A backdoor has been discovered in Webmin, a popular system administration tool for Unix systems (such as Linux, FreeBSD, or OpenBSD), that had been hiding in the code for more than a year.
During that time, the affected versions, 1.882 through 1.921, were available for download from the official website and SourceForge; GitHub was not involved in distributing the problem. It should be noted that, according to the developers, Webmin has more than 1,000,000 installations, and a Shodan search shows that more than 215,000 of them are reachable from the Internet.
The backdoor allows attackers to execute arbitrary commands with root privileges on a vulnerable machine with Webmin installed, after which the host can be used to attack the systems managed through Webmin.
The problem was first noticed by the Turkish information security specialist Özkan Mustafa Akkuş, who mistook it for an ordinary, albeit very dangerous, bug in the Webmin code.
The researcher presented his finding at the recent DEFCON conference in Las Vegas. The flaw was assigned the identifier CVE-2019-15107, and Akkuş warned that it allowed an unauthenticated attacker to execute code on servers running Webmin.
However, after Akkuş’s talk at DEFCON, other specialists became interested in the problem, and it turned out that the researcher had not found an ordinary bug at all. One of the Webmin developers soon confirmed that this “vulnerability” was in fact deliberately injected malicious code.
“We pushed a new Webmin and Usermin release the same day we heard about it. We’re doing the best we can. It took us a while to figure out what was going on, as well. The bug is not in git, it was malicious code injected into compromised build infrastructure”, a Webmin developer using the pseudonym SwellJoe reported.
The developers do not explain exactly what this phrase means. It could refer to a compromise of the developer machine on which the release was built, or to a compromise of the SourceForge account, which the attacker could have used to upload and distribute a malicious version of Webmin.
At the same time, SourceForge representatives have already stated that the attackers did not exploit any vulnerability in their platform, and that all activity on the Webmin account was carried out by the project administrators themselves, from their legitimate accounts.
According to Akkuş’s research, the vulnerability he discovered is tied to the Webmin feature that lets administrators set password expiration policies for accounts. If this feature is enabled and the option for changing expired passwords is active, an attacker can use it to take control of Webmin. Moreover, to carry out the attack it is enough to add a “|” character to the HTTP request sent to the Webmin server; whatever follows this character is executed on the server with root privileges.
The good news is that this functionality is not enabled by default in most versions. There is also bad news, however: it appears that the attacker responsible for compromising the Webmin infrastructure tried to enable it by default for all users in version 1.890. This change caused errors for many users, after which the developers reverted the feature to disabled by default.
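As an added illustration (not Webmin’s own code), the following Python checks a Webmin version string against the affected range reported above and flags password-change requests whose form fields carry shell metacharacters such as the “|” described in the attack. The endpoint path and the sample requests are constructed for this example and are not taken from the article.

```python
"""Defender-side checks for the Webmin backdoor described above.

Added example, not Webmin's own code. The endpoint path and the request
records are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Affected releases reported in the article (Webmin minor numbers are three digits here).
AFFECTED_MIN, AFFECTED_MAX = (1, 882), (1, 921)
# Release in which the password-change feature was reportedly switched on by default.
DEFAULT_ON_VERSION = (1, 890)
# Characters that let a field value break out of a shell command line.
SHELL_META = set("|;&`$\n")
PASSWORD_ENDPOINT = "/password_change.cgi"  # assumed name, not stated in the article


@dataclass
class Request:
    method: str
    path: str
    body: str  # application/x-www-form-urlencoded


def parse_version(v):
    major, minor = v.strip().split(".", 1)
    return int(major), int(minor)


def version_affected(v):
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def exposed_by_default(v):
    return parse_version(v) == DEFAULT_ON_VERSION


def suspicious_params(req):
    """Names of form fields carrying shell metacharacters on the password endpoint."""
    if req.method != "POST" or req.path != PASSWORD_ENDPOINT:
        return []
    fields = parse_qs(req.body, keep_blank_values=True)  # also decodes %7C to "|"
    return sorted(name for name, values in fields.items()
                  if any(SHELL_META & set(val) for val in values))


def scan(requests):
    """(index, flagged fields) for every request that looks like an injection attempt."""
    return [(i, suspicious_params(r)) for i, r in enumerate(requests) if suspicious_params(r)]


# Constructed sample traffic: a benign password change, an injection attempt, an unrelated GET.
SAMPLE = [
    Request("POST", "/password_change.cgi", "user=alice&old=Winter2019&new1=Spring2020&new2=Spring2020"),
    Request("POST", "/password_change.cgi", "user=alice&old=x%7Ccmd&new1=a&new2=a"),
    Request("GET", "/", ""),
]
```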