AOH :: HP Unsorted V :: BT-21294.HTM

Virtualmin Multiple Vulnerabilities
Virtualmin Multiple Vulnerabilities
Virtualmin Multiple Vulnerabilities

Virtualmin Multiple Vulnerabilities

by Filip Palian;%3C/script%3E

#3 Anonymous proxy
The attacker is able to use "Preview Website" featrue to hide hers real
location and conduct attacks on different servers in the Internet.


#4 Information disclousure
It's possible to view and/or copy any file on the server due to system()
in mysql module, which copies any file specified by the user
to Virtualmin temporary dir. Note it's a time based attack as the copied
is almost immediately removed after creation.

#5 Information disclousure
It's possible to view any file on the server because Virtualmin doesn't drop
root privileges to perform some of its actions.

Use the "Execute SQL" feature in the mysql module by passing
"/etc/master.passwd" parameter as the file path to the .sql file:

-- cut --
Output from SQL commands in file /etc/master.passwd ..
ERROR 1064 (42000) at line 3: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near 'root:$1$HASH_HERE.:0:0::0:0:Charlie
&:/root:/usr/local/bin/' at line 1
-- cut --

#6 Symlink attacks
There are Virtualmin modules which allows the attacker to conduct a
successful symlink attack, which may lead to a full compromise of the

Example for "Backup Virtual Servers":
1) Regular user creates backupdir and symlink:
  $ mkdir virtualmin-backup && ln -s /etc/master.passwd
  $ ls -la /etc/master.passwd
  -rw-------  1 root  wheel  1024 Jan 19 23:08 /etc/master.passwd

2) From the panel regular user creates backup:
  "Backup and Restore" -> "Backup Virtual Servers" and "Destination and

set options to:

  Backup destination [x] File or directory under virtualmin-backup/ - "test"
  Backup format     [x] Single archive file

and create backup by submitting "Backup Now".

3) Regular user now owns the symlinked file:
  $ ls -la /etc/master.passwd
  -rw-------  1 user  user  1024 Jan 21 00:51 /etc/master.passwd

The vendor has provided updates and solutions to all vulnerabilities
described above. Upgrading immediately is strongly recommended for all
Virtualmin users.

Disclosure timeline:
21 VI 2009: Detailed information with examples and PoCs sent to the vendor.
24 VI 2009: Initial vendor response.
25 VI 2009: Few more vulnerabilities with examples and PoCs sent to the
26 VI 2009: Hot fix for the mysql module released by the vendor.
05 VII 2009: New version of the Virtualmin with fixes released by the
14 VII 2009: Security bulletin released.


Best regards,
Filip Palian

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to