(SCO Issues Fix for OpenLinux) Re: Webmin Input Validation Flaw in 'miniserv.pl' May Let Remote Users Spoof Session IDs and Gain Root Access

SecurityTracker Alert ID: 1008228
SecurityTracker URL: http://securitytracker.com/id/1008228
CVE Reference: CVE-2003-0101
Date: Nov 18 2003
Impact: Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.060

Description:
A session ID spoofing vulnerability was reported in the miniserv.pl component script of Webmin. A remote user may be able to gain root access on the system.
Secure Net Service issued a security advisory warning that miniserv.pl does not properly filter user-supplied input during the BASIC authentication process. A remote user can inject meta-characters into a Base64-encoded BASIC authentication string to authenticate as an 'admin' user and spoof a valid session ID. The remote user may be able to execute arbitrary commands on the server with root privileges.
"Enable password timeouts" must be set in Webmin for this exploit to be successful.
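
The input handling whose absence the description identifies, as an added example in Python (not Webmin's code and not the vendor's patch): credentials are checked for control characters after Base64 decoding, and each field is encoded again before it is written to a line-based channel. The names `parse_basic_auth` and `frame_ipc_record` and the `verb user password` record layout are assumptions made for illustration.

```python
import base64
from urllib.parse import quote

class RejectedCredentials(ValueError):
    """The Authorization header must not be processed any further."""

def has_control_chars(text):
    # C0 controls (includes CR, LF, NUL) and DEL.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)

def parse_basic_auth(header_value):
    """Return (user, password); reject control characters after decoding."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise RejectedCredentials("not a Basic authorization header")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # malformed Base64 or invalid UTF-8
        raise RejectedCredentials("undecodable credentials") from exc
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise RejectedCredentials("missing user name or ':' separator")
    # The check must run on the decoded text: the encoded header holds only
    # Base64 characters whether or not the payload hides a CR or LF.
    if has_control_chars(user) or has_control_chars(password):
        raise RejectedCredentials("control character in credentials")
    return user, password

def frame_ipc_record(verb, user, password):
    """Second layer: build exactly one line for a line-based pipe protocol.
    The 'verb user password' layout is hypothetical; percent-encoding each
    field keeps spaces and line breaks from being read as delimiters."""
    return " ".join(quote(f, safe="") for f in (verb, user, password)) + "\n"

# Constructed sample headers (not captured traffic).
GOOD_HEADER = "Basic " + base64.b64encode(b"admin:s3cret pw").decode()
BAD_HEADER = "Basic " + base64.b64encode(b"admin\nextra line:pw").decode()

def is_accepted(header_value):
    try:
        parse_basic_auth(header_value)
        return True
    except RejectedCredentials:
        return False

if __name__ == "__main__":
    for name, hdr in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(name, "accepted" if is_accepted(hdr) else "rejected")
    print(repr(frame_ipc_record("verify", *parse_basic_auth(GOOD_HEADER))))
```

Rejecting at the parser stops the request early; encoding at the channel boundary means a field that slips past some other code path still cannot add a second record.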
Impact:
A remote user may be able to gain 'admin' access and then execute commands with root privileges to gain root access on the system.
Solution:
SCO has issued a fix for SCO OpenLinux.

OpenLinux 3.1.1 Server:
  Package Location: ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/RPMS
  Packages: 859d9998141394dc96f338087633814b webmin-0.89-12.i386.rpm
  Installation: rpm -Fvh webmin-0.89-12.i386.rpm
  Source Package Location: ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/SRPMS
  Source Packages: 81c76fa65b710248c8108ea17740d88d webmin-0.89-12.src.rpm

OpenLinux 3.1.1 Workstation:
  Package Location: ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/RPMS
  Packages: 2c9048c8c623a9268b5233766890ea1c webmin-0.89-12.i386.rpm
  Installation: rpm -Fvh webmin-0.89-12.i386.rpm
  Source Package Location: ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/SRPMS
  Source Packages: cda66a1795a1a3914041ae920a245381 webmin-0.89-12.src.rpm

Vendor URL: www.webmin.com/
Cause: Authentication error, Input validation error
Underlying OS: Linux (Caldera/SCO)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Mon, 17 Nov 2003 13:49:24 -0800 (PST)
Subject: [Full-Disclosure] OpenLinux: Webmin/Usermin Session ID Spoofing Vulnerability
To: announce@lists.caldera.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com security-alerts@linuxsecurity.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenLinux: Webmin/Usermin Session ID Spoofing Vulnerability
Advisory number: CSSA-2003-035.0
Issue date: 2003 November 17
Cross reference: sr882687 fz528142 erg712377 CAN-2003-0101
______________________________________________________________________________
1. Problem Description
Webmin is a web-based system administration tool for Unix. Usermin
is a web interface that allows all users on a Unix system to
easily receive mails and to perform SSH and mail forwarding
configuration.
Internal communication between the parent process and the child
process using named pipes occurs in these software packages during
creation or verification of a session ID, or during the setting
process of password timeouts. Because the control characters
contained in the data passed as authentication information are
not eliminated, it is possible to make Webmin and Usermin
acknowledge the combination of any user and session ID specified
by an attacker. If the attacker could log into Webmin by using this
problem, there is a possibility that arbitrary commands may be
executed with root privileges.
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2003-0101 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.
CAN-2003-0101 miniserv.pl in Webmin before 1.070 and Usermin before
1.000 does not properly handle metacharacters such as line feeds and
carriage returns (CRLF) in Base-64 encoded strings during Basic
authentication, which allows remote attackers to spoof a session ID
and gain root privileges.
2. Vulnerable Supported Versions
System                          Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server          prior to webmin-0.89-12.i386.rpm
OpenLinux 3.1.1 Workstation     prior to webmin-0.89-12.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/RPMS
4.2 Packages
859d9998141394dc96f338087633814b webmin-0.89-12.i386.rpm
4.3 Installation
rpm -Fvh webmin-0.89-12.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/SRPMS
4.5 Source Packages
81c76fa65b710248c8108ea17740d88d webmin-0.89-12.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/RPMS
5.2 Packages
2c9048c8c623a9268b5233766890ea1c webmin-0.89-12.i386.rpm
5.3 Installation
rpm -Fvh webmin-0.89-12.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/SRPMS
5.5 Source Packages
cda66a1795a1a3914041ae920a245381 webmin-0.89-12.src.rpm
6. References
Specific references for this advisory:
http://www.lac.co.jp/security/english/snsadv_e/53_e.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0101
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr882687 fz528142 erg712377.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
8. Acknowledgements
SCO would like to thank Keigo Yamazaki and Jamie Cameron for
reporting this issue.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)
iD8DBQE/uT+LbluZssSXDTERAtbcAJ9uRJYy8bBK11z9OStcBEzGSh1wggCfXC+w
nARQfC+cEIpatb0lNeChuDA=
=BAVd
-----END PGP SIGNATURE-----