On August 17, the developer of the popular Webmin and Usermin Unix tools pushed out an update to fix a handful of security issues. Normally that wouldn’t generate an avalanche of interest, but in this case, one of those vulnerabilities was introduced intentionally by someone who was able to compromise the software build infrastructure used by the developers.
“Webmin version 1.890 was released with a backdoor that could allow anyone with knowledge of it to execute commands as root,” Jamie Cameron, the author of Webmin, wrote in an explanation of the incident.
Webmin is a systems-management user interface tool that’s widely used in Unix-based environments, and Usermin is a webmail client. On Saturday the developer released an emergency update for the tools to address several cross-site scripting vulnerabilities, as well as a serious remote-code execution flaw that the developers say was inserted into the codebase on purpose. The vulnerability only appears in the version of the code that was released on SourceForge and not the version that was on GitHub. The backdoor was first introduced in version 1.890 and was also included in 1.900 and 1.920.
Cameron said that the Webmin build system was compromised sometime in April 2018 and the attacker was able to add the malicious code into the codebase. The attacker then rolled back the timestamp on the modified file so that the addition would not stand out.
“It appears that a build/test system was compromised some time last year and the exploit added to code in the directory from which packages are built (and file timestamps modified to make this change not show up in a git diff),” Cameron said in an email.
“How the exploit happened is impossible to determine at this point, as the machine in question has been decommissioned. Unfortunately before this the directory was copied to a new build host, so a limited version of the exploit persisted into future versions.”
The vulnerability that the attacker added to the Webmin code is a subtle one that was present in default configurations in Webmin 1.890. If Webmin was configured to prompt users to change their passwords once they’ve expired, the vulnerability was present and could be exploited remotely. The modified code went unnoticed for several months.
“The vulnerable file was reverted to the checked-in version from GitHub, but sometime in July 2018 the file was modified again by the attacker. However, this time the exploit was added to code that is only executed if changing of expired passwords is enabled,” Cameron said in his explanation.
“On September 10th 2018, the vulnerable build server was decommissioned and replaced with a newly installed server running CentOS 7. However, the build directory containing the modified file was copied across from backups made on the original server.”
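The two details Cameron describes above, a file edited in the build directory with its timestamp reset so the change did not show in a git diff, and that directory later restored from backup onto a new host, share one lesson: a check that trusts file stat data (size and modification time) can be defeated, while a check that hashes file contents cannot. The script below is an added example, not Webmin's own tooling. It builds a manifest of SHA-256 hashes from a clean checkout and compares a build tree against it by content only, and it contrasts that with a stat-only comparison. The directory names and the sample files are constructed for the demonstration.

```python
"""Content-hash verification of a build tree against the checked-in source.

Added example (not part of the Webmin project). Compares every file in a
build directory to a reference checkout by SHA-256, so a file whose bytes
changed but whose size and mtime were restored is still reported. The
sample tree created in demo() is constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile


def list_files(root: str) -> list:
    """Relative paths of all regular files under root, skipping VCS metadata."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return found


def hash_file(path: str) -> str:
    """SHA-256 of a file's bytes, read in chunks so large artifacts are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Manifest mapping each relative file path under root to its content hash."""
    return {rel: hash_file(os.path.join(root, rel)) for rel in list_files(root)}


def compare_manifests(reference: dict, build: dict) -> dict:
    """Files whose bytes differ, files only in the build tree, and files missing
    from it. Timestamps play no part in this decision."""
    modified = sorted(p for p in reference if p in build and reference[p] != build[p])
    added = sorted(p for p in build if p not in reference)
    missing = sorted(p for p in reference if p not in build)
    return {"modified": modified, "added": added, "missing": missing}


def stat_based_diff(ref_root: str, build_root: str) -> list:
    """What a check that trusts (size, mtime) would flag; shown only for contrast."""
    changed = []
    for rel in list_files(ref_root):
        a = os.stat(os.path.join(ref_root, rel))
        b_path = os.path.join(build_root, rel)
        if not os.path.exists(b_path):
            changed.append(rel)
            continue
        b = os.stat(b_path)
        if (a.st_size, int(a.st_mtime)) != (b.st_size, int(b.st_mtime)):
            changed.append(rel)
    return changed


def demo() -> dict:
    """Constructed scenario: a clean checkout, a build copy restored from it,
    and a same-size edit in the build copy with its mtime reset to match."""
    base = tempfile.mkdtemp(prefix="buildcheck-")
    src = os.path.join(base, "checkout")
    build = os.path.join(base, "build")
    os.makedirs(os.path.join(src, "lib"))
    with open(os.path.join(src, "lib", "module.pl"), "w") as f:
        f.write("# build 1\n")
    with open(os.path.join(src, "README"), "w") as f:
        f.write("clean tree\n")
    fixed = 1_500_000_000  # one fixed timestamp for every file in the checkout
    for rel in list_files(src):
        os.utime(os.path.join(src, rel), (fixed, fixed))
    shutil.copytree(src, build)  # copy2 keeps mtimes, like a backup restore does
    # Same-length edit in the build tree, then the timestamp rolled back.
    target = os.path.join(build, "lib", "module.pl")
    with open(target, "w") as f:
        f.write("# build 2\n")
    os.utime(target, (fixed, fixed))
    result = {
        "stat_diff": stat_based_diff(src, build),
        "hash_diff": compare_manifests(hash_tree(src), hash_tree(build)),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    r = demo()
    print("stat-only check reports:", r["stat_diff"])      # []
    print("content-hash check reports:", r["hash_diff"])   # modified: ['lib/module.pl']
```

In practice the reference manifest would be produced from the tagged release commit on a host the build machine cannot write to, and the comparison run against the package staging directory immediately before packaging; a restored backup of that directory, as in the incident above, then fails the check on the first build rather than shipping.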
The updated versions are Webmin 1.930 and Usermin 1.780. An exploit for the Webmin vulnerability is available publicly, adding to the urgency of installing the patched version. Details of the vulnerability became public during the DEF CON conference earlier this month, and exploit code is easily available. Cameron and the Webmin development team were only notified of the vulnerability on August 17 and then set about finding and removing the vulnerable code.
“Since the change wasn't made by me or any other developer, and was hidden via use of a tricky Perl operation that didn't make it clear that this could be used as an exploit,” he said in his email to Decipher.