From: Cabezon Aurélien (aurelien.cabezonisecurelabs.com)
Date: Mon Oct 22 2001 - 08:35:37 CDT

    --[ Webmin 0.88 temporary insecure file creation ]--

    Discovered by aurelien.cabezoniSecureLabs.com & Brain Override
    christophe.casalegnodigital-network.org
    http://www.isecurelabs.com/article.php?sid=148

    Affected versions: v0.80, v0.88
    Tested and approved on Mandrake 7.2 & Linux Redhat 6.2

    --[ Overview ]--

    Webmin is a web-based administration tool for Linux operating systems,
    run by root.
    It suffers from an insecure temporary file creation vulnerability that can
    lead to local root compromise.

    --[ description ]--

    Webmin creates insecure temporary files in /tmp; those files are -rwxrwxrwx
    (777) and owned by root.
    Anyone can modify such a file while the system commands written in the
    temp file are being executed, and add a command that will be executed by
    root.
    This is a way to gain root privileges, to create files, modify files ...
    Example: add cp /bin/sh /tmp/.backdoor at the end of the file and it will be
    executed, giving you a root shell in /tmp

    --[ Fix ]--

    The problem is located in the script run.cgi, which creates the temporary
    file and gives it bad permissions.
    ------
    $temp = &tempname();
    open(TEMP,">$temp");
    ...blablabla...
    chmod(0777, $temp);
    ------

    To fix, change the line chmod(0777, $temp);
    to chmod(0700, $temp);

    Jamie Cameron (Webmin coder) has been contacted.

    --[ Information ]--
    http://www.webmin.com/webmin/
    http://www.isecurelabs.com/article.php?sid=148

    EOF
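
Added example (not part of the original advisory and not Webmin's code): the fix above changes the mode to 0700 after the file has been opened, while this Perl sketch creates the file with mode 0700 in the same call, with O_EXCL so an already existing name is refused, and compares the result with the 0777 pattern. The helper names create_private_script and is_tamperable and the scratch directory standing in for /tmp are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Webmin's code. Helper names are hypothetical.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);    # O_* open flags and S_I* permission bits
use File::Temp qw(tempdir);

# Create $path atomically with mode 0700 and write the commands into it.
# O_EXCL makes sysopen fail if the name already exists, symlinks included.
sub create_private_script {
    my ($path, @commands) = @_;
    my $old_umask = umask(0077);    # no group/other bits can leak in
    my $ok  = sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0700);
    my $err = $!;
    umask($old_umask);
    die "cannot create $path: $err\n" unless $ok;
    print {$fh} join("\n", '#!/bin/sh', @commands), "\n";
    close($fh) or die "close $path: $!\n";
    return $path;
}

# True if anyone other than the owner may write to the file.
sub is_tamperable {
    my ($path) = @_;
    my @st = lstat($path) or die "lstat $path: $!\n";
    return ($st[2] & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

# Constructed demo in a private scratch directory (stands in for /tmp).
my $dir = tempdir(CLEANUP => 1);

# The pattern described in the advisory: create the file, then chmod 0777.
my $weak = "$dir/weak.sh";
open(my $t, '>', $weak) or die "open $weak: $!\n";
print {$t} "#!/bin/sh\nid\n";
close($t) or die "close $weak: $!\n";
chmod(0777, $weak) or die "chmod $weak: $!\n";

# The hardened form: private from the moment the file exists.
my $safe = create_private_script("$dir/safe.sh", 'id');

for my $file ($weak, $safe) {
    printf "%s mode=%04o tamperable=%d\n",
        $file, (stat $file)[2] & 07777, is_tamperable($file);
}
```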