Webmin Remote Code Execution Vulnerability

Webmin version 1.882 to 1.921 is vulnerable to Unauthenticated Remote Code Execution Vulnerability. This vulnerability exists in the reset password function that allows a malicious attacker to execute malicious code due to lack of input validation. The targets which have the setting “user password change enabled” are exploitable. This vulnerability has been assigned CVE-2019-15107.

Vulnerability Details:

The flaw is in the “password_change.cgi” file, the &unix_crypt crypt function checks the password against the systems /etc/shadow file. By adding a simple pipe command(“|”) the attacker can exploit this to execute system commands.

Proof Of Concept:

To exploit this vulnerability password_mode should be set to “2” in /etc/webmin/miniserv.conf.

password_mode

This can also be set by using a web interface.

“Webmin>Login>Webmin Configuration>Authentication>Password expiry policy” and set “

password expiry policy

Exploit Screenshot:

webmin_exploit

UPDATE:

For Webmin version 1.890 (downloaded from SourceForge) the exploit works without password_mode=2  , the exploitable parameter is expired.

 

Mitigation:

Webmin has addressed this issue in  Webmin 1.882 to 1.921 – Remote Command Execution.Qualys has released a QID 13548 – Webmin Remote Code Execution Vulnerability to detect the vulnerable machines.Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run/etc/webmin/restart,to mitigate this issue if updating the current version is not feasible.

Please continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.

 

Leave a Reply

Your email address will not be published. Required fields are marked *