SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Webmin Vendors:   Cameron, Jamie
Webmin Creates Insecure Temporary Files That Can Be Modified By Local Users to Cause Webmin to Execute Arbitrary Commands with Root Level Privileges
SecurityTracker Alert ID:  1002615
SecurityTracker URL:  http://securitytracker.com/id/1002615
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 22 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): v0.80, v0.88
Description:   iSecureLabs warned of a temporary file vulnerability was reported in the Webmin system administration tool. Local users can obtain root level access on the host.

It is reported that the Webmin application insecurely creates temporary files in the /tmp directory. The files have global read, write, and execute permissions (-rwxrwxrwx; 777) and are owned by root. Any local user can modify the file to add commands that will be executed by Webmin with root level privileges.

The problem is apparently located in the "run.cgi" script that create the temporary file with insecure permissions:

------
$temp = &tempname();
open(TEMP,">$temp");
...blablabla...
chmod(0777, $temp);
------

The vendor has reportedly been contacted.

Impact:   A local user can cause Webmin to execute commands with root level privileges, giving the local user root level access on the host.
Solution:   No vendor solution was available at the time of this entry.

The author of the report recommends the following fix:

To fix, change the line in the "run.cgi" script from:

chmod(0777, $temp);

to:

chmod(0700, $temp);

Vendor URL:  www.webmin.com/webmin/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested and approved on Mandrake 7.2 & Linux Redhat 6.2

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] Webmin 0.88 temporary insecure file creation, root compromise


--[ Webmin 0.88 temporary insecure file creation ]--

Discovered by aurelien.cabezon@iSecureLabs.com & Brain Override
christophe.casalegno@digital-network.org
http://www.isecurelabs.com/article.php?sid=148

Affected versions: v0.80, v0.88
Tested and approved on Mandrake 7.2 & Linux Redhat 6.2

--[ Overview ]--

Webmin is a web base administration tools for Linux operating system running
by root.
It suffer from a temporary insecure file creation vulnerability that can
lead to local root compromise.

--[ description ]--

Webmin create temporary insecure files in /tmp, those file are -rwxrwxrwx
(777) and owned by root.
Everyone can modify this kind of file during the execution of each system
command written is the temp file and add a command that will be executed by
the root.
This is a way to gain root privilege, to create files, modify files ...
Exemple: add cp /bin/sh /tmp/.backdoor at the end of the file and it will be
executed, giving you a root shell in /tmp

--[ Fix ]--

The problem is located in the script run.cgi that create the temporary file
giving it bad permissions.
------
$temp = &tempname();
open(TEMP,">$temp");
...blablabla...
chmod(0777, $temp);
------

To fix, change the line chmod(0777, $temp);
to chmod(0700, $temp);

Jamie Cameron (Webmin coder) has been contacted.


--[ informations ]--
http://www.webmin.com/webmin/
http://www.isecurelabs.com/article.php?sid=148

EOF



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC