Webmin Doesn't Clean Env (root exploit)

From: J. Nick Koston (nickat_private)
Date: Sat May 26 2001 - 13:55:35 PDT


    Not sure if this is known, however I know I've seen quite a few people
    still using webmin 0.84.

    Webmin doesn't seem to clean the env properly when starting apache
    (probably in other cases as well).

    It leaves the var HTTP_AUTHORIZATION set.  All you need to do is run
    it through a mime 64 decode and you have the login and password to
    webmin.  (It also leaves SERVER_PORT set, so there should be no problem
    figuring out where the webmin is.)

    You can best see the effects by:

    1. Kill Apache
    2. Start Apache with webmin
    3. Go to a <?php phpinfo() ?> page and look at the vars

    The good news is that webmin 0.85 doesn't seem to have this problem
    because it doesn't use the same type of auth.  This only seems to
    affect webmin 0.84 and earlier.
    
    
                Nick
    
    <snip from phpinfo (some vars removed to protect the innocent)>

    PHP Variables

    Variable                                    Value
    PHP_SELF                                    /test.php
    HTTP_SERVER_VARS["DOCUMENT_ROOT"]           /usr/local/apache/htdocs
    HTTP_SERVER_VARS["HTTP_ACCEPT"]             text/*, image/*, audio/*, application/*
    HTTP_SERVER_VARS["HTTP_ACCEPT_ENCODING"]    gzip, compress, bzip, bzip2, deflate
    HTTP_SERVER_VARS["HTTP_ACCEPT_LANGUAGE"]    en; q=1.0
    HTTP_SERVER_VARS["HTTP_HOST"]               localhost
    HTTP_SERVER_VARS["HTTP_USER_AGENT"]         w3m/0.2.1
    HTTP_SERVER_VARS["PATH"]                    /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
    HTTP_SERVER_VARS["REMOTE_ADDR"]             127.0.0.1
    HTTP_SERVER_VARS["REMOTE_PORT"]             56523
    HTTP_SERVER_VARS["SCRIPT_FILENAME"]         /usr/local/apache/htdocs/test.php
    HTTP_SERVER_VARS["SERVER_ADDR"]             127.0.0.1
    HTTP_SERVER_VARS["SERVER_PORT"]             80
    HTTP_SERVER_VARS["SERVER_SOFTWARE"]         Apache/1.3.17 (Unix) PHP/4.0.4pl1
    HTTP_SERVER_VARS["GATEWAY_INTERFACE"]       CGI/1.1
    HTTP_SERVER_VARS["SERVER_PROTOCOL"]         HTTP/1.0
    HTTP_SERVER_VARS["REQUEST_METHOD"]          GET
    HTTP_SERVER_VARS["QUERY_STRING"]
    HTTP_SERVER_VARS["REQUEST_URI"]             /test.php
    HTTP_SERVER_VARS["PATH_TRANSLATED"]         /usr/local/apache/htdocs/test.php
    HTTP_SERVER_VARS["PHP_SELF"]                /test.php
    HTTP_SERVER_VARS["argv"]                    Array ( )
    HTTP_SERVER_VARS["argc"]                    0
    HTTP_ENV_VARS["SERVER_PORT"]                10000
    HTTP_ENV_VARS["GATEWAY_INTERFACE"]          CGI/1.1
    HTTP_ENV_VARS["PWD"]                        /root/webmin-0.84/apache/
    HTTP_ENV_VARS["HTTP_USER_AGENT"]            Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; rv:0.9) Gecko/20010505
    HTTP_ENV_VARS["PATH_INFO"]
    HTTP_ENV_VARS["HTTP_REFERER"]               http://localhost:10000/apache/
    HTTP_ENV_VARS["HTTP_HOST"]                  localhost:10000
    HTTP_ENV_VARS["HTTP_AUTHORIZATION"]         Basic YWRtaW46ZGF2ZQ==
    HTTP_ENV_VARS["HTTP_CONNECTION"]            keep-alive
    HTTP_ENV_VARS["WEBMIN_VAR"]                 /var/webmin
    HTTP_ENV_VARS["HTTP_ACCEPT_ENCODING"]       gzip,deflate,compress,identity
    HTTP_ENV_VARS["SERVER_ROOT"]                /root/webmin-0.84

    ....
    
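The sanitization step the post says Webmin 0.84 is missing, as an added example that is not Webmin's own code: a Python launcher that drops every CGI-derived variable (HTTP_*, SERVER_PORT, GATEWAY_INTERFACE and the like) before spawning a child process, plus a check that flags any environment variable carrying a Basic credential so the leak can be detected rather than decoded. The sample environment is constructed to mirror the phpinfo() output above, with a placeholder credential built in code; the allowlist, the SAFE_PATH value and treating WEBMIN_VAR as request context are assumptions made for this example.

```python
"""Added example: scrub CGI-derived variables before launching a daemon.

The request environment below is constructed to resemble the phpinfo()
snippet in the post; the credential is a placeholder built in code.
"""
import base64
import json
import re
import subprocess
import sys

# Variables a CGI gateway sets for the current request. None of them belong
# in the environment of a long-lived service spawned from that request.
CGI_PREFIXES = ("HTTP_",)
CGI_NAMES = {
    "GATEWAY_INTERFACE", "SERVER_PORT", "SERVER_ROOT", "SERVER_NAME",
    "SERVER_PROTOCOL", "SERVER_SOFTWARE", "REQUEST_METHOD", "REQUEST_URI",
    "QUERY_STRING", "PATH_INFO", "PATH_TRANSLATED", "SCRIPT_NAME",
    "SCRIPT_FILENAME", "REMOTE_ADDR", "REMOTE_PORT", "REMOTE_USER",
    "WEBMIN_VAR",  # assumption: treated as request context, as in the snippet
}

# Assumption: the only variables a child service may inherit, and the PATH
# it gets regardless of what the request handler ran under.
DEFAULT_ALLOW = ("PATH", "HOME", "LANG", "TZ")
SAFE_PATH = "/bin:/usr/bin:/sbin:/usr/sbin"

# Shape of an HTTP Basic credential: "Basic " followed by base64 text.
_BASIC_RE = re.compile(r"^\s*Basic\s+[A-Za-z0-9+/]+=*\s*$")


def is_cgi_var(name):
    """True for names a CGI gateway would have set for the request."""
    return name in CGI_NAMES or name.startswith(CGI_PREFIXES)


def find_leaked_credentials(env):
    """Return the names of variables that carry an HTTP Basic credential.

    Matches by name (anything containing AUTHORIZATION) and by value shape,
    so a credential copied into a differently named variable is still
    caught. Only the variable name is reported; the value is never decoded.
    """
    hits = []
    for name, value in env.items():
        if "AUTHORIZATION" in name.upper() or _BASIC_RE.match(value or ""):
            hits.append(name)
    return sorted(hits)


def clean_env(env, allow=DEFAULT_ALLOW):
    """Return an allowlisted copy of env: no CGI-derived variables, fixed PATH."""
    clean = {k: v for k, v in env.items() if k in allow and not is_cgi_var(k)}
    clean["PATH"] = SAFE_PATH
    return clean


def spawn_with_clean_env(argv, env):
    """Run argv under the scrubbed environment and return the finished process."""
    return subprocess.run(argv, env=clean_env(env), capture_output=True,
                          text=True, check=True)


def child_environment(env):
    """Spawn a child that reports its own environment, to prove the scrub worked."""
    probe = [sys.executable, "-c",
             "import os, json; print(json.dumps(dict(os.environ)))"]
    return json.loads(spawn_with_clean_env(probe, env).stdout)


def constructed_request_env():
    """Constructed sample: what a Webmin-style request handler might run under."""
    placeholder = base64.b64encode(b"admin:PLACEHOLDER-PASSWORD").decode()
    return {
        "PATH": "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin",
        "HOME": "/root",
        "PWD": "/root/webmin-0.84/apache/",
        "SERVER_PORT": "10000",
        "GATEWAY_INTERFACE": "CGI/1.1",
        "HTTP_HOST": "localhost:10000",
        "HTTP_AUTHORIZATION": "Basic " + placeholder,
        "WEBMIN_VAR": "/var/webmin",
        "SERVER_ROOT": "/root/webmin-0.84",
    }


if __name__ == "__main__":
    request_env = constructed_request_env()
    print("leaked in request env:", find_leaked_credentials(request_env))
    child = child_environment(request_env)
    print("leaked in child env:  ", find_leaked_credentials(child))
    print("child inherits:       ", sorted(child))
```

The same `find_leaked_credentials` check works on the environment of an already-running daemon (for instance, parsed from `/proc/<pid>/environ` on Linux), which is how an administrator would confirm whether a service started from a web console is still carrying the console's Authorization header.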



    This archive was generated by hypermail 2b30 : Mon May 28 2001 - 12:13:04 PDT