[Full-Disclosure] OpenLinux: Webmin/Usermin Session ID Spoofing Vulnerability

security_at_sco.com
Date: 11/17/03

    To: <announce@lists.caldera.com>, <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <security-alerts@linuxsecurity.com>
    Date: Mon, 17 Nov 2003 13:49:24 -0800 (PST)
    
    


    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: OpenLinux: Webmin/Usermin Session ID Spoofing Vulnerability
    Advisory number: CSSA-2003-035.0
    Issue date: 2003 November 17
    Cross reference: sr882687 fz528142 erg712377 CAN-2003-0101
    ______________________________________________________________________________

    1. Problem Description

            Webmin is a web-based system administration tool for Unix. Usermin
            is a web interface that allows all users on a Unix system to
            easily receive mail and to perform SSH and mail forwarding
            configuration.

            In these software packages, internal communication between the
            parent process and the child process over named pipes occurs
            during creation or verification of a session ID, or while
            password timeouts are being set. Because the control characters
            contained in the data passed as authentication information are
            not eliminated, it is possible to make Webmin and Usermin
            acknowledge any combination of user and session ID specified by
            an attacker. If an attacker logs into Webmin by exploiting this
            problem, there is a possibility that arbitrary commands may be
            executed with root privileges.

            The Common Vulnerabilities and Exposures (CVE) project has
            assigned the name CAN-2003-0101 to this issue. This is a
            candidate for inclusion in the CVE list (http://cve.mitre.org),
            which standardizes names for security problems.

            CAN-2003-0101 miniserv.pl in Webmin before 1.070 and Usermin before
            1.000 does not properly handle metacharacters such as line feeds and
            carriage returns (CRLF) in Base-64 encoded strings during Basic
            authentication, which allows remote attackers to spoof a session ID
            and gain root privileges.

    2. Vulnerable Supported Versions

            System                         Package
            ----------------------------------------------------------------------
            OpenLinux 3.1.1 Server         prior to webmin-0.89-12.i386.rpm
            OpenLinux 3.1.1 Workstation    prior to webmin-0.89-12.i386.rpm

    3. Solution

            The proper solution is to install the latest packages. Many
            customers find it easier to use the Caldera System Updater, called
            cupdate (or kcupdate under the KDE environment), to update these
            packages rather than downloading and installing them by hand.

    4. OpenLinux 3.1.1 Server

            4.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/RPMS

            4.2 Packages

            859d9998141394dc96f338087633814b webmin-0.89-12.i386.rpm

            4.3 Installation

            rpm -Fvh webmin-0.89-12.i386.rpm

            4.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/SRPMS

            4.5 Source Packages

            81c76fa65b710248c8108ea17740d88d webmin-0.89-12.src.rpm

    5. OpenLinux 3.1.1 Workstation

            5.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/RPMS

            5.2 Packages

            2c9048c8c623a9268b5233766890ea1c webmin-0.89-12.i386.rpm

            5.3 Installation

            rpm -Fvh webmin-0.89-12.i386.rpm

            5.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/SRPMS

            5.5 Source Packages

            cda66a1795a1a3914041ae920a245381 webmin-0.89-12.src.rpm

    6. References

            Specific references for this advisory:
                    http://www.lac.co.jp/security/english/snsadv_e/53_e.html
                    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0101

            SCO security resources:
                    http://www.sco.com/support/security/index.html

            This security fix closes SCO incidents sr882687 fz528142 erg712377.

    7. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers intended
            to promote secure installation and use of SCO products.

    8. Acknowledgements

            SCO would like to thank Keigo Yamazaki and Jamie Cameron for
            reporting this issue.

    ______________________________________________________________________________


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
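
Added example (not part of the SCO advisory and not Webmin's code): a Python model of the flaw described in section 1, where decoded Basic-authentication fields are written unfiltered to a line-oriented pipe between parent and child, shown beside a hardened form. The record layout, the "check" verb and all function names are hypothetical.

```python
import base64

# Hypothetical line-oriented IPC: one record per line, "verb user sid\n".
# This models the class of bug only; it is not miniserv.pl's wire format.

def has_control_chars(s):
    """True if s contains any C0 control character (CR, LF, ...) or DEL."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)

def frame_unsafe(verb, user, sid):
    """Vulnerable framing: fields are interpolated into the record as-is."""
    return f"{verb} {user} {sid}\n"

def frame_safe(verb, user, sid):
    """Hardened framing: refuse any field that could break record boundaries."""
    for field in (verb, user, sid):
        if not field or " " in field or has_control_chars(field):
            raise ValueError("illegal character in IPC field")
    return f"{verb} {user} {sid}\n"

def parse_basic_auth(header_value):
    """Decode 'Basic <b64>' and reject control characters before any use."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    decoded = base64.b64decode(b64, validate=True).decode("latin-1")
    user, sep, password = decoded.partition(":")
    if not sep or has_control_chars(user) or has_control_chars(password):
        raise ValueError("malformed credentials")
    return user, password

def records_seen_by_reader(wire):
    """What a line-reading peer on the pipe treats as separate records."""
    return [line for line in wire.split("\n") if line]

# Constructed sample: Base64 hides the embedded line feed from header parsing,
# so the check has to run on the decoded value.
SAMPLE_USER = "alice\nsecond-record"
SAMPLE_HEADER = "Basic " + base64.b64encode(
    (SAMPLE_USER + ":pw").encode("latin-1")).decode("ascii")
GOOD_HEADER = "Basic " + base64.b64encode(b"alice:pw").decode("ascii")

if __name__ == "__main__":
    # One logical request becomes two records on the pipe.
    print(records_seen_by_reader(frame_unsafe("check", SAMPLE_USER, "abc")))
    print(parse_basic_auth(GOOD_HEADER))
```

Filtering at both points matters: `parse_basic_auth` stops the value at the HTTP boundary, and `frame_safe` keeps the pipe protocol sound even if another code path supplies the field.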

