Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"

From: "snsadv () lac co jp" <snsadv () lac co jp>
Date: Mon, 24 Feb 2003 14:30:34 +0900
----------------------------------------------------------------------
SNS Advisory No.62
Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"

Problem first discovered on: Wed, 19 Feb 2003
Published on: Mon, 24 Feb 2003 
Previous Issue: http://www.lac.co.jp/security/english/snsadv_e/53_e.html
----------------------------------------------------------------------

Overview:
--------
  A vulnerability that could result in a session ID spoofing exists in 
  miniserv.pl, which is a webserver program that gets both Webmin and 
  Usermin to run.

Problem Description:
-------------------
  Webmin is a web-based system administration tool for Unix. Usermin
  is a web interface that allows all users on a Unix system to easily 
  receive mails and to perform SSH and mail forwarding configuration.

  Miniserv.pl is a webserver program that gets both Webmin and Usermin 
  to run.  Miniserv.pl carries out named pipe communication between the 
  parent and the child process during for example, the creation and 
  confirmation of a session ID (session used for access control via the 
  Web) and during the password timeout process. 

  Miniserv.pl does not check whether metacharacters, such as line feed 
  or carriage return, are included with BASE64 encoded strings during 
  the BASIC authentication process.  As a result, any user can login as 
  an administrative user "admin" and spoof a session ID by using the pipe. 

  Exploitation therefore, could make it possible for attackers to bypass 
  authentication and execute arbitrary command as root.

  [Preconditions for the exploit]
      Webmin:
         * Webmin -> Configuration -> Authentication and "Enable password
           timeouts" is ON
         * a valid Webmin username is known

      Usermin:
         * "Enable password timeouts" is ON
         * a valid Webmin username is known
  
Tested Versions:
---------------
  Webmin Version: 1.060
  Usermin Version: 0.990 

Solution:
--------
  This problem can be eliminated by upgrading to Webmin version 1.070 
  and Usermin version 1.000 available at:

  http://www.webmin.com/ 

Discovered by:
-------------
  Keigo Yamazaki

Acknowledgements:
----------------
  Thanks to:
  Jamie Cameron

Disclaimer:
-----------
  The information contained in this advisory may be revised without prior 
  notice and is provided as it is.  Users shall take their own risk when 
  taking any actions following reading this advisory.  LAC Co., Ltd. shall 
  take no responsibility for any problems, loss or damage caused by, or by 
  the use of information provided here.

  This advisory can be found at the following URL:
  http://www.lac.co.jp/security/english/snsadv_e/62_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv () lac co jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
Previous By Date Next
Previous By Thread Next

Current thread: