
posted by Fnord666 on Wednesday August 21 2019, @08:15AM   Printer-friendly
from the creeping-around-the-back-door dept.

Submitted via IRC for SoyCow2718

Webmin, the open source web-based interface for managing Linux and UNIX systems, contained a remote code execution vulnerability for more than a year and it's believed to be an intentional backdoor.

The vulnerability, tracked as CVE-2019-15107, was disclosed at the recent DEFCON hacker conference, and Webmin developers were not notified of its existence before the details were made public.

The flaw is related to a feature designed for changing expired passwords and it allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.

The security hole impacts Webmin 1.882 through 1.921, but most versions are not vulnerable in their default configuration as the affected feature is not enabled by default. Version 1.890 is affected in the default configuration. The issue has been addressed with the release of Webmin 1.930 and Usermin version 1.780.

[...] A Shodan search shows over 215,000 internet-exposed Webmin instances, mostly located in the United States, France and Germany. However, there are roughly 15,000 results for searches of version 1.890, which is vulnerable in the default configuration.

Source: https://www.securityweek.com/webmin-backdoored-over-year
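A triage helper for the version facts in the article, added here as an example of mine and not part of the article, of Webmin, or of the exploit write-up. It parses the `Server: MiniServ/<version>` banner that Webmin's built-in web server reports (the exact banner shape of a scan result is an assumption), compares each host against the affected range 1.882 through 1.921, and records the nuance that only 1.890 is exploitable in the default configuration: for the other affected versions the banner alone cannot tell you whether the expired-password feature is enabled, so the verdict stays conditional unless you know the host's configuration. The inventory is constructed sample data, not real hosts.

```python
import re
from collections import Counter

# Facts from the article: affected 1.882..1.921, 1.890 exploitable by default,
# fixed in 1.930. Webmin version numbers compare numerically, so floats are used.
AFFECTED_MIN, AFFECTED_MAX = 1.882, 1.921
DEFAULT_CONFIG_EXPLOITABLE = 1.890
FIXED_IN = 1.930

# Assumption: the banner carries "MiniServ/<major>.<minor>" as Webmin's own
# web server reports it; anything else is treated as "not Webmin / unknown".
BANNER_RE = re.compile(r"MiniServ/(\d+\.\d+)")


def parse_version(banner):
    """Return the Webmin version as a float, or None if the banner is not MiniServ."""
    m = BANNER_RE.search(banner or "")
    return float(m.group(1)) if m else None


def classify(version, expired_password_feature=None):
    """Classify one host.

    expired_password_feature: True/False if known from the host's config, None if
    only the banner is available (the usual case for an external scan).
    """
    if version is None:
        return "unknown"
    if version >= FIXED_IN:
        return "fixed"
    if version < AFFECTED_MIN:
        return "not-affected"
    if version > AFFECTED_MAX:
        return "unknown"  # the article lists no release between 1.921 and 1.930
    if version == DEFAULT_CONFIG_EXPLOITABLE or expired_password_feature:
        return "exploitable"
    if expired_password_feature is False:
        return "vulnerable-code-feature-disabled"
    return "vulnerable-if-feature-enabled"


def triage(records):
    """records: iterable of (host, banner, feature_flag_or_None) -> (per-host verdicts, totals)."""
    per_host = {}
    for host, banner, feature in records:
        per_host[host] = classify(parse_version(banner), feature)
    return per_host, Counter(per_host.values())


# Constructed sample inventory (documentation-range addresses, not real scan data).
SAMPLE = [
    ("203.0.113.10", "Server: MiniServ/1.890", None),
    ("203.0.113.11", "Server: MiniServ/1.900", None),
    ("203.0.113.12", "Server: MiniServ/1.900", True),
    ("203.0.113.13", "Server: MiniServ/1.921", False),
    ("203.0.113.14", "Server: MiniServ/1.930", None),
    ("203.0.113.15", "Server: MiniServ/1.870", None),
    ("203.0.113.16", "Server: nginx/1.14.0", None),
]

if __name__ == "__main__":
    hosts, totals = triage(SAMPLE)
    for host, verdict in hosts.items():
        print(f"{host:15} {verdict}")
    print(dict(totals))
```

Feed it your own inventory as (host, banner, feature-flag) tuples; hosts that come back "vulnerable-if-feature-enabled" need a look at the Webmin configuration before they can be cleared, and anything "exploitable" is unauthenticated root for whoever reaches it.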


  • (Score: 3, Interesting) by Snospar on Wednesday August 21 2019, @10:06AM (3 children)

    by Snospar (5366) on Wednesday August 21 2019, @10:06AM (#883040)

    When did SourceForge stop being a site you could trust? Oh, were they bought up by someone or other? Seems like it's way past time to trust source code (or indeed anything) downloaded from there.

    Good that...

    the code hosted on GitHub was reportedly clean

    Presumably the major distros get code from GitHub rather than SF?

    --
    Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
    • (Score: 1, Informative) by Anonymous Coward on Wednesday August 21 2019, @10:32AM (2 children)

      by Anonymous Coward on Wednesday August 21 2019, @10:32AM (#883046)

      You do realize that SF was in the same deal as /.? Dime is who you can thank for all that.

      • (Score: 3, Insightful) by isostatic on Wednesday August 21 2019, @11:46AM (1 child)

        by isostatic (365) on Wednesday August 21 2019, @11:46AM (#883061) Journal

        Since then it was bought by someone who genuinely seems to be trying to turn it round.

        • (Score: 2) by DannyB on Wednesday August 21 2019, @04:34PM

          by DannyB (5839) on Wednesday August 21 2019, @04:34PM (#883209) Journal

          But well after Dice destroyed any trust that anyone once had.

          Trust is hard to earn, easy to destroy.

          --
          If you eat an entire cake without cutting it, you technically only had one piece.
  • (Score: 5, Insightful) by epitaxial on Wednesday August 21 2019, @12:31PM (12 children)

    by epitaxial (3165) on Wednesday August 21 2019, @12:31PM (#883077)

    Something something many eyes, impossible to do with open source.

    • (Score: 2) by FatPhil on Wednesday August 21 2019, @12:55PM (10 children)

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday August 21 2019, @12:55PM (#883085) Homepage
      How many eyes?

      For example, for the patch that introduced this bug, how many Acked-by, or Reviewed-by signoffs are on the commit?
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 1, Informative) by Anonymous Coward on Wednesday August 21 2019, @12:59PM (3 children)

        by Anonymous Coward on Wednesday August 21 2019, @12:59PM (#883086)

        Nobody did. Reddit thread says the build system was compromised and the github-hosted code is clean

        • (Score: 4, Informative) by FatPhil on Wednesday August 21 2019, @01:22PM (2 children)

          by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday August 21 2019, @01:22PM (#883100) Homepage
          Yup:

          """
          In a blog post published today, Cooper said that the team is still investigating how and when the backdoor was introduced, but confirmed that the official Webmin downloads were replaced by the backdoored packages only on the project's SourceForge repository, and not on the Webmin's GitHub repositories.
          """

          So this is nothing to do with many eyes, it's to do with unreliable download sources.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by jmichaelhudsondotnet on Wednesday August 21 2019, @04:39PM (1 child)

            by jmichaelhudsondotnet (8122) on Wednesday August 21 2019, @04:39PM (#883213) Journal

            Isn't that terrifying? That someone working for sourceforge or who had admin creds is roaming around compromising software packages?

            Not just that the company of sourceforge could be corrupt, but that a person is so evil that this is what they wake up in the morning and do.

            I'll say it again, there is a type of organization that can make trustworthy things and we should be looking for that type of organization before we start installing.

            This word 'opaque' keeps coming up as a bad thing when it comes to trustworthiness...

            • (Score: 2, Informative) by ThatIrritatingGuy on Wednesday August 21 2019, @05:34PM

              by ThatIrritatingGuy (5857) on Wednesday August 21 2019, @05:34PM (#883237)

              Head developer admitted that an earlier version of exploitable code originated from his machine: "there was a local edit to that file on my packaging system" source [github.com]. That earlier version was detected only because it generated an error when trying to use the function correctly. In light of this, it is clear that it was not SF that compromised the package.

      • (Score: 5, Informative) by FatPhil on Wednesday August 21 2019, @01:12PM (2 children)

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday August 21 2019, @01:12PM (#883095) Homepage
         I can answer that myself - 0, but not because of what you might think (that there were zero eyes)...

        The bug was never introduced in the first place.

        I just cloned github webmin/webmin, as of right now, and looked at where the exploit is:
          https://github.com/webmin/webmin/blame/master/password_change.cgi
        according to the exploit write-up:
          https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
          https://pentest.com.tr/images/defwebmin20-4.png

        And the exploit isn't in that repo at all. So this must be some forked version.

         Bonus points - the guy writing the exploit write-up is either stupid and spouting nonsense, or deliberately deceiving the reader with nonsense. Neither's a particularly desirable state of affairs, and doesn't make him look good at all. Yes AkkuS <Özkan Mustafa Akkuş>, if you google your name to see what people are saying about your vulnerability disclosure (incidentally - irresponsible disclosure, again, that makes you look like a twat), I'm calling you out. The thing he claims is "exactly" the bug *absolutely isn't the bug*. Any perl coder with any experience should immediately be able to detect why/where the code's all qxed up.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 4, Informative) by ThatIrritatingGuy on Wednesday August 21 2019, @05:20PM (1 child)

          by ThatIrritatingGuy (5857) on Wednesday August 21 2019, @05:20PM (#883234)

          I strongly disagree that the issue was in a forked version.

          It is true that it did not show up in github source; however, uploading to SourceForge was part of the release process for the original team [github.com]. For some reason, the head developer recently removed [github.com] release instructions mentioning SourceForge from the github repo.

          Additionally, the exploit was based on passing a URL query value to a qx function, which executes the provided string as a system command with root privileges. This qx// function showed up in github issue 947 [github.com], where the previously mentioned developer admitted "there was a local edit to that file on my packaging system" and promptly closed the issue. Anyone who knows perl should get suspicious when an unexpected qx shows up in their code.

          I don't like conspiracy theories, but I find it very hard to give this developer the benefit of the doubt.
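A crude check for the pattern the comment above describes, added here as an example of mine (not Webmin's code and not from the exploit write-up): it scans Perl CGI source for shell-executing constructs (qx//, backticks, system/exec, a piped open) whose argument interpolates the `%in` request hash or `%ENV`, which is exactly the "unexpected qx" that should raise suspicion. The two embedded snippets are constructed illustrations of a vulnerable and a clean expired-password check written in a Webmin-like style; they are not Webmin's actual code, and the assumption that request data arrives in `%in` is this example's, matching how Webmin-style CGIs read their form input.

```python
import re

# Taint sources in a Webmin-style CGI: the %in hash that ReadParse() fills from
# the request, and the process environment. (Assumption: that is how input arrives.)
TAINT = re.compile(r"\$in\{|\$ENV\{")

# Shell-executing constructs in Perl.
QX = re.compile(r"\bqx\s*([^\w\s])")                 # qx/.../, qx{...}, qx(...)
BACKTICK = re.compile(r"`([^`]*)`")
SYSTEM_CALL = re.compile(r"\b(system|exec)\s*\(([^)]*)\)")
PIPE_OPEN = re.compile(r"\bopen\s*\([^,]+,\s*[\"']\s*\|([^\"']*)")
CLOSERS = {"{": "}", "(": ")", "[": "]", "<": ">"}


def shell_sinks(line):
    """Yield (construct, argument_text) for each shell-executing construct on a line."""
    for m in QX.finditer(line):
        opener = m.group(1)
        closer = CLOSERS.get(opener, opener)
        end = line.find(closer, m.end())
        yield "qx", line[m.end():end if end != -1 else len(line)]
    for m in BACKTICK.finditer(line):
        yield "backtick", m.group(1)
    for m in SYSTEM_CALL.finditer(line):
        yield m.group(1), m.group(2)
    for m in PIPE_OPEN.finditer(line):
        yield "open-pipe", m.group(1)


def find_tainted_sinks(perl_source):
    """Return [(lineno, construct, argument)] for sinks fed by request/env data.

    Heuristic and line-based: it strips text after '#' (so a '#' inside a string
    can hide a sink), ignores data flow through intermediate variables, and does
    not parse Perl. It flags the obvious case; review every hit by hand.
    """
    findings = []
    for lineno, line in enumerate(perl_source.splitlines(), 1):
        code = line.split("#", 1)[0]
        for construct, arg in shell_sinks(code):
            if TAINT.search(arg):
                findings.append((lineno, construct, arg.strip()))
    return findings


# Constructed samples (this example's own, not Webmin's code): the same
# expired-password check with and without a shell sink on the request value.
VULNERABLE_CGI = """if ($in{'old'} ne '') {
    $enc = &encrypt_password($in{'old'});
    $enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'}, qx/$in{'old'}/);
}
"""

CLEAN_CGI = """if ($in{'old'} ne '') {
    $enc = &encrypt_password($in{'old'});
    $enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'});
}
"""

if __name__ == "__main__":
    import sys
    sources = [open(p).read() for p in sys.argv[1:]] or [VULNERABLE_CGI, CLEAN_CGI]
    for src in sources:
        print(find_tainted_sinks(src) or "no tainted shell sinks")
```

Run it over the `password_change.cgi` of an installed copy (`python3 scan.py /usr/share/webmin/password_change.cgi` on a Debian-style layout, path assumed) rather than over a git checkout: the whole point of this incident is that the shipped file and the repository file were not the same.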

          • (Score: 2) by FatPhil on Wednesday August 21 2019, @09:13PM

            by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday August 21 2019, @09:13PM (#883308) Homepage
            I was discovering things as I posted. I agree it's not a fork that's the problem. However, it is not the "official" version of the source that's the problem. However, some of the "official" versions simply can't be trusted. If only they'd reduced it to a 160 bit hash like Linus, then it would have been reliable.

            Dear readers, please upmod parent, he makes a good point.
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
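One concrete form of the check this thread keeps circling (does the release archive match the tagged source?), added here as an example of mine rather than anything Webmin ships: hash every file under two directory trees, say a git checkout at the release tag and the unpacked SourceForge tarball, and report files that differ or exist on only one side. The demo builds two throwaway trees in a temp directory with constructed content (not Webmin's files) so it runs offline; on a real comparison, `git diff --no-index` on the reported paths shows what changed, and a build-generated file turning up under "only_in_candidate" is expected while a modified `.cgi` is not.

```python
import hashlib
import os
import tempfile


def tree_digest(root):
    """Map relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare_trees(reference, candidate, ignore=(".git",)):
    """Compare candidate (e.g. unpacked tarball) against reference (e.g. git checkout)."""
    ref = {p: d for p, d in tree_digest(reference).items() if p.split(os.sep)[0] not in ignore}
    cand = {p: d for p, d in tree_digest(candidate).items() if p.split(os.sep)[0] not in ignore}
    return {
        "modified": sorted(p for p in ref.keys() & cand.keys() if ref[p] != cand[p]),
        "only_in_candidate": sorted(cand.keys() - ref.keys()),
        "only_in_reference": sorted(ref.keys() - cand.keys()),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def build_demo():
    """Construct a 'checkout' and a 'tarball' that differ in one file, then compare them."""
    base = tempfile.mkdtemp(prefix="webmin-cmp-")
    checkout, tarball = os.path.join(base, "checkout"), os.path.join(base, "tarball")
    shared = {  # constructed placeholder content, not Webmin's files
        "password_change.cgi": "$enc = &encrypt_password($in{'old'});\n",
        "miniserv.pl": "# web server\n",
        "lang/en": "password_eold=Old password is incorrect\n",
    }
    for rel, text in shared.items():
        _write(checkout, rel, text)
        _write(tarball, rel, text)
    _write(checkout, ".git/HEAD", "ref: refs/heads/master\n")       # ignored on compare
    # The planted difference: the tarball's copy gained a shell-out on request input.
    _write(tarball, "password_change.cgi", shared["password_change.cgi"] + "qx/$in{'old'}/;\n")
    _write(tarball, "install.sh", "#!/bin/sh\n")                     # tarball-only helper
    return compare_trees(checkout, tarball)


if __name__ == "__main__":
    for kind, paths in build_demo().items():
        print(f"{kind}: {paths or '-'}")
```

This only tells you that the archive diverges from the repository, not which side is right; but a one-line difference in a CGI that handles unauthenticated input is exactly the kind of divergence nobody would have had to "review" a commit to find.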
      • (Score: 2) by maxwell demon on Wednesday August 21 2019, @02:38PM (2 children)

        by maxwell demon (1608) on Wednesday August 21 2019, @02:38PM (#883145) Journal

        How many eyes?

        Maybe five.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @08:23PM

          by Anonymous Coward on Wednesday August 21 2019, @08:23PM (#883296)

          How many eyes?

          Maybe five.

          Odd that you would say that.

        • (Score: 2) by FatPhil on Wednesday August 21 2019, @09:16PM

          by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday August 21 2019, @09:16PM (#883310) Homepage
          winky winky winky wink
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @07:05PM

      by Anonymous Coward on Wednesday August 21 2019, @07:05PM (#883275)

      Wow, an insightful straw man! No one claims it's impossible for Free Software to have bugs or even backdoors, but it's less likely and the incentive to do so isn't as strong. While Free Software will never be perfect, it is far better than letting an actively malicious organization such as Microsoft, Apple, Adobe, etc. have full control over every aspect of the software. Freedom is not perfect, but it is better than the alternative.

      I don't believe that you believe in your own nonsense.

  • (Score: 3, Informative) by Revek on Wednesday August 21 2019, @01:12PM (6 children)

    by Revek (5022) on Wednesday August 21 2019, @01:12PM (#883094)

    I use it for my machines. I do not however expose them to the internet. I use a ssh tunnel to access it on all of my machines.

    --
    This page was generated by a Swarm of Roaming Elephants
    • (Score: 2) by FatPhil on Wednesday August 21 2019, @01:15PM (4 children)

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday August 21 2019, @01:15PM (#883097) Homepage
      Can you compare your password_change.cgi with the one in the write-up? In particular the lines after # Update Webmin user's password
      (about line 40). Where did you get the package you're using from?
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by Revek on Thursday August 22 2019, @05:58AM (3 children)

        by Revek (5022) on Thursday August 22 2019, @05:58AM (#883481)

        I got my installation from the repo on webmin.com. It really doesn't matter that the software isn't secure. I don't have it accessible, except through localhost.

        --
        This page was generated by a Swarm of Roaming Elephants
        • (Score: 2) by FatPhil on Thursday August 22 2019, @11:11AM (2 children)

          by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday August 22 2019, @11:11AM (#883559) Homepage
          Except you're trusting webmin with the internals of your network. If you look at the bug thread from a year ago, you'll see that there's not a lot of good reasons to trust them - they might trash your system out of incompetence rather than malice.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by Revek on Friday August 23 2019, @07:49PM (1 child)

            by Revek (5022) on Friday August 23 2019, @07:49PM (#884324)

            No I'm not. All of my machines have public IP addresses since they do public things. Some are for web services, others for DNS. I have every machine firewalled with only SSH accessible from certain IP addresses. I've been using webmin for years and have never had any serious issues with how they handle system configurations. What issues I have had were easily fixed. It's small, light and capable; their trust has been earned. I have never trusted miniserv though. That is why it's always been safely behind the firewall and on a non-standard port at that. Whatever bug you are looking at did not affect any of my machines. But by all means do not trust them; trust ISPConfig, or you could just config them all without the aid of a GUI. I still do that sometimes to keep the skills fresh.

            --
            This page was generated by a Swarm of Roaming Elephants
            • (Score: 2) by FatPhil on Saturday August 24 2019, @11:48AM

              by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Saturday August 24 2019, @11:48AM (#884678) Homepage
              >> Except you're trusting webmin with the internals of your network.

              > No I'm not.

              > I've been using webmin for years ... their trust has been earned

              I have nothing more to say, both of our positions are clear, and only one is self-contradictory.
              --
              Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by jmichaelhudsondotnet on Wednesday August 21 2019, @04:36PM

      by jmichaelhudsondotnet (8122) on Wednesday August 21 2019, @04:36PM (#883212) Journal

      When I used it that's what I did too, this isn't really software that should be net facing.

      But it sure is handy geez, real swiss army software.

      Glad to read it sounds like it wasn't a failure of the devs but sourceforge.

  • (Score: -1, Troll) by Anonymous Coward on Wednesday August 21 2019, @06:04PM

    by Anonymous Coward on Wednesday August 21 2019, @06:04PM (#883254)

    use adminer instead.

  • (Score: 2) by PartTimeZombie on Wednesday August 21 2019, @09:27PM (1 child)

    by PartTimeZombie (4827) on Wednesday August 21 2019, @09:27PM (#883314)

    Have been testing Webmin on a CentOS box I have going spare, and just did what the webmin site told me to do:

    If you like to install and update Webmin via RPM, create the /etc/yum.repos.d/webmin.repo file containing :
    [Webmin]
    name=Webmin Distribution Neutral
    #baseurl=https://download.webmin.com/download/yum
    mirrorlist=https://download.webmin.com/download/yum/mirrorlist
    enabled=1
    You should also fetch and install my GPG key with which the packages are signed, with the commands :
    wget http://www.webmin.com/jcameron-key.asc [webmin.com]
    rpm --import jcameron-key.asc
    You will now be able to install with the command :
    yum install webmin
    All dependencies should be resolved automatically.

    And they were.

    Webmin seems to be incredibly powerful, although I could not seem to get the LDAP client to work, and it also felt really weird using it, sort of like cheating. I kept opening configs just to try to figure out what it was doing.

    I am in no way an expert, maybe I did it wrong?

    Oh, also it buggered up samba. A share I made was no longer accessible.

    Sorry guys, I'm not really looking for support. :-)

    • (Score: 2) by FatPhil on Saturday August 24 2019, @11:51AM

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Saturday August 24 2019, @11:51AM (#884680) Homepage
      If he's signing sploited packages, why are you even bothering to check the sig?
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves