Results 1 to 2 of 2

Thread: Webmin remote exploit

  1. February 25th, 2003, 01:31 AM #1
    Phat_Penguin
    Phat_Penguin is offline
    Senior Member
    Join Date
    May 2002
    Posts
    450

    Webmin remote exploit

    Received this advisory and maybe time to upgrade your webmin if using version 1.05 - 1.06.

    ***************************************

    Attached is an exploit for the latest Webmin vulnerability. It relies on a non-default setting (passdelay) to be enabled.

    Webmin can verify user authentication by use of a session ID (SID) that is assigned when a user successfully authenticates to Webmin. It is possible to inject a fake SID into the session ID database by using a malicious username containing control sequences used internally by Webmin.

    This exploit simply creates a SID of 1234567890 for the user 'admin'. Then, it is a simple case of creating a cookie in your favorite browser containing:

    sid=1234567890; testing=1

    Such that the Cookie HTTP header contains:

    Cookie: sid=1234567890; testing=1

    When the webmin server recieves this cookie, it is verified as an authentic SID and an attacker can take complete control of the Webmin server... this is basically root access to the box it is running on.

    ******************************************

    Overview:
    --------
    A vulnerability that could result in a session ID spoofing exists in miniserv.pl, which is a webserver program that gets both Webmin and Usermin to run.

    Problem Description:
    -------------------
    Webmin is a web-based system administration tool for Unix. Usermin is a web interface that allows all users on a Unix system to easily receive mails and to perform SSH and mail forwarding configuration.

    Miniserv.pl is a webserver program that gets both Webmin and Usermin to run. Miniserv.pl carries out named pipe communication between the parent and the child process during for example, the creation and confirmation of a session ID (session used for access control via the Web) and during the password timeout process.

    Miniserv.pl does not check whether metacharacters, such as line feed or carriage return, are included with BASE64 encoded strings during the BASIC authentication process. As a result, any user can login as an administrative user "admin" and spoof a session ID by using the pipe.

    Exploitation therefore, could make it possible for attackers to bypass authentication and execute arbitrary command as root.

    [Preconditions for the exploit]
    Webmin:
    * Webmin -> Configuration -> Authentication and "Enable password timeouts" is ON
    * a valid Webmin username is known

    Usermin:
    * "Enable password timeouts" is ON
    * a valid Webmin username is known

    Tested Versions:
    ---------------
    Webmin Version: 1.060
    Usermin Version: 0.990

    Solution:
    --------
    This problem can be eliminated by upgrading to Webmin version 1.070 and Usermin version 1.000 available at:

    http://www.webmin.com/

    I prefer not to have webmin running when the modem is up in any case.
    Reply With Quote Reply With Quote
  2. February 25th, 2003, 10:56 AM #2
    instronics
    instronics is offline
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Yikes, i have to admitt that i have not payed much attention to any updates on that product. I use webmin 1.06

    Thanks for telling us.

    (Goes to fix this problem)

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules