[SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"

From: snsadvat_private
Date: Sun Feb 23 2003 - 21:30:34 PST

    ----------------------------------------------------------------------
    SNS Advisory No.62
    Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"
    
    Problem first discovered on: Wed, 19 Feb 2003
    Published on: Mon, 24 Feb 2003 
    Previous Issue: http://www.lac.co.jp/security/english/snsadv_e/53_e.html
    ----------------------------------------------------------------------
    
    Overview:
    --------
      A vulnerability that could allow session ID spoofing exists in 
      miniserv.pl, the web server program that runs both Webmin and 
      Usermin.
    
    Problem Description:
    -------------------
      Webmin is a web-based system administration tool for Unix. Usermin
      is a web interface that allows all users on a Unix system to easily 
      read their mail and to configure SSH and mail forwarding.
    
      Miniserv.pl is the web server program that runs both Webmin and 
      Usermin.  Miniserv.pl communicates between the parent and the child 
      process over a named pipe, for example when creating and verifying a 
      session ID (the session used for access control via the Web) and 
      during the password timeout process. 
    
      During BASIC authentication, miniserv.pl does not check whether the 
      BASE64-decoded credential string contains metacharacters such as 
      line feed or carriage return.  As a result, any user can log in as 
      the administrative user "admin" and spoof a session ID by way of the 
      pipe. 
    
      Successful exploitation could therefore allow attackers to bypass 
      authentication and execute arbitrary commands as root.
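      The following is an added example, not code from the advisory or from
      Webmin itself: it shows the vulnerable pattern (decoding a BASIC
      credential and interpolating it straight into a line-oriented
      parent/child message) next to a hardened decoder that rejects control
      characters after BASE64 decoding. The "verify <user> <pass>" protocol,
      the function names and the sample credentials are constructed for
      illustration and do not reflect miniserv.pl's real pipe format.

```python
import base64
import re

# Constructed line-oriented parent/child protocol, ONE request per line:
#     "verify <user> <pass>"
# This is an illustrative simplification, not miniserv.pl's real format.
# Any CR/LF/NUL inside a field is read by the receiving process as the
# end of one record and the start of another.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def make_header(user, password):
    """Build an 'Authorization: Basic' value from constructed credentials."""
    raw = f"{user}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_credentials(header_value):
    """Decode a Basic auth value into (user, password); reject control chars."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        raise ValueError("not a Basic authentication header")
    try:
        # BASE64 is only transport encoding: the decoded bytes are whatever
        # the client chose, so validation must happen on the decoded text.
        decoded = base64.b64decode(b64, validate=True).decode("latin-1")
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("invalid BASE64 in credentials") from exc
    if CONTROL_CHARS.search(decoded):
        raise ValueError("control character in credentials")
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise ValueError("credentials are not of the form user:password")
    return user, password


def pipe_request_unchecked(header_value):
    """Vulnerable pattern: decode and interpolate without any validation."""
    _, _, b64 = header_value.partition(" ")
    user, _, password = base64.b64decode(b64).decode("latin-1").partition(":")
    return f"verify {user} {password}\n"


def pipe_request_checked(header_value):
    """Hardened pattern: validated credentials can only form one record."""
    user, password = decode_basic_credentials(header_value)
    return f"verify {user} {password}\n"


def is_rejected(header_value):
    """True if the hardened decoder refuses the header value."""
    try:
        decode_basic_credentials(header_value)
    except ValueError:
        return True
    return False
```

      Counting the newlines in the message each function produces shows the
      difference: an unchecked credential containing a line feed yields two
      protocol records, while the checked path refuses it outright.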
    
      [Preconditions for the exploit]
          Webmin:
             * Webmin -> Configuration -> Authentication and "Enable password
               timeouts" is ON
             * a valid Webmin username is known
    
          Usermin:
             * "Enable password timeouts" is ON
             * a valid Webmin username is known
      
    Tested Versions:
    ---------------
      Webmin Version: 1.060
      Usermin Version: 0.990 
    
    Solution:
    --------
      This problem can be eliminated by upgrading to Webmin version 1.070 
      and Usermin version 1.000 available at:
    
      http://www.webmin.com/ 
    
    Discovered by:
    -------------
      Keigo Yamazaki
    
    Acknowledgements:
    ----------------
      Thanks to:
      Jamie Cameron
    
    Disclaimer:
    -----------
      The information contained in this advisory may be revised without prior 
      notice and is provided as is.  Users act at their own risk when taking 
      any action based on this advisory.  LAC Co., Ltd. shall take no 
      responsibility for any problems, loss or damage caused by, or by the 
      use of, the information provided here.
    
      This advisory can be found at the following URL:
      http://www.lac.co.jp/security/english/snsadv_e/62_e.html
    
    ------------------------------------------------------------------
    Secure Net Service (SNS) Security Advisory <snsadvat_private>
    Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
    