Submitted via IRC for SoyCow2718
Webmin, the open source web-based interface for managing Linux and UNIX systems, contained a remote code execution vulnerability for more than a year and it's believed to be an intentional backdoor.
The vulnerability, tracked as CVE-2019-15107, was disclosed at the recent DEFCON hacker conference, and Webmin developers were not notified of its existence before the details were made public.
The flaw is related to a feature designed for changing expired passwords and it allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.
The security hole impacts Webmin 1.882 through 1.921, but most versions are not vulnerable in their default configuration as the affected feature is not enabled by default. Version 1.890 is affected in the default configuration. The issue has been addressed with the release of Webmin 1.930 and Usermin version 1.780.
[...] A Shodan search shows over 215,000 internet-exposed Webmin instances, mostly located in the United States, France and Germany. However, there are roughly 15,000 results for searches of version 1.890, which is vulnerable in the default configuration.
Source: https://www.securityweek.com/webmin-backdoored-over-year
(Score: 5, Insightful) by epitaxial on Wednesday August 21 2019, @12:31PM (12 children)
Something something many eyes, impossible to do with open source.
(Score: 2) by FatPhil on Wednesday August 21 2019, @12:55PM (10 children)
For example, for the patch that introduced this bug, how many Acked-by, or Reviewed-by signoffs are on the commit?
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1, Informative) by Anonymous Coward on Wednesday August 21 2019, @12:59PM (3 children)
Nobody did. Reddit thread says the build system was compromised and the github-hosted code is clean
(Score: 4, Informative) by FatPhil on Wednesday August 21 2019, @01:22PM (2 children)
"""
In a blog post published today, Cooper said that the team is still investigating how and when the backdoor was introduced, but confirmed that the official Webmin downloads were replaced by the backdoored packages only on the project's SourceForge repository, and not on the Webmin's GitHub repositories.
"""
So this is nothing to do with many eyes, it's to do with unreliable download sources.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by jmichaelhudsondotnet on Wednesday August 21 2019, @04:39PM (1 child)
Isn't that terrifying? That someone working for sourceforge or who had admin creds is roaming around comprimising software packages?
Not just that the company of soureforge could be corrupt, but that a person is so evil that this is what they wake up in the morning and do.
I'll say it again, there is a type of organization that can make trustworthy things and we should be looking for that type of organization before we start installing.
This word 'opaque' keeps coming up as a bad thing when it comes to trustworthiness...
(Score: 2, Informative) by ThatIrritatingGuy on Wednesday August 21 2019, @05:34PM
Head developer admitted, that an earlier version of exploitable code originated from his machine: "there was a local edit to that file on my packaging system" source [github.com]. That earlier version was detected only because it generated an error, when trying to use the function correctly. In light of this, it is clear that it was not SF that compromised the package.
(Score: 5, Informative) by FatPhil on Wednesday August 21 2019, @01:12PM (2 children)
The bug was never introduced in the first place.
I just cloned github webmin/webmin, as of right now, and looked at where the exploit is:
https://github.com/webmin/webmin/blame/master/password_change.cgi
according to the exploit write-up:
https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
https://pentest.com.tr/images/defwebmin20-4.png
And the exploit isn't in that repo at all. So this must be some forked version.
Bonus points - the guy writing the exploit write-up is either stupid and spouting nonsense, or deliberately deceiving the reader with nonsense. Neither's a particularly desireable state of affairs, and doesn't make him look good at all. Yes AkkuS <Özkan Mustafa Akkuş>, if you google your name to see what people are saying about your vulnerability disclosure (incidentally - irresponsible disclosure, again, that makes you look like a twat), I'm calling you out. The thing he claims is "exactly" the bug *absolutely isn't the bug*. Any perl coder with any experience should immedately be able to detect why/where the code's all qxed up.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 4, Informative) by ThatIrritatingGuy on Wednesday August 21 2019, @05:20PM (1 child)
I strongly disagree that the issue was in a forked version.
It is true, that it did not show up in github source, however uploading to SourceForge was part of the release process for the original team [github.com]. For some reason, head developer recently removed [github.com] release instructions mentioning SourceForge from the github repo.
Additionally, the exploit was based on passing URL query value to a qx function, that executes provided string as system command with root privileges. This qx// function showed up in a github issue 947 [github.com], where previously mentioned developer admitted "there was a local edit to that file on my packaging system" and promptly closed the issue. Anyone, that knows perl, should get suspicious, when an unexpected qx shows up in their code.
I don't like conspiracy theories, but I find it very hard to give this developer the benefit of the doubt.
(Score: 2) by FatPhil on Wednesday August 21 2019, @09:13PM
Dear readers, please upmod parent, he makes a good point.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by maxwell demon on Wednesday August 21 2019, @02:38PM (2 children)
Maybe five.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday August 21 2019, @08:23PM
Odd that you would say that.
(Score: 2) by FatPhil on Wednesday August 21 2019, @09:16PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday August 21 2019, @07:05PM
Wow, an insightful straw man! No one claims it's impossible for Free Software to have bugs or even backdoors, but it's less likely and the incentive to do so isn't as strong. While Free Software will never be perfect, it is far better than to have an actively malicious organization such as Microsoft, Apple, Adobe, etc. have full control over every aspect of the software. Freedom is not perfect, but it is better than the alternative.
I don't believe that you believe in your own nonsense.