|
To: announce@lists.caldera.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com security-alerts@linuxsecurity.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenLinux: Webmin/Usermin Session ID Spoofing Vulnerability Advisory number: CSSA-2003-035.0 Issue date: 2003 November 17 Cross reference: sr882687 fz528142 erg712377 CAN-2003-0101 ______________________________________________________________________________ 1. Problem Description Webmin is a web-based system administration tool for Unix. Usermin is a web interface that allows all users on a Unix system to easily receive mails and to perform SSH and mail forwarding configuration. Internal communication between the parent process and the child process using named pipes occur in these software packages during creation or verification of a session ID, or during the setting process of password timeouts. Because the control characters contained in the data passed as authentication information are not eliminated, it is possible to make Webmin and Usermin to acknowledge the combination of any user and session ID specified by an attacker. If the attacker could log into Webmin by using this problem, there is a possibility that arbitrary commands may be executed with root privileges. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0101 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2003-0101 miniserv.pl in Webmin before 1.070 and Usermin before 1.000 does not properly handle metacharacters such as line feeds and carriage returns (CRLF) in Base-64 encoded strings during Basic authentication, which allows remote attackers to spoof a session ID and gain root privileges. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to webmin-0.89-12.i386.rpm OpenLinux 3.1.1 Workstation prior to webmin-0.89-12.i386.rpm 3. Solution The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/RPMS 4.2 Packages 859d9998141394dc96f338087633814b webmin-0.89-12.i386.rpm 4.3 Installation rpm -Fvh webmin-0.89-12.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/SRPMS 4.5 Source Packages 81c76fa65b710248c8108ea17740d88d webmin-0.89-12.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/RPMS 5.2 Packages 2c9048c8c623a9268b5233766890ea1c webmin-0.89-12.i386.rpm 5.3 Installation rpm -Fvh webmin-0.89-12.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/SRPMS 5.5 Source Packages cda66a1795a1a3914041ae920a245381 webmin-0.89-12.src.rpm 6. References Specific references for this advisory: http://www.lac.co.jp/security/english/snsadv_e/53_e.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0101 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr882687 fz528142 erg712377. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgements SCO would like to thank Keigo Yamazaki and Jamie Cameron for reporting this issue. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (SCO/UNIX_SVR5) iD8DBQE/uT+LbluZssSXDTERAtbcAJ9uRJYy8bBK11z9OStcBEzGSh1wggCfXC+w nARQfC+cEIpatb0lNeChuDA= =BAVd -----END PGP SIGNATURE-----