Hackers Planted Backdoor in Webmin, Popular Utility for Linux/Unix Servers

Aug 20, 2019 by iHash


Following the public disclosure of a critical zero-day vulnerability in Webmin last week, the project’s maintainers today revealed that the flaw was not actually the result of a coding mistake made by the programmers.

Instead, it was secretly planted by an unknown attacker who managed to inject a backdoor into the project's build infrastructure at some point; the backdoor persisted across several Webmin releases (1.882 through 1.921) and remained hidden for over a year.

With over 3 million downloads per year, Webmin is one of the world’s most popular open-source web-based applications for managing Unix-based systems, such as Linux, FreeBSD, or OpenBSD servers.

Webmin offers a simple user interface (UI) to manage users and groups, databases, BIND, Apache, Postfix, Sendmail, QMail, backups, firewalls, monitoring and alerts, and much more.

The story started when Turkish researcher Özkan Mustafa Akkuş publicly presented a zero-day remote code execution vulnerability in Webmin at DefCon on August 10, without giving any advance notice to the affected project's maintainers.

“We received no advance notification of it, which is unusual and unethical on the part of the researcher who discovered it. But, in such cases there’s nothing we can do but fix it ASAP,” said Joe Cooper, one of the project’s developers.

Besides revealing the flaw to the public, Akkuş also released a Metasploit module that automates exploitation of the vulnerability within the Metasploit framework.


The vulnerability, tracked as CVE-2019-15107, was introduced in a security feature designed to let a Webmin administrator enforce a password expiration policy for other users' accounts.

According to the researcher, the flaw resides in the password reset page and allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges on affected servers simply by placing a pipe character (|) in the old password field of a POST request.

In a blog post published today, Cooper said that the team is still investigating how and when the backdoor was introduced, but confirmed that the official Webmin downloads were replaced by the backdoored packages only on the project's SourceForge repository, and not in Webmin's GitHub repositories.
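The finding that the SourceForge packages differed from the GitHub source suggests a routine check: hash every file in an unpacked release archive and compare it with the corresponding source checkout. The following is an added example, not code from the article or from the Webmin project; the two trees it compares are constructed placeholders built in a temporary directory, and the file names in them are illustrative only.

```python
import hashlib
import tempfile
from pathlib import Path


def _file_hashes(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 hex digest."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_trees(release_dir, source_dir) -> dict:
    """Report files only in the release, only in the source, and files present
    in both whose contents differ. Any non-empty entry for a release that is
    supposed to be a verbatim export of the repository deserves a closer look."""
    release = _file_hashes(Path(release_dir))
    source = _file_hashes(Path(source_dir))
    return {
        "only_in_release": sorted(set(release) - set(source)),
        "only_in_source": sorted(set(source) - set(release)),
        "modified": sorted(p for p in release.keys() & source.keys()
                           if release[p] != source[p]),
    }


def build_demo_trees() -> tuple:
    """Create two constructed sample trees in a temp dir: a 'source' checkout and
    a 'release' copy in which one script gained a line and one file was added.
    The contents are placeholders, not Webmin's real files."""
    base = Path(tempfile.mkdtemp(prefix="webmin-demo-"))
    src, rel = base / "source", base / "release"
    for d in (src, rel):
        (d / "cgi").mkdir(parents=True)
        (d / "cgi" / "password_change.cgi").write_text("#!/usr/bin/perl\n# placeholder\n")
        (d / "version").write_text("1.890\n")
    with open(rel / "cgi" / "password_change.cgi", "a") as f:
        f.write("# line present only in the release copy\n")
    (rel / "cgi" / "extra.cgi").write_text("# file present only in the release\n")
    return str(rel), str(src)


if __name__ == "__main__":
    rel_dir, src_dir = build_demo_trees()
    for key, files in compare_trees(rel_dir, src_dir).items():
        print(f"{key}: {files}")
```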

Cooper also stressed that the affected password expiration feature doesn’t come enabled by default for Webmin accounts, which means that most versions are not vulnerable in their default configuration, and the flaw only affects Webmin admins who have manually enabled this feature.

“To exploit the malicious code, your Webmin installation must have Webmin → Webmin Configuration → Authentication → Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution,” Cooper said.

However, another security researcher on Twitter later revealed that Webmin version 1.890 is affected in the default configuration, as the attackers appear to have modified the source code to enable the password expiration feature by default for all Webmin users.
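The conditions the article lays out (a release in the backdoored range, the expiry prompt enabled, or version 1.890 regardless of that setting) can be turned into a small triage check for an inventory of hosts. This is an added example, not code from the article or the Webmin project; it assumes the expiry policy is stored as a `passwd_mode` key in a key=value configuration file, with `2` meaning "prompt users with expired passwords", and the configuration fragments below are constructed samples.

```python
import re

# Release range the page names as carrying the backdoor, the release reported
# as affected even with default settings, and the first clean release.
BACKDOORED_RANGE = ((1, 882), (1, 921))
DEFAULT_VULNERABLE = {(1, 890)}
FIXED_VERSION = (1, 930)


def parse_version(text: str) -> tuple:
    """Turn a Webmin version string such as '1.890' into (1, 890)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def parse_miniserv_conf(text: str) -> dict:
    """Parse key=value lines of a miniserv.conf-style file into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def assess(version: str, conf_text: str) -> dict:
    """Apply the page's conditions: backdoored range, expiry prompt enabled
    (or the release where it was forced on), and whether an update is due."""
    v = parse_version(version)
    conf = parse_miniserv_conf(conf_text)
    in_range = BACKDOORED_RANGE[0] <= v <= BACKDOORED_RANGE[1]
    # Assumption: the expiry policy lives under passwd_mode, 2 = prompt users.
    expiry_prompt = conf.get("passwd_mode") == "2"
    exploitable = in_range and (expiry_prompt or v in DEFAULT_VULNERABLE)
    return {"version": v, "in_backdoored_range": in_range,
            "expiry_prompt_enabled": expiry_prompt,
            "likely_exploitable": exploitable,
            "needs_update": v < FIXED_VERSION}


# Constructed sample config fragments, not copied from any real host.
SAMPLE_DEFAULT_CONF = "port=10000\nssl=1\npasswd_mode=0\n"
SAMPLE_EXPIRY_CONF = "port=10000\nssl=1\npasswd_mode=2\n"

if __name__ == "__main__":
    for ver, conf in (("1.890", SAMPLE_DEFAULT_CONF), ("1.900", SAMPLE_DEFAULT_CONF),
                      ("1.900", SAMPLE_EXPIRY_CONF), ("1.930", SAMPLE_EXPIRY_CONF)):
        print(ver, assess(ver, conf))
```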

These unusual changes in the Webmin source code were flagged by an administrator late last year, but the Webmin developers treated them as their own mistake and never suspected that the code had been modified intentionally by someone else.

According to a Shodan search, Webmin has more than 218,000 Internet-exposed instances at the time of writing, mostly located in the United States, France, and Germany; over 13,000 of these run the vulnerable Webmin version 1.890.


Webmin developers have now removed the malicious backdoor from the software to address the vulnerability and released clean versions, Webmin 1.930 and Usermin 1.780.

The latest Webmin and Usermin releases also address a handful of cross-site scripting (XSS) vulnerabilities that were responsibly disclosed by a different security researcher who has been rewarded with a bounty.

Webmin administrators are therefore strongly advised to update their packages as soon as possible.
