OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: snsadvlac.co.jp
Date: Wed May 08 2002 - 00:20:32 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ----------------------------------------------------------------------
    SNS Advisory No.53
    Webmin/Usermin Session ID Spoofing Vulnerability

    Problem first discovered: Sat, 4 May 2002
    Published: Tue, 7 May 2002
    ----------------------------------------------------------------------

    Overview:
    ---------
      A vulnerability lies in the communication between the parent process
      and the child process of Webmin and Usermin, which could allow an
      attacker to spoof a session ID as any user already logged in. This
      results in the possibility for users who are not logged in, to be able
      to use these software tools.

    Description:
    ------------
      Webmin is a web-based system administration tool for Unix. Usermin
      is a web interface that allows all users on a Unix system to easily
      receive mails and to perform SSH and mail forwarding configuration.
      
      Internal communication between the parent process and the child process
      using named pipes occur in these software packages during creation or
      verification of a session ID, or during the setting process of password
      timeouts. Because the control characters contained in the data passed
      as authentication information are not eliminated, it is possible to make
      Webmin and Usermin to acknowledge the combination of any user and session
      ID specified by an attacker. If the attacker could log into Webmin by
      using this problem, there is a possibility that arbitrary commands may be
      executed with root privileges.

      [Preconditions for a successful exploit]

      In the case of Webmin :

      * Webmin->Configuration->Authentication
        "Enable password timeouts" is enabled
      * if a valid Webmin username is known
        by default, user "admin" exists and this user can use all the
        functions, including command shell

      In the case of Usermin:

      * if password timeout is enabled
      * if a valid Usermin username is known

    Tested Versions:
    ----------------
      Webmin Version: 0.960
      Usermin Version: 0.90

    Solution:
    ---------
      This problem can be eliminated by upgrading to Webmin version 0.970/
      Usermin version 0.910, which are available at:

      http://www.webmin.com/

    Discovered by:
    --------------
      Keigo Yamazaki

    Disclaimer:
    -----------
      All information in these advisories are subject to change without any
      advanced notices neither mutual consensus, and each of them is released
      as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
      caused by applying those information.