The SourceForge downloads of Webmin versions 1.890 through 1.920, listed as official downloads on the project's site, were backdoored: password_change.cgi contains a remote code execution vulnerability reachable through its 'old' and 'expired' parameters.
This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project's site. Unknown attacker(s) inserted Perl qx statements into the build server's copy of the source on two separate occasions: in April 2018, introducing the backdoor in the 1.890 release, and again in July 2018, reintroducing it in releases 1.900 through 1.920. Only version 1.890 is exploitable in a default install; the later affected versions require the expired-password changing feature to be enabled.
If a less-privileged Webmin user is given permission to edit the configuration of the HTTP Tunnel module, they could use that permission to introduce a vulnerability that captures the cookies of other Webmin users who use the module.
Less privileged Webmin users (excluding those created by Virtualmin and Cloudmin) can modify arbitrary files with root privileges, and so run commands as root. All systems with additional untrusted Webmin users should upgrade immediately.
Less privileged Webmin users who do not have any File Manager module restrictions configured can access files with root privileges if the default Authentic theme is in use. All systems with additional untrusted Webmin users should upgrade immediately. Note that Virtualmin systems are not affected by this bug, due to the way domain owner Webmin users are configured.
Webmin releases 1.890 through 1.920 contain a vulnerability that allows remote command execution. Version 1.890 is vulnerable in a default install and should be upgraded immediately; the other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.
Prior Webmin and Usermin versions do not have password timeouts turned on by default, so an attacker can try every possible password for the root or admin user until the correct one is found.
The solution is to enable password timeouts, so that repeated attempts to log in as the same user become progressively slower. This can be done by following these steps:
At some time in April 2018, the Webmin development build server was exploited and a vulnerability added to the password_change.cgi script. Because the timestamp on the file was set back, it did not show up in any Git diffs. This was included in the Webmin 1.890 release.
This is a terrible situation for any development team. A hacker took over a server that managed Webmin code and changed the code in a subtle way to allow them (or others) to execute commands as root on computers running Webmin. It took nearly a year and a half for the attack to be discovered and fixed.
I tested Webmin v1.900 and the password change page was not available by default, however it is a reasonable option to have.
A valid username is not needed for the exploit, although the command injection did not work for me when I used the valid username root.
Webmin version 1.890 was released with a backdoor that could allow anyone with knowledge of it to execute commands as root. Versions 1.900 to 1.920 also contained a backdoor using similar code, but it was not exploitable in a default Webmin install. Neither of these were accidental bugs - rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability.
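The advisories above give an administrator two facts to check: which version is installed, and whether password_change.cgi carries a Perl shell-out on a CGI parameter (the qx on the 'old' parameter that the Metasploit description mentions). The script below is an added example for this page, not code from the Webmin project or from the Metasploit module. It assumes Webmin's usual layout (a plain `version` file and `password_change.cgi` in the install root), treats any qx, backtick, system or exec whose operand interpolates `$in{...}` as the backdoor shape, and applies the advisory's rule: 1.890 is exploitable as installed, 1.900 through 1.920 only when changing expired passwords is enabled. The sample CGI it runs against is constructed for the demo and is not the real file.

```python
"""Local audit for the Webmin 1.890-1.920 password_change.cgi backdoor.

Added example, not code from the Webmin project or the Metasploit module.
Assumed layout: <root>/version holds the version string and
<root>/password_change.cgi is the CGI. The backdoor shape is a Perl
shell-out (qx, backticks, system, exec) interpolating a CGI parameter.
"""
import re
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

BACKDOORED_VERSIONS = {"1.890", "1.900", "1.910", "1.920"}
DEFAULT_EXPLOITABLE = {"1.890"}  # 1.900-1.920 need expired-password changing enabled

# A shell-out followed, within the same statement, by a CGI parameter such as $in{'old'}.
SHELLOUT_WITH_PARAM = re.compile(r"(?:\bqx\s*[^\w\s]|`|\b(?:system|exec)\b)[^;\n]*\$in\{")

# Constructed stand-in for a backdoored password_change.cgi (not Webmin's real file);
# the qx on $in{'old'} mirrors the pattern the advisory describes.
CONSTRUCTED_CGI = """#!/usr/local/bin/perl
# constructed sample, not Webmin's real password_change.cgi
&ReadParse();
$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
"""


def scan_cgi(source: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for each non-comment line that shells out on a CGI parameter."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if SHELLOUT_WITH_PARAM.search(line):
            hits.append((no, line.strip()))
    return hits


def read_version(root: Path) -> Optional[str]:
    """Webmin's install root holds a plain 'version' file (assumed layout)."""
    vfile = root / "version"
    return vfile.read_text().strip() if vfile.exists() else None


def assess(version: Optional[str], hits: List[Tuple[int, str]]) -> str:
    """Advisory rule: 1.890 exploitable as installed, 1.900-1.920 only with expired-password
    changing enabled; a clean CGI in that range means the build came from a clean source."""
    if hits:
        if version in DEFAULT_EXPLOITABLE:
            return "BACKDOORED: exploitable in a default install, upgrade now"
        if version in BACKDOORED_VERSIONS:
            return "BACKDOORED: exploitable if changing expired passwords is enabled"
        return "SUSPICIOUS: shell-out on a CGI parameter outside the known range"
    if version in BACKDOORED_VERSIONS:
        return "CLEAN SOURCE: affected version but no shell-out on a CGI parameter"
    return "CLEAN"


def audit(root: Path) -> dict:
    cgi = root / "password_change.cgi"
    hits = scan_cgi(cgi.read_text(errors="replace")) if cgi.exists() else []
    version = read_version(root)
    return {"version": version, "hits": hits, "verdict": assess(version, hits)}


def demo() -> dict:
    """Run the audit against a constructed 1.890 tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "version").write_text("1.890\n")
        (root / "password_change.cgi").write_text(CONSTRUCTED_CGI)
        return audit(root)


if __name__ == "__main__":
    result = audit(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print(result["version"], result["verdict"])
    for no, line in result["hits"]:
        print(f"  line {no}: {line}")
```

Run it as `python3 audit.py /usr/share/webmin` (or whichever directory holds `miniserv.pl`); without an argument it audits the constructed sample. A "CLEAN SOURCE" verdict on an affected version is still a reason to upgrade, since the version itself tells you nothing about where the tarball came from.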
Writeup of the 30-point Hack The Box machine Chaos. Fun box with several cunning rabbit holes. Access to the user flag requires brute-forcing (guessing) a simple password and then executing commands via pdfTeX. The path to the root flag is cleverly hidden in the Mozilla Firefox Password Manager.
There were several TCP ports open and one UDP port. TCP/10000 and UDP/10000 are related to Webmin, a web-based interface for Unix administration. From the HTTP banner we saw the exact installed version, 1.890, which is a little behind the currently available one (1.900). There is a decent history of serious vulnerabilities with public exploits available, so looking for exploits was worthwhile. And actually there is one, CVE-2019-9624, even with a Metasploit module. The only problem is that in order to exploit this vulnerability, we need a valid username and password.
Another clue we could have found by examining IMAP or POP3 with TLS, in the TLS certificate's Common Name (CN) or Subject Alternative Name (SAN) fields. I examined it using nmap's NSE. From this we obtained the same hostname: chaos.
However, every time someone uses only a relative domain name instead of an FQDN, God kills a kitten. Please, think of the kittens. Use full domain names. In the case of Hack The Box, the domain '.htb' is usually correct.
It was an outdated WordPress installation (version 4.9.8), which suffered from 9 vulnerabilities, one of them Authenticated Code Execution (CVE-2019-9787). Great news. Now I needed to find a valid username and password.
So I had credentials to webmail and no webmail at all. However, there was an IMAP service available. Since I had Thunderbird installed, I used it. In the Drafts folder there was an unfinished message with two attachments.
The post-exploitation phase was fairly quick here. I remembered that I had been looking for valid credentials for the Webmin panel (in order to try to exploit the CVE-2019-9624 vulnerability), but the ones I had were invalid. So another angle was needed. I noticed several interesting directories in ayush's home.
The Mail directory contained the mailboxes we had already seen during the reconnaissance phase. The .app directory contained several tools (symlinks to binaries) which could be used to escape the restricted shell. That leaves inspecting the .mozilla directory.
Better. It had stored credentials. The question is, was it password protected? It could easily be checked by importing the profile into a Mozilla Firefox installation or by looking for some tool to decrypt it offline. And I found this nifty tool.
On August 17, 2019, the Webmin team announced the release of Webmin 1.930 and Usermin 1.780. These releases address a newly discovered remote command execution vulnerability found in Webmin versions 1.890 through 1.920. This vulnerability has been present for more than a year and was introduced by a malicious third party.
Because the vulnerability was limited to the Sourceforge distribution, it was able to remain hidden for quite a while. If you only reviewed the problematic file in their GitHub repository, you would never know the project had been compromised. More than likely this limited the reach of the vulnerability, but allowed for the vulnerability to persist longer than it might have otherwise. This vulnerability dates back to at least July 2018 (the release date of version 1.890).
A remote command execution vulnerability is present in Webmin versions 1.890 through 1.920 (the range given in the project's advisory). Of most interest is version 1.890, because the default installation is vulnerable. If you are using this version, it is important to upgrade right away. Other versions are vulnerable to remote command execution only if the administrator has enabled changing of expired passwords, which is not the default behavior.
Another interesting feature of this case includes the fact that the vulnerability was not responsibly disclosed to the maintainers. This puts the maintainers under significant pressure to fix the problem very quickly. This is not an ideal scenario. Snyk is happy to help any security researcher properly disclose vulnerabilities, while the researcher still gets credit. You can find more information about that program here.
Upgrading to 1.930 is strongly recommended regardless of whether you are on the most vulnerable version (1.890) or one of the other compromised versions. If you are unable to upgrade and you are using version 1.900 to 1.920, you can fix the vulnerability by doing the following.
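Both of the configuration changes this page calls for live in the same file, /etc/webmin/miniserv.conf: the brute-force advisory wants password timeouts enabled, and the advisory's stopgap for 1.900 through 1.920 (for admins who cannot upgrade) is to remove the passwd_mode= line that enables expired-password changing, then run /etc/webmin/restart. The script below is an added example for this page, not code from the Webmin project or from Snyk. It assumes miniserv.conf is a flat key=value file, that `passwd_mode=2` is the expired-password setting, and that `passdelay=1` is the key behind "password timeouts"; the `blockhost_*` lockout keys are likewise assumed names. The weak configuration it rewrites is a constructed sample. Note that this is no fix for 1.890, whose backdoor fires in a default install; there, upgrading is the only remedy.

```python
"""Harden /etc/webmin/miniserv.conf: drop passwd_mode, enable password timeouts.

Added example, not code from the Webmin project. Assumed keys: passwd_mode
(expired-password changing; the advisory's stopgap for 1.900-1.920 is to
remove it), passdelay (password timeouts) and blockhost_* (per-host lockout).
Webmin must be restarted afterwards: /etc/webmin/restart.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample of a weak configuration (not taken from a real server).
CONSTRUCTED_CONF = """port=10000
root=/usr/share/webmin
passwd_mode=2
passdelay=0
logfile=/var/webmin/miniserv.log
"""

HARDENED_VALUES = {
    "passdelay": "1",            # progressively slow repeated failed logins (assumed key)
    "blockhost_failures": "5",   # lock out a host after 5 failures (assumed key)
    "blockhost_time": "60",      # ... for 60 seconds (assumed key)
}
REMOVE_KEYS = {"passwd_mode"}    # advisory: delete the passwd_mode= line on 1.900-1.920


def parse_miniserv_conf(text: str) -> Dict[str, str]:
    """Flat key=value parser; comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def harden_miniserv_conf(text: str) -> Tuple[str, List[str]]:
    """Return the rewritten config and a list of changes; a second run changes nothing."""
    changes, out, seen = [], [], set()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and not line.lstrip().startswith("#"):
            if key in REMOVE_KEYS:
                changes.append(f"removed {line.strip()}")
                continue
            if key in HARDENED_VALUES:
                seen.add(key)
                if value.strip() != HARDENED_VALUES[key]:
                    changes.append(f"{key}: {value.strip()} -> {HARDENED_VALUES[key]}")
                    line = f"{key}={HARDENED_VALUES[key]}"
        out.append(line)
    for key, value in HARDENED_VALUES.items():
        if key not in seen:  # setting absent: append it rather than rely on the default
            out.append(f"{key}={value}")
            changes.append(f"added {key}={value}")
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path) as fh:
            original = fh.read()
    else:
        path, original = "(constructed sample)", CONSTRUCTED_CONF
    hardened, changes = harden_miniserv_conf(original)
    print(f"{path}: {len(changes)} change(s)")
    for change in changes:
        print("  " + change)
    if len(sys.argv) > 1 and changes:
        with open(path, "w") as fh:
            fh.write(hardened)
        print("written; now run /etc/webmin/restart")
```

Run it without arguments to see the diff it would make to the sample; run it as root with `/etc/webmin/miniserv.conf` to apply it, then restart Webmin so miniserv.pl rereads the file.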
The backdoor mechanism would allow a remote attacker to execute malicious commands with root privileges on the machine running Webmin. Once this machine is compromised, an attacker could then use it to launch attacks on the systems managed through Webmin.
The attack surface is enormous -- without taking machines managed through Webmin into account. On its GitHub page, the Webmin team claims their application has "over 1,000,000 installations worldwide." A Shodan search query returns over 215,000 public Webmin instances, which can be attacked without needing to compromise internal networks or to bypass firewalls to reach a Webmin installation.
The project itself is extremely popular among Linux system administrators due to the convenience it brings to daily work. Sysadmins can install Webmin on a server and then use their web browser to make modifications to remote Unix systems.
These modifications aren't just basic disk quota updates and the ability to start or stop a few daemons. Webmin can allow system administrators to modify OS settings and internals, create new users, and even update the configurations of apps running on remote systems, such as Apache, BIND, MySQL, PHP, Exim, and many others.
First signs that something was wrong came to light when Turkey-based security researcher Özkan Mustafa Akkuş found what he initially labeled as a vulnerability in the Webmin source code.
The code was only present in Webmin packages offered for download via SourceForge, not in the GitHub repository. However, this doesn't reduce the impact of this issue, as the Webmin website lists the SourceForge links as the official download URLs.
The Webmin team also didn't specify if the "compromised build infrastructure" was referring to a compromised developer machine where the code was created, or to a compromised SourceForge account, which the hacker might have used to upload their own malicious Webmin version on SourceForge.