Webmin password_change.cgi backdoor

2019-08-26T00:00:00
ID SAINT:B99ADDCFC5BBE083A5A4DEE6DA673DDD
Type saint
Reporter SAINT Corporation
Modified 2019-08-26T00:00:00

Description

Added: 08/26/2019

Background

Webmin is a web-based interface for system administration of Unix systems. The Webmin web server listens by default on port 10000/tcp.

Problem

A backdoor in Webmin allows a remote attacker to execute arbitrary commands by sending a POST request for **password_change.cgi** with a specially crafted **old** parameter.

Resolution

Upgrade to Webmin 1.930 or higher.

References

<http://www.webmin.com/exploit.html>
<https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html>

Limitations

Versions other than 1.890 are only affected if changing of expired passwords is enabled, which is not the case by default.
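
The Resolution and Limitations notes above can be combined into one exposure check per host. The following is an added example, not code from SAINT or Webmin; `triage` and `parse_miniserv` are hypothetical names, and it assumes the installed version string and the text of Webmin's `miniserv.conf` have already been collected. It also assumes `passwd_mode=2` is the `miniserv.conf` value that enables changing of expired passwords, which the advisory does not state.

```python
from decimal import Decimal, InvalidOperation

FIXED = Decimal("1.930")            # page: "Upgrade to Webmin 1.930 or higher"
DEFAULT_EXPOSED = Decimal("1.890")  # page: affected without the password option

def parse_miniserv(text):
    """Parse the key=value lines of miniserv.conf text into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def triage(version_text, miniserv_text):
    """Classify one host as 'fixed', 'exposed', 'upgrade' or 'unknown'."""
    try:
        version = Decimal(version_text.strip())
    except InvalidOperation:
        version = None
    if version is None or not version.is_finite():
        return "unknown", "unparseable version string"
    if version >= FIXED:
        return "fixed", "at or above 1.930"
    conf = parse_miniserv(miniserv_text)
    port = conf.get("port", "10000")  # page: default listener is 10000/tcp
    if version == DEFAULT_EXPOSED:
        return "exposed", f"1.890 is affected as installed (port {port}/tcp)"
    # Assumption: passwd_mode=2 is the miniserv.conf value that enables
    # changing of expired passwords at login.
    if conf.get("passwd_mode") == "2":
        return "exposed", f"expired-password change enabled (port {port}/tcp)"
    # The page gives no lower version bound, so anything below 1.930 that
    # is not exposed per the Limitations note is still flagged for upgrade.
    return "upgrade", "below 1.930, expired-password change not enabled"

if __name__ == "__main__":
    # Constructed sample inventory: (host, version text, miniserv.conf text)
    hosts = [
        ("web01", "1.890\n", "port=10000\n"),
        ("web02", "1.920\n", "port=10000\npasswd_mode=2\n"),
        ("web03", "1.920\n", "port=8443\npasswd_mode=0\n"),
        ("web04", "1.930\n", "port=10000\npasswd_mode=2\n"),
    ]
    for host, ver, conf in hosts:
        print(host, *triage(ver, conf))
```

Hosts reported as `exposed` are the ones to patch or isolate first; `upgrade` hosts still fall under the Resolution above.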