
A backdoor mechanism was found in Webmin, a popular web-based application used by system administrators to manage remote Unix-based systems, such as Linux, FreeBSD, or OpenBSD servers.

The backdoor mechanism would allow a remote attacker to execute malicious commands with root privileges on the machine running Webmin. Once this machine is compromised, an attacker could then use it to launch attacks on the systems managed through Webmin.

Over one million Webmin installs are vulnerable

The attack surface is enormous -- without taking machines managed through Webmin into account. On its GitHub page, the Webmin team claims their application has "over 1,000,000 installations worldwide." A Shodan search query returns over 215,000 public Webmin instances, which can be attacked without needing to compromise internal networks or to bypass firewalls to reach a Webmin installation.

The project itself is extremely popular among Linux system administrators due to the convenience it brings to daily work. Sysadmins can install Webmin on a server and then use their web browser to make modifications to remote Unix systems.

These modifications aren't just basic disk quota updates and the ability to start or stop a few daemons. Webmin can allow system administrators to modify OS settings and internals, create new users, and even update the configurations of apps running on remote systems, such as Apache, BIND, MySQL, PHP, Exim, and many others.

The project is huge in the Linux ecosystem, and comes with over 100 modules that expand its core features, support for all major distros, and off-shoot projects like Virtualmin and Usermin.

How the Webmin backdoor was found

However, despite the project's popularity, the backdoor remained hidden in its source code for more than a year.

First signs that something was wrong came to light when earlier this, Turkey-based security researcher Özkan Mustafa Akkuş found what he initially labeled as a vulnerability in the Webmin source code.

The vulnerability allowed unauthenticated attackers to run code on the servers running the Webmin app.

The bug received a vulnerability ID of CVE-2019-15107, and Akkuş presented his finding at the AppSec Village at the DEF CON 27 security conference held in Las Vegas at the start of the month.

However, after the presentation at such a high-profile conference, other security researchers also started digging into what appeared to be a very dangerous security flaw in a very popular Linux utility.

This additional digging has resulted in new information being discovered over the weekend.

Webmin blames "compromised build infrastructure"

According to one of the Webmin developers, the vulnerability was not the result of a coding mistake, but was actually "malicious code injected into compromised build infrastructure."

The code was only present in Webmin packages offered for download via SourceForge, but not in the code on GitHub. However, this doesn't reduce the impact of this issue, as the Webmin website lists SourceForge links as the official download URLs.

The Webmin team also didn't specify if the "compromised build infrastructure" was referring to a compromised developer machine where the code was created, or to a compromised SourceForge account, which the hacker might have used to upload their own malicious Webmin version on SourceForge.

For its part, SourceForge said through the voice of its president that the hacker didn't exploit any vulnerability in the platform, and that SourceForge only hosted what the project admins had uploaded through their accounts.

Webmin installs not vulnerable by default

Per Akkuş's initial technical analysis, the vulnerability existed in a Webmin feature that allows Webmin admins to enforce a password expiration policy for Webmin web-based accounts.

If this Webmin feature is enabled, then an attacker can use it to take over a Webmin install by appending shell commands using the "|" character inside an HTTP request sent to the Webmin server.

According to the Webmin team, all versions from 1.882 to 1.921 downloaded from SourceForge contained the malicious backdoor code.

Webmin version 1.930 was released yesterday, August 18, to remove the backdoor mechanism. This also means backdoored Webmin versions were downloaded hundreds of thousands of times for more than a year, since March 2018.

The good news is that Webmin does not ship with the password expiration feature enabled by default. Webmin admins must make modifications to the Webmin config file to enable the password expiration feature for Webmin accounts, meaning most Webmin installations are most likely safe from exploitation attempts.

The bad news is that the hacker responsible for compromising Webmin's build infrastructure appears to have tried to change the default state of the password expiration feature in Webmin 1.890, turning this feature on by default for all Webmin users.

However, the modification was sloppy, and caused errors for some users, who reported the issue to Webmin admins, who then reverted back to the previous off-by-default state with the next release.

"Either way, upgrading to version 1.930 is strongly recommended," the Webmin team said in a security advisory published yesterday.

"Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run /etc/webmin/restart."
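For administrators triaging a host, the version range and the passwd_mode= check from the advisory can be combined into one script. This is an added example, not Webmin project code; it cannot tell whether a package came from SourceForge, so any install in the affected range is treated as suspect. The function names and the /etc/webmin/version path are assumptions, and the sample files in any test run are constructed.

```shell
#!/bin/sh
# Added example (not Webmin project code). Classifies one Webmin install
# using only the facts reported above: affected range 1.882 to 1.921,
# feature forced on in 1.890, and the passwd_mode= line in miniserv.conf.

# Turn "1.921" into 1921 so versions compare as plain integers.
ver_to_int() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor#"${minor%%[!0]*}"}   # strip leading zeros (avoid octal)
    echo $(( ${major:-0} * 1000 + ${minor:-0} ))
}

# webmin_backdoor_status VERSION MINISERV_CONF
# Prints a verdict and returns:
#   0 = outside the backdoored range
#   1 = in range, password expiration feature not configured
#   2 = in range and the feature is on (upgrade or remove passwd_mode=)
webmin_backdoor_status() {
    v=$(ver_to_int "$1")
    conf=$2
    if [ "$v" -lt 1882 ] || [ "$v" -gt 1921 ]; then
        echo "not-in-backdoored-range"
        return 0
    fi
    # 1.890 is the release in which the feature was switched on by default,
    # so the config file is not trusted for that version.
    if [ "$v" -eq 1890 ] || grep -q '^passwd_mode=' "$conf" 2>/dev/null; then
        echo "exposed"
        return 2
    fi
    echo "in-range-feature-off"
    return 1
}

# Stand-alone use on a real host. /etc/webmin/version is an assumed location
# for the installed version string; miniserv.conf is the path the advisory names.
if [ -r /etc/webmin/version ] && [ -r /etc/webmin/miniserv.conf ]; then
    webmin_backdoor_status "$(cat /etc/webmin/version)" \
        /etc/webmin/miniserv.conf || true
fi
```

A verdict of "in-range-feature-off" still calls for the upgrade to 1.930, since the backdoored code remains installed.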
