From: Marcus Meissner (Marcus.Meissnercaldera.de)
Date: Wed May 30 2001 - 10:49:39 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ______________________________________________________________________________
                       Caldera International, Inc. Security Advisory

    Subject: webmin root account leak
    Advisory number: CSSA-2001-019.0
    Issue date: 2001 May, 30
    Cross reference:
    ______________________________________________________________________________

    1. Problem Description

       When starting system daemons from the webmin webfrontend, webmin
       does not clear its environment variables. Since these variables
       contain the authorization of the administrator, any daemon gets
       these variables.

       If the apache web server has been (re)started from webmin, a simple
       attack would be to write a CGI script which just dumps all environment
       variables, which contain the root password in a base64 encoded string.

       This is just a preliminary advisory until we have fixed packages
       available.

    2. Vulnerable Versions

       System                       Package
       -----------------------------------------------------------
       OpenLinux 2.3                not vulnerable

       OpenLinux eServer 2.3.1      All webmin packages.
       and OpenLinux eBuilder

       OpenLinux eDesktop 2.4       All webmin packages.

    3. Solution

       Workaround

          Disable the webmin service until fixed packages are available.

          Reboot your machine to make sure all daemons are restarted without
          tainted environment variables, or at least run as root:

                  /etc/rc.d/init.d/httpd stop
                  /etc/rc.d/init.d/httpd start

          to avoid trivial exploits.

       We will release fixed packages in the next few days.

    4. Disclaimer

       Caldera International, Inc. is not responsible for the misuse of
       any of the information we provide on this website and/or through our
       security advisories. Our advisories are a service to our customers
       intended to promote secure installation and use of Caldera OpenLinux.

    5. Acknowledgements:

       Caldera International does acknowledge J. Nick Koston for reporting
       the problem, but would appreciate if vendors would get notified first
       before posting to BugTraq.
    ______________________________________________________________________________
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.5 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE7FRYJ18sy83A/qfwRAjHeAJ9VzIKZR0aBrFBilQgk/WePVt1fVQCdEAXH
    wrDu8oI2Z7jShz9XsPLEosg=
    =sF1+
    -----END PGP SIGNATURE-----
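
The leak described in section 1 and the restart check from section 3, as an added example that is not part of the advisory or of webmin's code: a daemon started with an allow-listed environment no longer inherits the administrator's credentials, and a `/proc/<pid>/environ` blob can be checked for values shaped like HTTP Basic credentials. The variable name `HTTP_AUTHORIZATION`, the allow-list and the sample password are assumptions made for the illustration; the advisory does not name the variable.

```python
import base64
import binascii
import json
import subprocess
import sys

SAFE_VARS = ("PATH", "LANG", "TZ")  # assumed allow-list; adjust per daemon
DUMP_ENV = "import json, os; print(json.dumps(dict(os.environ)))"

def clean_env(parent_env, allow=SAFE_VARS):
    """Build the environment a daemon should be started with."""
    env = {k: parent_env[k] for k in allow if k in parent_env}
    env.setdefault("PATH", "/sbin:/usr/sbin:/bin:/usr/bin")
    return env

def child_sees(env):
    """Start a stand-in daemon and return the environment it received."""
    proc = subprocess.run([sys.executable, "-c", DUMP_ENV], env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

def tainted_vars(environ_blob):
    """Names of variables in a NUL-separated /proc/<pid>/environ blob
    whose value looks like HTTP Basic credentials (base64 of user:pass)."""
    hits = []
    for entry in environ_blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if not sep or not value.startswith(b"Basic "):
            continue
        try:
            decoded = base64.b64decode(value[6:], validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64, so not a Basic credential
        if b":" in decoded:
            hits.append(name.decode("ascii", "replace"))  # report name only
    return hits

# Constructed sample: environment of the admin CGI process (not real data).
SECRET = "Basic " + base64.b64encode(b"root:constructed-password").decode()
ADMIN_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C", "HTTP_AUTHORIZATION": SECRET}

if __name__ == "__main__":
    print("inherited:", "HTTP_AUTHORIZATION" in child_sees(ADMIN_ENV))
    print("scrubbed: ", "HTTP_AUTHORIZATION" in child_sees(clean_env(ADMIN_ENV)))
    blob = b"\0".join(f"{k}={v}".encode() for k, v in ADMIN_ENV.items())
    print("flagged:", tainted_vars(blob))
```

On a live system the blob passed to `tainted_vars` would be the bytes read from `/proc/<pid>/environ` of each running daemon, which requires root.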
