Following the public disclosure of a critical zero-day vulnerability in Webmin last week, the project’s maintainers today revealed that the flaw was not actually the result of a coding mistake made by the programmers.
Instead, it was secretly planted by an unknown hacker who successfully managed to inject a backdoor at some point in its build infrastructure—that surprisingly persisted into various releases of Webmin (1.882 through 1.921) and eventually remained hidden for over a year.
With over 3 million downloads per year, Webmin is the world’s most popular open-source web-based application for managing Unix-based systems, such as Linux, FreeBSD, or OpenBSD servers.
Webmin offers a simple user interface (UI) to manage users and groups, databases, BIND, Apache, Postfix, Sendmail, QMail, backups, firewalls, monitoring and alerts, and much more.
The story started when Turkish researcher Özkan Mustafa Akkuş publicly presented a zero-day remote code execution vulnerability in the Webmin at DefCon on August 10, without giving any advance notice to the affected project maintainers.
“We received no advance notification of it, which is unusual and unethical on the part of the researcher who discovered it. But, in such cases there’s nothing we can do but fix it ASAP,” said Joe Cooper, one of the project’s developers.
Besides revealing the flaw to the public, Akkuş also released a Metasploit module for this vulnerability that aims to automate the exploitation using the Metasploit framework.
The vulnerability, tracked as CVE-2019-15107, was introduced in a security feature that has been designed to let Webmin administrator enforce a password expiration policy for other users’ accounts.
According to the researcher, the security flaw resides in the password reset page and allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges on affected servers just by adding a simple pipe command (“|”) in the old password field through POST requests.
In a blog post published today, Cooper said that the team is still investigating how and when the backdoor was introduced, but confirmed that the official Webmin downloads were replaced by the backdoored packages only on the project’s SourceForge repository, and not on the Webmin’s GitHub repositories.
Cooper also stressed that the affected password expiration feature doesn’t come enabled by default for Webmin accounts, which means that most versions are not vulnerable in their default configuration, and the flaw only affects Webmin admins who have manually enabled this feature.
“To exploit the malicious code, your Webmin installation must have Webmin → Webmin Configuration → Authentication → Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution,” Cooper said.
However, another security researcher on Twitter later revealed that Webmin version 1.890 is affected in the default configuration, as the hackers appear to have modified the source code to enable password expiration feature by default for all Webmin users.
These unusual changes in the Webmin source code were red-flagged by an administrator late last year, but surprisingly, Webmin developers never suspected that it was not their mistake, but the code was actually modified by someone else intentionally.
According to a Shodan search, Webmin has more than 218,000 Internet-exposed instances available at the time of writing, mostly located in the United States, France, and Germany—of which over 13,000 instances are running vulnerable Webmin version 1.890.
Webmin developers have now removed the malicious backdoor in its software to address the vulnerability and released the clean versions, Webmin 1.930 and Usermin version 1.780.
The latest Webmin and Usermin releases also address a handful of cross-site scripting (XSS) vulnerabilities that were responsibly disclosed by a different security researcher who has been rewarded with a bounty.
So, Webmin administrators are strongly recommended to update their packages as soon as possible.