Secret backdoor inserted into Webmin tool

A secret backdoor has been discovered implanted into Unix administration tool Webmin that could allow anyone with knowledge of it to execute commands as a root user.

The backdoor in Webmin version 1.890 was uncovered at the DEF CON 2019 security conference by Turkey-based researcher Özkan Mustafa Akkuş, and originally labelled as a command injection vulnerability.

But according to Webmin author Jamie Cameron, the exploit was not an accidental bug. Instead, the Webmin source code appears to have been maliciously modified to add a hidden vulnerability.

Cameron has traced the modification to an incident in April last year involving the Webmin development build server being exploited. The vulnerability was added to one of Webmin's scripts, and the timestamp of the modified script was set back so that the modification was not detected.

The same backdoor is present in versions 1.900 to 1.920 of the tool, but is only exploitable if an administrator had enabled the feature to allow the changing of expired passwords.

The 1.900 version initially reverted to using the previously valid version of the script, but attackers appear to have again edited the file to insert the modified backdoor.

The modified code was only present in the Webmin packages offered over SourceForge rather than GitHub.

Webmin was informed of a zero-day exploit making use of the vulnerability in August. In response, the exploit code was removed and a new version — 1.930 — created and released to users.

As a result of the incident, the Webmin team is updating the build process to only use checked-in code from GitHub. The company is also auditing all GitHub check-ins over the last year to look for similar vulnerabilities.

Image credit: ©iStockphoto.com