Backdoor Found in Webmin Allowing Remote Root Access

A backdoor (CVE-2019-15107) has been identified in Webmin, a package that provides tools for remote server management. It was found in the official builds of the project, distributed via SourceForge and recommended on the main site. The backdoor was present in builds 1.882 through 1.921 inclusive (the git repository contained no backdoored code) and allowed arbitrary shell commands to be executed remotely, without authentication, with root privileges on the system.

An attack requires only a network-reachable Webmin port and an active old-password change function in the web interface (enabled by default in build 1.890, but disabled in the other versions). The problem is fixed in update 1.930. As a temporary measure to block the backdoor, it is enough to remove the “passwd_mode=” setting from the /etc/webmin/miniserv.conf configuration file. A prototype exploit has been prepared for testing.

The problem was found in the password_change.cgi script, which verifies the old password entered in the web form using the unix_crypt function; the password received from the user is passed to it without escaping special characters. In the git repository, this function is a wrapper around the Crypt::UnixCrypt module and is harmless, but the code archive supplied on the SourceForge site calls code that reads /etc/shadow directly, and does so through a shell construct. To attack, it is enough to enter the "|" character in the old-password field; the text following it is executed as root on the server.
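A defender-side audit of the two conditions named above (an official build in the 1.882 to 1.921 range and a passwd_mode= line in miniserv.conf), written as an added example rather than code from the article or the Webmin project; the key=value config format, the version string input and the constructed sample config are assumptions.

```python
# Added example (not opennet.ru's or Webmin's code) for CVE-2019-15107.
# Assumptions: miniserv.conf is a plain key=value file, the version is passed
# in as a string such as "1.890", and any passwd_mode= line counts as exposure,
# since the article advises removing the setting rather than changing its value.
from typing import Dict, Tuple

AFFECTED_MIN = (1, 882)  # first backdoored official build, per the article
AFFECTED_MAX = (1, 921)  # last backdoored build (inclusive)
FIXED_IN = (1, 930)      # update that removes the backdoor

# Constructed sample config; the passwd_mode value itself is not interpreted.
SAMPLE_CONF = "# constructed sample\nport=10000\nssl=1\npasswd_mode=2\n"


def parse_version(text: str) -> Tuple[int, int]:
    """Turn a Webmin version string like "1.890" into a comparable tuple."""
    major, minor = text.strip().split(".", 1)
    return int(major), int(minor)


def parse_miniserv_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def assess(version_text: str, conf_text: str) -> Dict[str, object]:
    """Flag installs matching the article's conditions. A build in the range
    made from git rather than the SourceForge archive is clean; this check
    cannot tell them apart and errs toward flagging."""
    version = parse_version(version_text)
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    has_passwd_mode = "passwd_mode" in parse_miniserv_conf(conf_text)
    if version >= FIXED_IN:
        action = "no action: fixed release"
    elif in_range and has_passwd_mode:
        action = "exposed: remove passwd_mode= from miniserv.conf, update to 1.930"
    elif in_range:
        action = "affected build, old-password change disabled: update to 1.930"
    else:
        action = "build outside the affected range"
    return {"affected_build_range": in_range, "passwd_mode_set": has_passwd_mode,
            "exposed": in_range and has_passwd_mode, "action": action}
```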

According to a statement from the Webmin developers, the malicious code was planted as a result of a compromise of the project's infrastructure. Details have not yet been released, so it is not clear whether the breach was limited to taking control of the SourceForge account or also affected other parts of the Webmin development and build infrastructure. The malicious code has been present in the archives since March 2018. The problem also affected Usermin builds. All download archives are now being rebuilt from Git.

Source: opennet.ru