A zero day has been released for the system administrator tool webmin

Summary:

Today’s exploit of the day is one affecting the popular system administrator tool Webmin that is know to run on port 10000.

A bug has been found in the reset password function that allows

a malicious third party to execute malicious code due to lack of input validation.

Affecting:

Webmin up to the latest version 1.920 instances which has the setting “user password change enabled”

The vulnerability has been given the CVE CVE-2019-15107

as the time of writing this(2019-08-16) the vulnerability still exists in the latest version you can download from webmin’s official site

Vulnerable code in version 1.920

computer@box:/tmp/webmin-1.920$ cat -n password_change.cgi | head -n 176 | tail -29 148 149 # Read shadow file and find user 150 &lock_file($miniserv{'passwd_file'}); 151 $lref = &read_file_lines($miniserv{'passwd_file'}); 152 for($i=0; $i<@$lref; $i++) { 153 @line = split(/:/, $lref->[$i], -1); 154 local $u = $line[$miniserv{'passwd_uindex'}]; 155 if ($u eq $in{'user'}) { 156 $idx = $i; 157 last; 158 } 159 } 160 defined($idx) || &pass_error($text{'password_euser'}); 161 162 # Validate old password 163 &unix_crypt($in{'old'}, $line[$miniserv{'passwd_pindex'}]) eq 164 $line[$miniserv{'passwd_pindex'}] || 165 &pass_error($text{'password_eold'}); 166 167 # Make sure new password meets restrictions 168 if (&foreign_check("changepass")) { 169 &foreign_require("changepass", "changepass-lib.pl"); 170 $err = &changepass::check_password($in{'new1'}, $in{'user'}); 171 &pass_error($err) if ($err); 172 } 173 elsif (&foreign_check("useradmin")) { 174 &foreign_require("useradmin", "user-lib.pl"); 175 $err = &useradmin::check_password_restrictions( 176 $in{'new1'}, $in{'user'});

Proof of concept

The vulnerability laws in the &unix_crypt crypt function that checks

the passwd against the systems /etc/shadow file

By adding a simple pipe command (“|”) the author is able to exploit

this to execute what ever code he wants.

The pipe command is like saying and in the context

of “execute this command and this”

here does the author prove that this is exploitable

very easy with just a simple POST request.

Webmin has not had a public statement or patch being announced yet meaning everyone who is running webmin is running a vulnerable version and should take it offline until further notice.

It is still very unclear on how many public instances of webmin are public

on the internet a quick search on shodan finds a bit over 13 0000.

External links:

Webmin on wikipedia

Webmin in nmap

Authors blog post

Archived link of the authors blog post

Nist CVE

Shodan

Stay up to date with Vulnerability Management and build cool things with our API

This blog post is part of the exploit of the day series

where we write a shorter description about interesting

exploits that we index.