The new version of Webmin, 1.930, removes a backdoor that was present for at least a year


Some days ago a new version of Webmin was released in order to mitigate a vulnerability identified as a backdoor (CVE-2019-15107), found in the official versions of the project, which is distributed through Sourceforge.

The discovered backdoor was present in versions 1.882 through 1.921 inclusive (the git repository contained no backdoored code) and allowed arbitrary shell commands to be executed remotely, with root privileges, without authentication.

About Webmin

For those who do not know Webmin: it is a web-based control panel for administering Linux systems. It provides an intuitive and easy-to-use interface for managing your server. Recent versions of Webmin can also be installed and run on Windows systems.

With Webmin, you can change common package settings on the fly, including web servers and databases, as well as managing users, groups, and software packages.

Webmin lets the user see running processes and details of installed packages, manage system log files, edit the configuration of a network interface, add firewall rules, configure the time zone and system clock, add printers through CUPS, list installed Perl modules, configure an SSH or DHCP server, and manage DNS domain records.

Webmin 1.930 arrives to eliminate the backdoor

The new version, Webmin 1.930, was released to address a remote code execution vulnerability. This vulnerability has publicly available exploit modules, which puts many virtual UNIX management systems at risk.

The security advisory indicates that version 1.890 (CVE-2019-15231) is vulnerable in the default configuration, while the other affected versions require that the option "change user password" is enabled.

About vulnerability

An attacker can send a malicious HTTP request to the password reset request form page to inject code and take over the Webmin web application. According to the vulnerability report, an attacker does not need a valid username or password to exploit this flaw.

This means that the vulnerability has potentially been present in Webmin since July 2018.

An attack requires an open network port with Webmin listening and the expired-password change function being enabled in the web interface (it is enabled by default in the 1.890 builds, but disabled in other versions).

The problem was fixed in update 1.930.

As a temporary measure to lock the backdoor, simply remove the "passwd_mode=" setting from the /etc/webmin/miniserv.conf configuration file. A prototype exploit has been prepared for testing.
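The following check script is an added example, not code from the article or from the Webmin project: it classifies a host using the affected version range and the passwd_mode= setting described above. It assumes the installed version string is in /etc/webmin/version (assumed path); the miniserv.conf path comes from the article.

```shell
#!/bin/sh
# Added example (not Webmin's own code): report whether a Webmin install
# is exposed to the password_change.cgi backdoor according to the article.
# Assumed: /etc/webmin/version holds the version string; the config file
# is /etc/webmin/miniserv.conf as named in the article.

# webmin_backdoor_status VERSION_FILE CONF_FILE
# prints one of: not-affected | mitigated | vulnerable
webmin_backdoor_status() {
    ver=$(tr -d '[:space:]' < "$1")
    # Affected builds are 1.882 through 1.921 inclusive; 1.930 is fixed.
    if ! awk -v v="$ver" 'BEGIN { exit !(v + 0 >= 1.882 && v + 0 <= 1.921) }'; then
        echo "not-affected"
        return 0
    fi
    # The backdoor only fires while expired-password changes are enabled,
    # i.e. while a passwd_mode= line is present (on by default in 1.890).
    if grep -q '^passwd_mode=' "$2"; then
        echo "vulnerable"
    else
        echo "mitigated"
    fi
}

# Constructed sample files standing in for a real host, so this runs offline.
# For a live host use: webmin_backdoor_status /etc/webmin/version /etc/webmin/miniserv.conf
tmp=$(mktemp -d)
printf '1.890\n' > "$tmp/version"
printf 'port=10000\npasswd_mode=2\n' > "$tmp/miniserv.conf"
echo "sample host: $(webmin_backdoor_status "$tmp/version" "$tmp/miniserv.conf")"
rm -rf "$tmp"
```

A result of "mitigated" only means the temporary workaround is in place; upgrading to 1.930 remains the fix.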

The problem was found in the password_change.cgi script, where the unix_crypt function is used to verify the old password entered in the web form; that function passes the password received from the user to the shell without escaping special characters.

In the git repository this function is a wrapper around the Crypt::UnixCrypt module and is not dangerous, but in the Sourceforge tarball shipped with the code it calls code that reads /etc/shadow directly, and does so through a shell construct.

To attack, it is enough to put the «|» symbol in the old password field, and the code following it will run with root privileges on the server.

According to the statement from the Webmin developers, the malicious code was inserted as a result of a compromise of the project infrastructure.

Details have yet to be announced, so it is unclear whether the hack was limited to taking control of an account at Sourceforge or whether it affected other elements of Webmin's build and development infrastructure.

The issue also affected Usermin builds. All build files are now being rebuilt from Git.
