Problem first discovered on: Wed, 19 Feb 2003
Published on: Mon, 24 Feb 2003
Previous Issue: http://www.lac.co.jp/security/english/snsadv_e/53_e.html
----------------------------------------------------------------------
Overview:
--------
A vulnerability that could result in a session ID spoofing exists in
miniserv.pl, which is a webserver program that gets both Webmin and
Usermin to run.
Problem Description:
-------------------
Webmin is a web-based system administration tool for Unix. Usermin
is a web interface that allows all users on a Unix system to easily
receive mails and to perform SSH and mail forwarding configuration.
Miniserv.pl is a webserver program that gets both Webmin and Usermin
to run. Miniserv.pl carries out named pipe communication between the
parent and the child process during for example, the creation and
confirmation of a session ID (session used for access control via the
Web) and during the password timeout process.
Miniserv.pl does not check whether metacharacters, such as line feed
or carriage return, are included with BASE64 encoded strings during
the BASIC authentication process. As a result, any user can login as
an administrative user "admin" and spoof a session ID by using the pipe.
Exploitation therefore, could make it possible for attackers to bypass
authentication and execute arbitrary command as root.
[Preconditions for the exploit]
Webmin:
* Webmin -> Configuration -> Authentication and "Enable password
timeouts" is ON
* a valid Webmin username is known
Usermin:
* "Enable password timeouts" is ON
* a valid Webmin username is known
Solution:
--------
This problem can be eliminated by upgrading to Webmin version 1.070
and Usermin version 1.000 available at:
http://www.webmin.com/
Discovered by:
-------------
Keigo Yamazaki
Acknowledgements:
----------------
Thanks to:
Jamie Cameron
Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as it is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd. shall
take no responsibility for any problems, loss or damage caused by, or by
the use of information provided here.
This advisory can be found at the following URL:
http://www.lac.co.jp/security/english/snsadv_e/62_e.html
SNS Advisory No.62
Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"
Problem first discovered on: Wed, 19 Feb 2003
Published on: Mon, 24 Feb 2003
Previous Issue: http://www.lac.co.jp/security/english/snsadv_e/53_e.html
----------------------------------------------------------------------
Overview:
--------
A vulnerability that could result in a session ID spoofing exists in
miniserv.pl, which is a webserver program that gets both Webmin and
Usermin to run.
Problem Description:
-------------------
Webmin is a web-based system administration tool for Unix. Usermin
is a web interface that allows all users on a Unix system to easily
receive mails and to perform SSH and mail forwarding configuration.
Miniserv.pl is a webserver program that gets both Webmin and Usermin
to run. Miniserv.pl carries out named pipe communication between the
parent and the child process during for example, the creation and
confirmation of a session ID (session used for access control via the
Web) and during the password timeout process.
Miniserv.pl does not check whether metacharacters, such as line feed
or carriage return, are included with BASE64 encoded strings during
the BASIC authentication process. As a result, any user can login as
an administrative user "admin" and spoof a session ID by using the pipe.
Exploitation therefore, could make it possible for attackers to bypass
authentication and execute arbitrary command as root.
[Preconditions for the exploit]
Webmin:
* Webmin -> Configuration -> Authentication and "Enable password
timeouts" is ON
* a valid Webmin username is known
Usermin:
* "Enable password timeouts" is ON
* a valid Webmin username is known
Tested Versions:
---------------
Webmin Version: 1.060
Usermin Version: 0.990
Solution:
--------
This problem can be eliminated by upgrading to Webmin version 1.070
and Usermin version 1.000 available at:
http://www.webmin.com/
Discovered by:
-------------
Keigo Yamazaki
Acknowledgements:
----------------
Thanks to:
Jamie Cameron
Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as it is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd. shall
take no responsibility for any problems, loss or damage caused by, or by
the use of information provided here.
This advisory can be found at the following URL:
http://www.lac.co.jp/security/english/snsadv_e/62_e.html
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv (at) lac.co (dot) jp [email concealed]>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
[ reply ]