backdoor allows attackers to execute arbitrary commands with root privileges on a vulnerable machine with Webmin installed, after which the host can be used to attack the systems managed through Webmin.

The problem was first noticed by Turkish information security specialist Ozkan Mustafa Akkuş, who mistook it for an ordinary, albeit very dangerous, bug in the Webmin code.

The researcher presented his finding at the recent DEF CON conference in Las Vegas. The flaw was assigned the identifier CVE-2019-15107, and Akkuş warned that it allowed an unauthenticated attacker to execute code on servers running Webmin.

[Photo: Ozkan Mustafa Akkuş]

However, after Akkuş's talk at DEF CON, other specialists took an interest in the problem, and it turned out that the researcher had not found an ordinary bug at all: one of the Webmin developers soon confirmed that the "vulnerability" was in fact deliberately injected malicious code.

“We pushed a new Webmin and Usermin release the same day we heard about it. We’re doing the best we can. It took us a while to figure out what was going on, as well. The bug is not in git, it was malicious code injected into compromised build infrastructure,” a Webmin developer writing under the pseudonym SwellJoe reported.

The developers do not explain exactly what is meant by this. It could refer to a compromise of the developer's machine on which the release was built, or to a compromise of the SourceForge account, which the attacker could have used to upload and distribute a malicious version of Webmin.

SourceForge representatives, for their part, have already stated that the attackers did not exploit any vulnerability in their platform, and that all activity on the Webmin account was carried out by the project administrators themselves from their legitimate accounts.

According to Akkuş's research, the vulnerability is tied to the Webmin feature that lets administrators set password expiration policies for accounts. If this feature is enabled and the function for changing expired passwords is active, an attacker can use it to take control of Webmin. Moreover, carrying out the attack requires nothing more than adding a “|” character to the HTTP request sent to the Webmin server; whatever follows that character is executed on the server with root privileges.


The good news is that this functionality is not enabled by default in many versions. The bad news is that the attacker who compromised the Webmin infrastructure apparently tried to enable it by default for all users in version 1.890. That change caused errors for many users, after which the developers set the function back to disabled by default.

As mentioned above, the backdoor was found in versions 1.882 through 1.921, distributed through the official website and SourceForge. On August 18, 2019, the Webmin developers released version 1.930, which removes the backdoor. All users are encouraged to upgrade as soon as possible. Those running versions 1.900 through 1.920 can also open /etc/webmin/miniserv.conf, delete the passwd_mode= line, and then run /etc/webmin/restart.
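As an added example, not code from the article or from the Webmin project, the following shell script checks the two indicators the article names: an installed version inside the backdoored 1.882 to 1.921 range and a passwd_mode= line in /etc/webmin/miniserv.conf. It assumes the installed version is recorded in /etc/webmin/version, which the article does not state.

```shell
#!/bin/sh
# Added example, not from the article or the Webmin project: a defender-side
# check for the two indicators the article names. Assumes the installed version
# is recorded in /etc/webmin/version (an assumption; the article does not say).

# Exit 0 when a version string lies in the backdoored range 1.882 .. 1.921.
webmin_version_affected() {
    case $1 in
        1.[0-9][0-9][0-9] | 1.[0-9][0-9][0-9].*) ;;   # 1.NNN or 1.NNN.x
        *) return 1 ;;                                # anything else: not in range
    esac
    minor=${1#1.}
    minor=${minor%%.*}
    [ "$minor" -ge 882 ] && [ "$minor" -le 921 ]
}

# Exit 0 when miniserv.conf has a passwd_mode= line, i.e. the expired-password
# change function that the backdoor depends on is switched on.
webmin_passwd_mode_set() {
    grep -q '^[[:space:]]*passwd_mode[[:space:]]*=' "$1" 2>/dev/null
}

# Assess one install: exit 0 = unaffected version, 1 = backdoored build with
# passwd_mode unset, 2 = backdoored build with passwd_mode set.
webmin_assess() {
    ver=$1
    conf=$2
    if ! webmin_version_affected "$ver"; then
        echo "ok: Webmin $ver is outside the backdoored range 1.882-1.921"
        return 0
    fi
    if webmin_passwd_mode_set "$conf"; then
        echo "at risk: Webmin $ver with passwd_mode set in $conf;" \
             "upgrade to 1.930, or remove the passwd_mode= line and run /etc/webmin/restart"
        return 2
    fi
    echo "backdoored build: Webmin $ver, passwd_mode unset in $conf; upgrade to 1.930"
    return 1
}

# Stand-alone use on a host: read the real version and config when present.
if [ -r /etc/webmin/version ]; then
    webmin_assess "$(cat /etc/webmin/version)" /etc/webmin/miniserv.conf
fi
```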

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main aim of this site is to help people deal with PC viruses of any kind.
