|
COMMAND Webmin/Usermin Session ID Spoofing Vulnerability SYSTEMS AFFECTED Webmin Version: 0.960 Usermin Version: 0.90 PROBLEM Keigo Yamazaki of LAC Co.,Ltd [http://www.lac.co.jp/] found : Webmin is a web-based system administration tool for Unix. Usermin is a web interface that allows all users on a Unix system to easily receive mails and to perform SSH and mail forwarding configuration. Internal communication between the parent process and the child process using named pipes occur in these software packages during creation or verification of a session ID, or during the setting process of password timeouts. Because the control characters contained in the data passed as authentication information are not eliminated, it is possible to make Webmin and Usermin to acknowledge the combination of any user and session ID specified by an attacker. If the attacker could log into Webmin by using this problem, there is a possibility that arbitrary commands may be executed with root privileges. [Preconditions for a successful exploit] In the case of Webmin : * Webmin->Configuration->Authentication \"Enable password timeouts\" is enabled * if a valid Webmin username is known by default, user \"admin\" exists and this user can use all the functions, including command shell In the case of Usermin: * if password timeout is enabled * if a valid Usermin username is known SOLUTION This problem can be eliminated by upgrading to Webmin version 0.970/ Usermin version 0.910, which are available at: http://www.webmin.com/