SecurityTracker.com
Category:   Application (Generic)  >   Webmin
Vendors:   Cameron, Jamie
Webmin Input Validation Flaw in 'miniserv.pl' May Let Remote Users Spoof Session IDs and Gain Root Access
SecurityTracker Alert ID:  1006160
SecurityTracker URL:  http://securitytracker.com/id/1006160
CVE Reference:   CVE-2003-0101
Updated:  Jun 13 2008
Original Entry Date:  Feb 24 2003
Impact:   Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.060
Description:   A session ID spoofing vulnerability was reported in Webmin in the miniserv.pl component script. A remote user may be able to gain root access on the system.

Secure Net Service issued a security advisory warning that miniserv.pl does not properly filter user-supplied input during the BASIC authentication process. A remote user can inject meta-characters into a Base64-encoded BASIC authentication string to authenticate as an 'admin' user and spoof a valid session ID. The remote user may be able to execute arbitrary commands on the server with root privileges.

"Enable password timeouts" must be set in Webmin for this exploit to be successful.

Impact:   A remote user may be able to gain 'admin' access and then execute commands with root privileges to gain root access on the system.
Solution:   The vendor has released a fixed version (1.070), available at:

http://www.webmin.com/index.html

Vendor URL:  www.webmin.com/
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(EnGarde Issues Fix) WebTool Input Validation Flaw in 'miniserv.pl' May Let Remote Users Spoof Session IDs and Gain Root Access
EnGarde has released a fix.
(HP Issues Fix) Webmin Input Validation Flaw in 'miniserv.pl' May Let Remote Users Spoof Session IDs and Gain Root Access
HP has released a fix.
Jun 10 2003 (SGI Issues Fix for WebSetup) Re: Webmin Input Validation Flaw in 'miniserv.pl' May Let Remote Users Spoof Session IDs and Gain Root Access
SGI has issued a fix for WebSetup (WebMin).
Jun 13 2003 (Debian Issues Fix) Webmin Input Validation Flaw in 'miniserv.pl' May Let Remote Users Spoof Session IDs and Gain Root Access
Debian has released a fix.
Nov 18 2003 (SCO Issues Fix for OpenLinux) Re: Webmin Input Validation Flaw in 'miniserv.pl' May Let Remote Users Spoof Session IDs and Gain Root Access
SCO has issued a fix for SCO OpenLinux 3.1.1.



 Source Message Contents

Subject:  [SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability


----------------------------------------------------------------------
SNS Advisory No.62
Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"

Problem first discovered on: Wed, 19 Feb 2003
Published on: Mon, 24 Feb 2003 
Previous Issue: http://www.lac.co.jp/security/english/snsadv_e/53_e.html
----------------------------------------------------------------------

Overview:
--------
  A vulnerability that could result in a session ID spoofing exists in 
  miniserv.pl, which is a webserver program that gets both Webmin and 
  Usermin to run.

Problem Description:
-------------------
  Webmin is a web-based system administration tool for Unix. Usermin
  is a web interface that allows all users on a Unix system to easily 
  receive mails and to perform SSH and mail forwarding configuration.

  Miniserv.pl is a webserver program that gets both Webmin and Usermin 
  to run.  Miniserv.pl carries out named pipe communication between the 
  parent and the child process during, for example, the creation and 
  confirmation of a session ID (session used for access control via the 
  Web) and during the password timeout process. 

  Miniserv.pl does not check whether metacharacters, such as line feed 
  or carriage return, are included with BASE64 encoded strings during 
  the BASIC authentication process.  As a result, any user can log in as 
  an administrative user "admin" and spoof a session ID by using the pipe. 

  Exploitation, therefore, could make it possible for attackers to bypass 
  authentication and execute arbitrary commands as root.

  [Preconditions for the exploit]
      Webmin:
         * Webmin -> Configuration -> Authentication and "Enable password
           timeouts" is ON
         * a valid Webmin username is known

      Usermin:
         * "Enable password timeouts" is ON
         * a valid Webmin username is known
  
Tested Versions:
---------------
  Webmin Version: 1.060
  Usermin Version: 0.990 

Solution:
--------
  This problem can be eliminated by upgrading to Webmin version 1.070 
  and Usermin version 1.000 available at:

  http://www.webmin.com/ 

Discovered by:
-------------
  Keigo Yamazaki

Acknowledgements:
----------------
  Thanks to:
  Jamie Cameron

Disclaimer:
-----------
  The information contained in this advisory may be revised without prior 
  notice and is provided as it is.  Users shall take their own risk when 
  taking any actions following reading this advisory.  LAC Co., Ltd. shall 
  take no responsibility for any problems, loss or damage caused by, or by 
  the use of information provided here.

  This advisory can be found at the following URL:
  http://www.lac.co.jp/security/english/snsadv_e/62_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
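
The input check the advisory says miniserv.pl lacked, shown as an added Python example that is not Webmin's code and not part of the advisory: it validates the decoded BASIC credentials rather than the Base64 text, and rejects control characters before the values can reach a line-oriented channel such as a pipe. The function names and sample credentials are assumptions constructed for illustration.

```python
import base64
import binascii

# Bytes below 0x20 (CR, LF, NUL, ...) and DEL have no place in a username
# or password that will later be written to a line-oriented channel.
_CONTROL = set(range(0x20)) | {0x7F}


def parse_basic_auth(header_value):
    """Return (user, password) from an Authorization header value.

    Raises ValueError if the scheme is not Basic, the Base64 is malformed,
    or the decoded credentials contain control characters.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed Base64") from exc
    # Check the DECODED bytes: the encoded form is plain ASCII and hides CR/LF.
    if any(b in _CONTROL for b in raw):
        raise ValueError("control character in decoded credentials")
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep or not user:
        raise ValueError("missing user or ':' separator")
    return user, password


def is_acceptable(header_value):
    """True only if the header parses cleanly under the rules above."""
    try:
        parse_basic_auth(header_value)
        return True
    except ValueError:
        return False


def _hdr(creds):
    return "Basic " + base64.b64encode(creds).decode("ascii")

# Constructed sample header values (not taken from the advisory).
SAMPLES = {
    "plain": _hdr(b"alice:s3cret"),
    "lf_in_user": _hdr(b"alice\nextra:pw"),
    "cr_in_password": _hdr(b"alice:pw\rextra"),
}
```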


 
 



Copyright 2021, SecurityGlobal.net LLC