A backdoor mechanism was found in Webmin, a popular web-based application used by system administrators to manage remote Unix-based systems, such as Linux, FreeBSD, or OpenBSD servers.
The backdoor mechanism would allow a remote attacker to execute malicious commands with root privileges on the machine running Webmin. Once this machine is compromised, an attacker could then use it to launch attacks on the systems managed through Webmin.
Over one million Webmin installs are vulnerable
The attack surface is enormous -- without taking machines managed through Webmin into account. On its GitHub page, the Webmin team claims their application has "over 1,000,000 installations worldwide." A Shodan search query returns over 215,000 public Webmin instances, which can be attacked without needing to compromise internal networks or to bypass firewalls to reach a Webmin installation.
The project itself is extremely popular among Linux system admnistrators due to the convenience it brings to daily work. Sysadmins can install Webmin on a server and then use their web browser to make modifications to remote Unix systems.
These modifications aren't just basic disk quota updates and the ability to start or stop a few daemons. Webmin can allow system administrators to modify OS settings and internals, create new users, and even update the configurations of apps running on remote systems, such as Apache, BIND, MySQL, PHP, Exim, and many others.
The project is huge in the Linux ecosystem, and comes with over 100 modules that expand its core features, support for all major distros, and off-shoot projects like Virtualmin and Usermin.
How the Webmin backdoor was found
However, despite its popularity, the backdoor in Webmin's code remained hidden in the project's source code for more than a year.
First signs that something was wrong came to light when earlier this, Turkey-based security researcher Özkan Mustafa Akkuş found what he initially labeled as a vulnerability in the Webmin source code.
The vulnerability allowed unauthenticated attackers to run code on the servers running the Webmin app.
However, after presenting at such a high-profile conference, other security researchers also started digging into what appeared to be a very dangerous security flaw in a very popular Linux utility.
This additional digging has resulted in new information being discovered over the weekend.
Webmin blames "compromised build infrastructure"
According to one of the Webmin developers, the vulnerability was not the result of a coding mistake, but was actually "malicious code injected into compromised build infrastructure."
The code was only present in Webmin packages offered for download via SourceForge, but not the GitHub. However, this doesn't reduce the impact of this issue, as the Webmin website lists SourceForge links as the official download URLs.
The Webmin team also didn't specify if the "compromised build infrastructure" was referring to a compromised developer machine where the code was created, or to a compromised SourceForge account, which the hacker might have used to upload their own malicious Webmin version on SourceForge.
For its part, Sourceforce said through the voice of its president that the hacker didn't exploit any vulnerability in the platform, and that SourceForge only hosted what the project admins had uploaded through their accounts.
Webmin installs not vulnerable by default
Per Akkuş's initial technical analysis, the vulnerability existed in a Webmin feature that allows Webmin admins to enforce a password expiration policy for Webmin web-based accounts.
If this Webmin feature is enabled, then an attacker can use it to take over a Webmin install by appending shell commands using the "|" character inside an HTTP request sent to the Webmin server.
According to the Webmin team, all versions between 1.882 to 1.921 downloaded from Sourceforge contained the malicious backdoor code.
Webmin version 1.930 was released yesterday, August 18, to remove the backdoor mechanism. This also means backdoored Webmin versions were downloaded hundreds of thousands of times for more than a year, since March 2018.
The good news is that Webmin, in default installs, does not ship with the password expiration feature enabled by default. Webmin admins must make modifications to the Webmin config file to enable the password expiration feature for Webmin accounts, meaning most Webmin installations are most likely safe from exploitation attempts.
The bad news is that the hacker responsible for compromising Webmin's build infrastructure appears to have tried to change the default state of the password expiration feature in Webmin 1.890, when it turned this feature on by default for all Webmin users.
However, the modification was sloppy, and caused errors for some users, who reported the issue to Webmin admins, who then reverted back to the previous off-by-default state with the next release.
"Either way, upgrading to version 1.930 is strongly recommended," the Webmin team said in a security advisory published yesterday.
"Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run /etc/webmin/restart."
More vulnerability reports:
- Microsoft August 2019 Patch Tuesday fixes 93 security bugs
- Trend Micro fixes privilege escalation security flaw in Password Manager
- Clever attack uses SQLite databases to hack other apps, malware servers
- Researchers find security flaws in 40 kernel drivers from 20 vendors
- Microsoft warns of two new 'wormable' flaws in Windows Remote Desktop Services
- Vulnerability in Microsoft CTF protocol goes back to Windows XP
- Google will now pay up to $30,000 for reporting a Chrome bug CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic