Webmin Input Validation Flaw in 'miniserv.pl' May Let Remote Users Spoof Session IDs and Gain Root Access

SecurityTracker Alert ID: 1006160
SecurityTracker URL: http://securitytracker.com/id?1006160
CVE Reference: CVE-2003-0101
Updated: Jun 13 2008
Original Entry Date: Feb 24 2003
Impact: Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Secure Net Service (LAC)
Version(s): 1.060 (Usermin 0.990 is affected as well)
Description: A session ID spoofing vulnerability was reported in Webmin in the miniserv.pl component script. A remote user may be able to gain root access on the system.

Secure Net Service issued a security advisory warning that miniserv.pl does not filter metacharacters (line feed, carriage return) out of the credentials it decodes from the Base64 string during BASIC authentication. miniserv.pl passes the decoded username over the named pipe it uses between its child and parent processes, and that pipe protocol is line-oriented, so an embedded line feed lets a remote user smuggle an additional message into the channel and obtain a valid session ID for the 'admin' user without knowing any password. Holding an 'admin' session, the remote user can then execute arbitrary commands on the server with root privileges.

The attack only works when "Enable password timeouts" is turned on in Webmin (Webmin -> Configuration -> Authentication), since the password timeout handling is the code path that sends the supplied username across the pipe; the remote user also needs to know a valid username. The same flaw affects Usermin 0.990.

Impact: A remote user may be able to obtain an 'admin' session without authenticating and then execute commands with root privileges, gaining root access on the system.
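The injection described above, as an added example that is not from this page and not Webmin's own code: a Python simulation of a Basic-auth handler that reports a failed login to a parent process over a line-oriented pipe, with the unchecked path beside the fixed one, plus the header check a detection engineer would run over captured Authorization values. The pipe command names ('failed', 'new'), the session ID 1234567890 and the header values are constructed stand-ins for illustration; they are not miniserv.pl's real pipe protocol or a working exploit.

```python
import base64
import re

# Any C0 control character (CR and LF included) or DEL inside decoded
# credentials has no business in a username; this is the class of input the
# advisory says miniserv.pl failed to reject before writing to its pipe.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def decode_basic(header_value):
    """Split an 'Authorization: Basic <b64>' value into (user, password).

    Mirrors what a Basic-auth handler does: Base64-decode, then split on the
    first ':'.  Deliberately no filtering here, so the caller sees the raw
    decoded text, newline and all.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authentication header")
    decoded = base64.b64decode(blob, validate=True).decode("latin-1")
    user, _, password = decoded.partition(":")
    return user, password


def has_control_chars(s):
    """Detection check: True if a decoded credential carries CR/LF or other controls."""
    return _CONTROL.search(s) is not None


class ParentProcess:
    """Stand-in for the miniserv.pl parent reading a line-oriented named pipe.

    Hypothetical protocol (not miniserv.pl's real one): one command per line,
    'failed <user>' records a failed login for password-timeout bookkeeping,
    'new <sid> <user>' registers a session ID as belonging to <user>.
    """

    def __init__(self):
        self.sessions = {}   # session id -> user
        self.failures = []   # usernames reported as failed logins

    def read(self, data):
        for line in data.split("\n"):
            if not line:
                continue
            cmd, *args = line.split(" ")
            if cmd == "failed" and len(args) == 1:
                self.failures.append(args[0])
            elif cmd == "new" and len(args) == 2:
                self.sessions[args[0]] = args[1]


def child_report_failure(parent, user, filter_input):
    """Child side: tell the parent a login for `user` failed.

    filter_input=False reproduces the flaw: the decoded username is
    interpolated into a pipe line unchecked, so a username containing a
    line feed becomes two pipe commands.  filter_input=True is the fix:
    refuse any username with control characters before it reaches the pipe.
    """
    if filter_input and has_control_chars(user):
        raise ValueError("username contains control characters")
    parent.read(f"failed {user}\n")


def simulate_login(header_value, filter_input):
    """Run one failed-login round and return the parent's session table."""
    parent = ParentProcess()
    user, _password = decode_basic(header_value)
    try:
        child_report_failure(parent, user, filter_input)
    except ValueError:
        pass  # the hardened path drops the request; no pipe write happens
    return parent.sessions


# Constructed sample headers.  EVIL_HEADER carries 'root:x' with a line feed
# and a forged 'new <sid> admin' pipe line smuggled into the username part.
EVIL_HEADER = "Basic " + base64.b64encode(b"root\nnew 1234567890 admin:x").decode("ascii")
BENIGN_HEADER = "Basic " + base64.b64encode(b"root:x").decode("ascii")

if __name__ == "__main__":
    print("unfiltered:", simulate_login(EVIL_HEADER, filter_input=False))   # {'1234567890': 'admin'}
    print("filtered:  ", simulate_login(EVIL_HEADER, filter_input=True))    # {}
    print("benign:    ", simulate_login(BENIGN_HEADER, filter_input=False)) # {}
```

The unfiltered run ends with the parent holding a session for 'admin' that the client chose itself, even though the only thing the client "proved" was a failed login; the filtered run never writes to the pipe. The same `has_control_chars` check applied to decoded Authorization headers in proxy or web-server logs will flag attempts of this shape, since a legitimate Basic credential never decodes to anything containing CR or LF.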
Solution: The vendor has released fixed versions (Webmin 1.070 and Usermin 1.000), available at:
http://www.webmin.com/index.html

Vendor URL: www.webmin.com/

Cause: Authentication error, Input validation error

Underlying OS: Linux (Any), UNIX (Any)

Reported By: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents
Date: Mon, 24 Feb 2003 14:30:34 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
Subject: [SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability
----------------------------------------------------------------------
SNS Advisory No.62
Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"
Problem first discovered on: Wed, 19 Feb 2003
Published on: Mon, 24 Feb 2003
Previous Issue: http://www.lac.co.jp/security/english/snsadv_e/53_e.html
----------------------------------------------------------------------
Overview:
--------
A vulnerability that could result in session ID spoofing exists in
miniserv.pl, which is a webserver program that gets both Webmin and
Usermin to run.

Problem Description:
-------------------
Webmin is a web-based system administration tool for Unix. Usermin
is a web interface that allows all users on a Unix system to easily
receive mail and to perform SSH and mail forwarding configuration.

Miniserv.pl is a webserver program that gets both Webmin and Usermin
to run. Miniserv.pl carries out named pipe communication between the
parent and the child process during, for example, the creation and
confirmation of a session ID (the session used for access control via the
Web) and during the password timeout process.

Miniserv.pl does not check whether metacharacters, such as line feed
or carriage return, are included in the BASE64-encoded strings during
the BASIC authentication process. As a result, any user can log in as
the administrative user "admin" and spoof a session ID by using the pipe.
Exploitation, therefore, could make it possible for attackers to bypass
authentication and execute arbitrary commands as root.

[Preconditions for the exploit]
Webmin:
 * Webmin -> Configuration -> Authentication and "Enable password
   timeouts" is ON
 * a valid Webmin username is known
Usermin:
 * "Enable password timeouts" is ON
 * a valid Webmin username is known

Tested Versions:
---------------
Webmin Version: 1.060
Usermin Version: 0.990

Solution:
--------
This problem can be eliminated by upgrading to Webmin version 1.070
and Usermin version 1.000, available at:
http://www.webmin.com/

Discovered by:
-------------
Keigo Yamazaki

Acknowledgements:
----------------
Thanks to:
Jamie Cameron

Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd. shall
take no responsibility for any problems, loss or damage caused by, or by
the use of, information provided here.

This advisory can be found at the following URL:
http://www.lac.co.jp/security/english/snsadv_e/62_e.html
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/