From: Jamie C. <jca...@we...> - 2019-08-17 21:33:52

Thanks, I'm looking into this now. I'm guessing off hand that it's not remotely exploitable without an existing login, since the password change CGI can't be run unless you're already logged in.

On Aug 17, 2019 1:29 PM, Adam Hostetler <ad...@gm...> wrote:

> I believe the downloads hosted by SourceForge are compromised. They contain a backdoor in the password_change.cgi; this is related to the "0day" a few days ago. The code does not appear in the current GitHub repo nor in any commits in the past.
>
> Backdoor code:
>
>     if ($wuser) {
>         # Update Webmin user's password
>         $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
>         # Injected: the submitted "old" password is interpolated into qx// and run by the shell
>         $enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
>         $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
>         $perr && &pass_error(&text('password_enewpass', $perr));
>         $wuser->{'pass'} = &acl::encrypt_password($in{'new1'});
>     }
>
> "old" password is passed to qx, which executes it as a system command
>
> See https://www.reddit.com/r/netsec/comments/crk77z/0day_remote_code_execution_for_webmin/
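As an added example (not code from this thread or from Webmin itself), a small scanner for the pattern Adam describes: a request parameter interpolated into qx//, backticks or system() in a Perl CGI. It assumes Webmin's convention of reading CGI parameters into the %in hash via ReadParse(), and the sample source is constructed from the quoted snippet plus two extra lines.

```python
import re

# Constructed sample: the injected line from the thread, a harmless qx//
# with a fixed command, and a backtick call that also interpolates %in.
SAMPLE_CGI = r'''
if ($wuser) {
    # Update Webmin user's password
    $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
    $enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
    $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
    $wuser->{'pass'} = &acl::encrypt_password($in{'new1'});
}
my $host = qx/hostname/;
my $out = `ls $in{'dir'}`;
'''

# Perl constructs that hand a string to a shell: qx with the common
# delimiters, backticks, and system()/exec() given a double-quoted string.
SHELL_EXEC = re.compile(
    r"qx\s*(?:/(?P<s>[^/]*)/|\|(?P<p>[^|]*)\||\{(?P<b>[^}]*)\}|\((?P<r>[^)]*)\))"
    r"|`(?P<bt>[^`]*)`"
    r"|\b(?:system|exec)\s*\(\s*\"(?P<sy>[^\"]*)\""
)
# Request-controlled data in a Webmin CGI: %in is filled by ReadParse()
# from the query string / POST body, %ENV carries the CGI variables.
TAINTED = re.compile(r"\$in\{|\$ENV\{|\$in\b")

def shell_bodies(line):
    """Yield the command text of every shell-execution construct on a line."""
    for m in SHELL_EXEC.finditer(line):
        yield next(g for g in m.groups() if g is not None)

def find_tainted_exec(source):
    """Return (line number, stripped line) for every line where request
    data is interpolated into a string that reaches the shell."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if any(TAINTED.search(body) for body in shell_bodies(line)):
            hits.append((n, line.strip()))
    return hits

if __name__ == "__main__":
    for n, line in find_tainted_exec(SAMPLE_CGI):
        print(f"line {n}: {line}")
```

Run over an unpacked download, it flags the qx//$in{'old'} line and the backtick line but not the fixed-command qx/hostname/; a hit on a file that matches the upstream repository elsewhere is the signal to compare the tarball against git.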