[UNIX] Webmin/Usermin Session ID Spoofing Vulnerability

From: support@securiteam.com
Date: 05/08/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  8 May 2002 21:30:39 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Webmin/Usermin Session ID Spoofing Vulnerability
------------------------------------------------------------------------

SUMMARY

A vulnerability in the communication between the parent process and the
child process of Webmin and Usermin could allow an attacker to spoof a
session ID as any user already logged in. As a result, users who are not
logged in may be able to use these software tools.

DETAILS

Vulnerable systems:
 * Webmin version 0.960
 * Usermin version 0.90

Immune systems:
 * Webmin version 0.970
 * Usermin version 0.910

Webmin is a web-based system administration tool for UNIX. Usermin is a
web interface that allows all users on a UNIX system to easily receive
mails and to perform SSH and mail forwarding configuration.
 
In these software packages, internal communication between the parent
process and the child process takes place over named pipes when a session
ID is created or verified, and when password timeouts are set. Because
control characters contained in the data passed as authentication
information are not removed, it is possible to make Webmin and Usermin
accept any combination of user and session ID specified by an attacker.
If the attacker is able to log into Webmin by using this problem, arbitrary
commands may be executed with root privileges.
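
The failure mode described above, as an added example that is not part of the original advisory and is not Webmin's code: a toy parent/child line protocol showing how an unfiltered newline in a login name becomes a second record on the parent's side, next to the field check that stops it. The `SESSION`/`FAIL` verbs, the field layout and the sample values are assumptions.

```python
import re

# Hypothetical line protocol (an assumption, not Webmin's real format):
# the child sends one "VERB field field\n" record per event to the parent.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def frame_naive(verb, *fields):
    """Unfiltered framing, the condition the advisory describes."""
    return f"{verb} {' '.join(fields)}\n".encode()

def frame_checked(verb, *fields):
    """Refuse any field that could alter record or field boundaries."""
    for f in fields:
        if f == "" or " " in f or _CONTROL.search(f):
            raise ValueError(f"illegal character in field: {f!r}")
    return f"{verb} {' '.join(fields)}\n".encode()

class Parent:
    """Parent side: reads records from the pipe and keeps the session table."""
    def __init__(self):
        self.sessions = {}   # session id -> username
        self.failures = {}   # username -> failed login count

    def feed(self, data):
        for line in data.decode().split("\n"):
            parts = line.split(" ")
            if parts[0] == "SESSION" and len(parts) == 3:
                self.sessions[parts[1]] = parts[2]
            elif parts[0] == "FAIL" and len(parts) == 2:
                self.failures[parts[1]] = self.failures.get(parts[1], 0) + 1

def report_failed_login(parent, username, framer):
    """Child side: record a failed login for password-timeout tracking."""
    try:
        parent.feed(framer("FAIL", username))
        return True
    except ValueError:
        return False  # rejected before anything reached the pipe

# Constructed input: a login name carrying an embedded newline.
CRAFTED_NAME = "x\nSESSION 1234 admin"
```

With `frame_naive` the parent ends up holding a session entry that no successful login created; with `frame_checked` the same input is rejected in the child and the parent's tables stay empty.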

Preconditions for a successful exploit:
In the case of Webmin:
 * Webmin->Configuration->Authentication "Enable password timeouts" is
enabled
 * A valid Webmin username is known (by default, user "admin" exists and
this user can use all the functions, including command shell)

In the case of Usermin:
 * Password timeout is enabled
 * A valid Usermin username is known

Solution:
This problem can be eliminated by upgrading to Webmin version
0.970/Usermin version 0.910, which are available at:
http://www.webmin.com/

ADDITIONAL INFORMATION

The information has been provided by Keigo Yamazaki <snsadv@lac.co.jp>.
