Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)

From: Noam Rathaus (noamrat_private)
Date: Fri Aug 30 2002 - 15:39:44 PDT

    Hi,
    
    But you are neglecting to note that if you DO LIMIT that user, he is still not
    LIMITED in any way. Meaning that if you provide your user with "admin" of the
    Apache ONLY (only access to the Apache module), but you still have RPC enabled,
    he is pretty much free to do whatever he wants, even though you have limited
    him.
    
    This is our main point of disagreement with the vendor: RPC shouldn't give you
    any more access than you have provided him via the ACL (the RPC module does
    not even try to verify what kind of access the 'admin', or in lower versions,
    any other user, has).
    
    Thanks
    Noam Rathaus
    CTO
    Beyond Security Ltd
    http://www.SecurITeam.com
    http://www.BeyondSecurity.com
    ----- Original Message -----
    From: "Muhammad Faisal Rauf Danka" <mfrdat_private>
    To: "SecurITeam BugTraq Monitoring" <bugtraqat_private>;
    <mfrdat_private>; <bugtraqat_private>
    Sent: Friday, August 30, 2002 11:50 PM
    Subject: Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)
    
    
    > Yes but wouldn't that be wrong in itself, to give root or admin user access to
    > someone for the purpose of providing "limited access", when it is confirmed that
    > admin or root login account for webmin has full access over all modules.
    >
    > <quote>
    > Vendor response:
    > The vendor has responded with the following statement:
    > That's not really a bug, because in standard webmin installs the 'admin' or
    > 'root' user has access to all modules with all privileges, which is equivalent to
    > having a root login.
    > </quote>
    >
    > Regards
    > --------
    > Muhammad Faisal Rauf Danka
    >
    > Head of GemSEC / Chief Technology Officer
    > Gem Internet Services (Pvt) Ltd.
    > web: www.gem.net.pk
    > Key Id: 0x784B0202
    > Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7  6A20 C592 484B
    > 784B 0202
    >
    >
    > --- "SecurITeam BugTraq Monitoring" <bugtraqat_private> wrote:
    > >Hi,
    > >
    > >This kind of setting means that a user by the name of 'admin' or 'root' is just
    > >a normal root with a shell since the RPC interface would allow him to do
    > >anything. This means that anyone giving "limited" access to their machines,
    > >appliance, etc, with a user named 'admin' or 'root' is actually giving them
    > >complete access to the machine (all they need to do is modify /etc/shadow and
    > >/etc/passwd, to add their own user, and then simply logon, of course other
    > >methods such as binding inetd to a /bin/bash are also possible, but would require
    > >a bit more "work").
    > >
    > >Thanks
    > >Noam Rathaus
    > >CTO
    > >Beyond Security Ltd
    > >http://www.SecurITeam.com
    > >http://www.BeyondSecurity.com
    > >----- Original Message -----
    > >From: "Muhammad Faisal Rauf Danka" <mfrdat_private>
    > >To: <bugtraqat_private>
    > >Sent: Friday, August 30, 2002 6:09 PM
    > >Subject: Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)
    > >
    > >
    > >> The problem has been fixed several versions before.
    > >> Current version is 0.990
    > >> However I am using version 0.980 of webmin.
    > >> And the default installation value for rpc in defaultacl file is 2.
    > >>
    > >> [root@linux /]# grep "rpc" /home/admin/webmin-0.980/defaultacl
    > >> rpc=2
    > >> [root@linux /]#
    > >>
    >
    
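    The check below is an added example, not code from this thread or from Webmin itself. It parses ACL text in the key=value form quoted above (`rpc=2` in defaultacl) and flags accounts whose module list is restricted while RPC is still enabled, which is exactly the gap Noam describes. It assumes `rpc=0` means RPC disabled and any other value means allowed; the sample ACL text and the account-to-module table are constructed.

```python
"""Audit Webmin-style ACL text for RPC grants that bypass module restrictions.

Added example for this thread. Assumptions (not confirmed by the thread):
  - ACL files are one key=value per line, as the quoted `rpc=2` line shows.
  - rpc=0 means RPC disabled; any other value means RPC is allowed.
"""

# Constructed sample in the style of `grep "rpc" .../defaultacl` output
SAMPLE_DEFAULTACL = """\
# constructed sample, not a real Webmin file
rpc=2
readonly=0
feedback=1
"""

# Constructed table: account -> modules the administrator intended to grant.
# "*" stands for "all modules" (a root-equivalent account).
SAMPLE_USER_MODULES = {
    "apacheadmin": ["apache"],   # meant to be Apache-only
    "root": ["*"],               # full access anyway
}


def parse_acl(text):
    """Parse key=value lines into a dict, skipping blanks and '#' comments."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        acl[key.strip()] = value.strip()
    return acl


def rpc_enabled(acl):
    """RPC is treated as enabled unless the ACL explicitly says rpc=0 (assumption)."""
    return acl.get("rpc", "0") != "0"


def find_rpc_bypass(acl_text, user_modules):
    """Return accounts whose module list is restricted yet RPC is enabled.

    Such an account can reach far beyond its ACL through RPC, so each name
    returned is one the administrator should either fully trust or strip of RPC.
    """
    if not rpc_enabled(parse_acl(acl_text)):
        return []
    return sorted(u for u, mods in user_modules.items() if "*" not in mods)
```

    Running `find_rpc_bypass(SAMPLE_DEFAULTACL, SAMPLE_USER_MODULES)` on the constructed sample reports `apacheadmin`, since the default `rpc=2` applies to an account that was meant to see only the Apache module.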



    This archive was generated by hypermail 2b30 : Sat Aug 31 2002 - 11:21:28 PDT