SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Usermin Vendors:  Cameron, Jamie
Usermin Input Validation Flaw in 'miniserv.pl' May Let Remote Users Gain User or Root Access
SecurityTracker Alert ID:  1006161
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 24 2003
Impact:  User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  Secure Net Service (LAC)
Version(s): 0.990
Description:  A session ID spoofing vulnerability was reported in Usermin in the miniserv.pl component script. A remote user may be able to gain user or root level access on the system.

Secure Net Service issued a security advisory warning that miniserv.pl does not properly filter user-supplied input during the BASIC authentication process. A remote user can inject meta-characters into a Base64-encoded BASIC authentication string to authenticate as a valid user and spoof a valid session ID. The remote user may be able to execute arbitrary commands on the server with user privileges (potentially including root privileges, depending on the user).

"Enable password timeouts" must be set in Usermin for this exploit to be successful.
Impact:  A remote user may be able to gain user access and then execute commands with user or root level privileges to gain access to the system.
Solution:  The vendor has released a fixed version (1.000), available at:

http://www.webmin.com/index6.html
Vendor URL:  www.webmin.com/index6.html (Links to External Site)
Cause:  Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "snsadv@lac.co.jp" <snsadv@lac.co.jp>
Message History:   None.

 Source Message Contents
Date:  Mon, 24 Feb 2003 14:30:34 +0900
From:  "snsadv@lac.co.jp" <snsadv@lac.co.jp>
Subject:  [SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"

 

----------------------------------------------------------------------
SNS Advisory No.62
Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"

Problem first discovered on: Wed, 19 Feb 2003
Published on: Mon, 24 Feb 2003 
Previous Issue: http://www.lac.co.jp/security/english/snsadv_e/53_e.html
----------------------------------------------------------------------

Overview:
--------
  A vulnerability that could result in a session ID spoofing exists in 
  miniserv.pl, which is a webserver program that gets both Webmin and 
  Usermin to run.

Problem Description:
-------------------
  Webmin is a web-based system administration tool for Unix. Usermin
  is a web interface that allows all users on a Unix system to easily 
  receive mails and to perform SSH and mail forwarding configuration.

  Miniserv.pl is a webserver program that gets both Webmin and Usermin 
  to run.  Miniserv.pl carries out named pipe communication between the 
  parent and the child process during for example, the creation and 
  confirmation of a session ID (session used for access control via the 
  Web) and during the password timeout process. 

  Miniserv.pl does not check whether metacharacters, such as line feed 
  or carriage return, are included with BASE64 encoded strings during 
  the BASIC authentication process.  As a result, any user can login as 
  an administrative user "admin" and spoof a session ID by using the pipe. 

  Exploitation therefore, could make it possible for attackers to bypass 
  authentication and execute arbitrary command as root.

  [Preconditions for the exploit]
      Webmin:
         * Webmin -> Configuration -> Authentication and "Enable password
           timeouts" is ON
         * a valid Webmin username is known

      Usermin:
         * "Enable password timeouts" is ON
         * a valid Webmin username is known
  
Tested Versions:
---------------
  Webmin Version: 1.060
  Usermin Version: 0.990 

Solution:
--------
  This problem can be eliminated by upgrading to Webmin version 1.070 
  and Usermin version 1.000 available at:

  http://www.webmin.com/ 

Discovered by:
-------------
  Keigo Yamazaki

Acknowledgements:
----------------
  Thanks to:
  Jamie Cameron

Disclaimer:
-----------
  The information contained in this advisory may be revised without prior 
  notice and is provided as it is.  Users shall take their own risk when 
  taking any actions following reading this advisory.  LAC Co., Ltd. shall 
  take no responsibility for any problems, loss or damage caused by, or by 
  the use of information provided here.

  This advisory can be found at the following URL:
  http://www.lac.co.jp/security/english/snsadv_e/62_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC