The backdoor was intentionally planted in 2018 and found during the DEF CON 2019 security conference, when researchers stumbled upon the malicious code.
In an unnerving twist, when a critical zero-day vulnerability was reported in the Unix administration tool Webmin, it was revealed that the flaw was no accident. According to researchers, the vulnerability was a secret backdoor planted in the popular utility nearly a year before its discovery.
The backdoor gave anyone with knowledge of its existence the ability to execute commands as root, meaning an attacker could take control of the targeted endpoint. According to Jamie Cameron, the author of Webmin, the bogus version was 1.890. Two additional versions, 1.900 and 1.920, were found with near-identical backdoor code.
“Neither of these were accidental bugs – rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability,” Cameron wrote in a post outlining the issues.
According to Cameron, the Webmin development build server was compromised in April 2018. He said that is when a vulnerability was added to the “password_change.cgi” script. Cameron explained that the modified file was backdated so that it appeared to be the “checked-in” version of the code on GitHub, and so it escaped scrutiny. The code then shipped with the 1.890 release of Webmin.
Then in July 2018, the malicious actor behind the vulnerable version of the “password_change.cgi” script updated the file again. This time the change impacted the Webmin 1.900 release. “This time the exploit was added to code that is only executed if changing of expired passwords is enabled,” the author wrote.
Things got interesting in Sept. 2018, when the vulnerable build server was decommissioned and replaced with a newly installed server running CentOS 7. However, the vulnerable code “was copied across from backups made on the original server,” the author explained.
Either way, the bug only impacted systems with a specific configuration. “To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution,” according to a description of the bug.
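A triage check a defender can run against the releases and the configuration condition the article names, added here as an example (not code from Webmin or from Cameron's post). It assumes Webmin stores its release string in /etc/webmin/version and the password-expiry policy as `passwd_mode` in /etc/webmin/miniserv.conf, with 2 meaning the “prompt users with expired passwords” option; it also treats 1.890 as exposed regardless of that setting, since the article says only the later change was gated on it.

```python
"""Triage helper for the Webmin backdoor discussed above (added example).
Assumes Webmin keeps its release in /etc/webmin/version and the password-expiry
policy as `passwd_mode` in /etc/webmin/miniserv.conf (2 = prompt expired users).
"""
from pathlib import Path

BACKDOORED_VERSIONS = {"1.890", "1.900", "1.920"}  # releases named by Cameron
PROMPT_EXPIRED_PASSWORDS = "2"  # assumed passwd_mode value for the prompt option


def parse_miniserv_conf(text: str) -> dict:
    """Parse Webmin's one-pair-per-line key=value format, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def assess(version: str, conf: dict) -> str:
    """Return 'safe', 'backdoored-dormant' or 'backdoored-exposed'.

    Per the article, the 1.890 code was not gated on configuration, while the
    1.900 and 1.920 code ran only if expired-password prompting was enabled.
    """
    version = version.strip()
    if version not in BACKDOORED_VERSIONS:
        return "safe"
    if version == "1.890" or conf.get("passwd_mode") == PROMPT_EXPIRED_PASSWORDS:
        return "backdoored-exposed"
    return "backdoored-dormant"


def assess_host(version_file="/etc/webmin/version",
                conf_file="/etc/webmin/miniserv.conf") -> str:
    """Read the live files on a host and classify it (assumed paths)."""
    conf = parse_miniserv_conf(Path(conf_file).read_text())
    return assess(Path(version_file).read_text(), conf)


# Constructed sample: a 1.900 install with expiry prompting switched on.
SAMPLE_CONF = "# constructed, not a real host\nport=10000\npasswd_mode=2\n"

if __name__ == "__main__":
    print(assess("1.900", parse_miniserv_conf(SAMPLE_CONF)))  # backdoored-exposed
```

A "backdoored-dormant" result still calls for upgrading, since the malicious code is present and a single configuration change would expose it.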