Webmin 0day remote code execution

A zero day has been released for the system administrator tool webmin

Webmin logo


Today’s exploit of the day is one affecting the popular system administrator tool Webmin that is know to run on port 10000.
A bug has been found in the reset password function that allows
a malicious third party to execute malicious code due to lack of input validation.


Webmin up to the latest version 1.920 instances which has the setting “user password change enabled”

The vulnerability has been given the CVE CVE-2019-15107

as the time of writing this(2019-08-16) the vulnerability still exists in the latest version you can download from webmin’s official site

Vulnerable code in version 1.920

computer@box:/tmp/webmin-1.920$ cat -n password_change.cgi | head -n 176 | tail -29
   149		# Read shadow file and find user
   150		&lock_file($miniserv{'passwd_file'});
   151		$lref = &read_file_lines($miniserv{'passwd_file'});
   152		for($i=0; $i<@$lref; $i++) {
   153			@line = split(/:/, $lref->[$i], -1);
   154			local $u = $line[$miniserv{'passwd_uindex'}];
   155			if ($u eq $in{'user'}) {
   156				$idx = $i;
   157				last;
   158				}
   159			}
   160		defined($idx) || &pass_error($text{'password_euser'});
   162		# Validate old password
   163		&unix_crypt($in{'old'}, $line[$miniserv{'passwd_pindex'}]) eq
   164			$line[$miniserv{'passwd_pindex'}] ||
   165				&pass_error($text{'password_eold'});
   167		# Make sure new password meets restrictions
   168		if (&foreign_check("changepass")) {
   169			&foreign_require("changepass", "changepass-lib.pl");
   170			$err = &changepass::check_password($in{'new1'}, $in{'user'});
   171			&pass_error($err) if ($err);
   172			}
   173		elsif (&foreign_check("useradmin")) {
   174			&foreign_require("useradmin", "user-lib.pl");
   175			$err = &useradmin::check_password_restrictions(
   176					$in{'new1'}, $in{'user'});

Proof of concept

The vulnerability laws in the &unix_crypt crypt function that checks
the passwd against the systems /etc/shadow file

By adding a simple pipe command (“|”) the author is able to exploit
this to execute what ever code he wants.
The pipe command is like saying and in the context
of “execute this command and this”

Webmin exploit logo

here does the author prove that this is exploitable
very easy with just a simple POST request.

Webmin has not had a public statement or patch being announced yet meaning everyone who is running webmin is running a vulnerable version and should take it offline until further notice.

It is still very unclear on how many public instances of webmin are public
on the internet a quick search on shodan finds a bit over 13 0000.

Webmin shodan

External links:
Webmin on wikipedia
Webmin in nmap
Authors blog post
Archived link of the authors blog post
Nist CVE

Stay up to date with Vulnerability Management and build cool things with our API

This blog post is part of the exploit of the day series
where we write a shorter description about interesting
exploits that we index.