Open Source 2018-04-01 · 503 days · Backdoor, Remote Code Execution

Webmin build infrastructure inserted backdoor

Webmin's build infrastructure was compromised in 2018, and attackers modified password_change.cgi before official releases were produced.

Story

Webmin's 2019 backdoor was not born in the public Git tree. The project later explained that its development build server had been compromised in April 2018 and that password_change.cgi was modified there, in a local build directory rather than in Git. The modified file's timestamp was set back to match the previous version, so it looked untouched on disk and never appeared as a suspicious Git diff.

The first affected release, Webmin 1.890, shipped with a root command execution backdoor that was exploitable in a default install. The modified file was later overwritten with the clean copy from GitHub, but in July 2018 the attacker modified it again. This second version reached Webmin 1.900 through 1.920, where exploitation required the option to change expired passwords to be enabled, which it is not by default.

The malicious line was short. In the password-change path, attacker-controlled request input was interpolated into a qx/.../ expression, Perl's backtick operator, which hands the string to a shell and returns its output. Because Webmin commonly runs as root, a command supplied in the request ran on the operating system with root privileges.
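The snippet below is an added illustration of that bug class, not Webmin's code and not the injected line itself (which this record does not reproduce). It shows a request field interpolated into qx/.../ next to the handling the password path should have had: treat the value as data, compare it with crypt(), and, where an external program is unavoidable, call it without a shell. The %in field names and helper names are assumptions, and the attacker payload is constructed to be harmless.

```perl
#!/usr/bin/perl
# Added illustration of the bug class behind the Webmin backdoor. This is
# not Webmin's code and not the injected line itself; the field names in
# %in and the helper names are assumptions.
use strict;
use warnings;

# Simulated CGI input in the style of Webmin's %in hash. The "old password"
# field carries a shell pipeline; the payload is deliberately harmless here.
my %in = (
    user => 'root',
    old  => 'x|echo injected',   # constructed attacker input
);

# VULNERABLE: the untrusted field is interpolated into qx/.../ (Perl's
# backtick operator), which hands the whole string to /bin/sh. Every shell
# metacharacter in $in{'old'} is honoured, and under a default Webmin the
# CGI runs as root.
sub vulnerable_check {
    my ($in) = @_;
    my $out = qx/$in->{old}/;    # runs: sh -c 'x|echo injected'
    return $out;                 # "injected\n"
}

# HARDENED: the supplied password is data, never code. Compare it against
# the stored hash with crypt(); nothing from the request reaches a shell.
sub safe_check {
    my ($in, $stored_hash) = @_;
    return crypt($in->{old}, $stored_hash) eq $stored_hash ? 1 : 0;
}

# If an external program is genuinely required, the list form of system()
# executes it directly without /bin/sh, so the argument is passed verbatim
# and "x|echo injected" is printed as a literal string.
sub run_without_shell {
    my ($arg) = @_;
    my @cmd = ('/bin/echo', $arg);
    system(@cmd) == 0 or die "echo failed: $?";
}

# SHA-512 crypt salt: assumes glibc/libxcrypt, which is what Webmin's usual
# Linux hosts provide.
my $stored = crypt('correct horse', '$6$examplesalt$');

print "vulnerable path output: ", vulnerable_check(\%in);
print "safe check, wrong password: ", safe_check(\%in, $stored), "\n";
my %good = (%in, old => 'correct horse');
print "safe check, right password: ", safe_check(\%good, $stored), "\n";
print "argument passed without a shell: ";
run_without_shell($in{old});
```

Run as root (as Webmin's CGIs usually are), the vulnerable path would execute whatever the request carried; the hardened path never evaluates the field at all, which is the property a password check needs regardless of how the file was modified.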

The compromise survived a build-server replacement in September 2018 because the old build directory, modified file included, was restored from backup onto the new host. Public release of an exploit in August 2019 disclosed the issue. Webmin removed the code, released 1.930, rotated secrets that had lived on the old build system, and changed the build process to build from checked-in GitHub code instead of a synced local directory.
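The check that would have caught this, for both the backdated file in the build directory and the restored backup, is to compare what a release is built from against a clean export of the tagged source by content hash rather than by timestamp. The script below is an added example, not Webmin's build tooling: it hashes two directory trees and reports any file that differs, is extra, or is missing. Both trees are constructed inline so it runs offline; in practice the clean tree would come from `git archive <tag>` and the other from the release build directory. The file names are illustrative.

```perl
#!/usr/bin/perl
# Added example, not Webmin's tooling: compare a build directory against a
# clean export of the tagged source by content hash, so a backdated mtime
# cannot hide a modified file. Both trees are constructed inline below; in
# practice $clean_dir would be the output of "git archive <tag>" and
# $build_dir the directory a release tarball is produced from.
use strict;
use warnings;
use File::Find;
use File::Path qw(make_path);
use File::Temp qw(tempdir);
use Digest::SHA qw(sha256_hex);

# SHA-256 of every regular file under $root, keyed by path relative to $root.
sub tree_hashes {
    my ($root) = @_;
    my %hashes;
    find({
        no_chdir => 1,
        wanted   => sub {
            my $path = $File::Find::name;
            return unless -f $path;
            (my $rel = $path) =~ s{^\Q$root\E/?}{};
            open my $fh, '<:raw', $path or die "$path: $!";
            local $/;
            $hashes{$rel} = sha256_hex(<$fh>);
            close $fh;
        },
    }, $root);
    return \%hashes;
}

# Findings: files that differ, exist only in the build tree, or are missing.
sub compare_trees {
    my ($clean_root, $build_root) = @_;
    my $clean = tree_hashes($clean_root);
    my $build = tree_hashes($build_root);
    my @findings;
    for my $rel (sort keys %$build) {
        if (!exists $clean->{$rel}) {
            push @findings, "only in build tree: $rel";
        } elsif ($clean->{$rel} ne $build->{$rel}) {
            push @findings, "content differs: $rel";
        }
    }
    for my $rel (sort keys %$clean) {
        push @findings, "missing from build tree: $rel" unless exists $build->{$rel};
    }
    return @findings;
}

sub write_file {
    my ($path, $content) = @_;
    my ($dir) = $path =~ m{^(.*)/};
    make_path($dir) if defined $dir && !-d $dir;
    open my $fh, '>:raw', $path or die "$path: $!";
    print {$fh} $content;
    close $fh;
}

# Constructed sample: the clean export and a build directory in which one
# CGI has gained an extra line, then been backdated to the clean timestamp.
my $clean_dir = tempdir(CLEANUP => 1);
my $build_dir = tempdir(CLEANUP => 1);
my $legit = "#!/usr/bin/perl\n# change password\nprint \"ok\\n\";\n";
write_file("$clean_dir/password_change.cgi", $legit);
write_file("$clean_dir/miniserv.pl",         "# web server\n");
write_file("$build_dir/password_change.cgi", $legit . "# one extra line\n");
write_file("$build_dir/miniserv.pl",         "# web server\n");

my $clean_mtime = (stat "$clean_dir/password_change.cgi")[9];
utime $clean_mtime, $clean_mtime, "$build_dir/password_change.cgi"
    or die "utime: $!";

# A timestamp comparison is satisfied ...
my $build_mtime = (stat "$build_dir/password_change.cgi")[9];
printf "mtime matches clean export: %s\n", $build_mtime == $clean_mtime ? 'yes' : 'no';
# ... while the content-hash comparison reports the altered file.
print "$_\n" for compare_trees($clean_dir, $build_dir);
```

Wiring this into a release step, with the clean tree taken from the tag being released and the script failing the build on any finding, removes the class of problem here: a synced directory, a backup restore, or a backdated file all surface as a content difference, because the check never consults mtime.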

Affected Artifacts

webmin

· webmin.com · Source Archive
Observed
2018-07-19 to 2019-08-17
Compromised Versions
1.890 to 1.920
Fixed
1.930
Hashes
  • sha256:049286261fbcd846142014f4a7782ab3243b1a7ae816a57468f5d2f8c2199b0c
  • md5:7e1d72249a9eec92f9c9dc69dcfbffb3
Notes
  • Webmin's security page lists CVE-2019-15231 for the default-exploitable 1.890 case, while many exploit and advisory records track the broader 1.890 through 1.920 command-execution issue as CVE-2019-15107.
  • The attack date starts with the April 2018 build-server compromise. The artifact date starts with the Webmin 1.890 release.

Incident Context

Motive
Unauthorized Access Control
Attribution
Person
Cause
Compromised Infrastructure
Transitive
No
Actor
Individual Hacker

External References

Source record: oss/attacks/webmin/2019/meta.yaml