6553207 2001-05-26 16:55 -0400  /140 lines/ J. Nick Koston <nick@burst.net>
Sent by: joel@lysator.liu.se
Imported: 2001-05-28  21:16  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17173>
Subject: Webmin Doesn't Clean Env (root exploit)
------------------------------------------------------------
From: "J. Nick Koston" <nick@burst.net>
To: bugtraq@securityfocus.com
Message-ID: <20010526165535.B2704@burst.net>

Not sure if this is known, however I know I've seen quite a few people
still using webmin 0.84.

Webmin doesn't seem to clean the env properly when starting apache
(probably in other cases as well)

It leaves the var HTTP_AUTHORIZATION set.  All you need to do is run
it through a MIME base64 decode and you have the login and password to
webmin.  (it also leaves SERVER_PORT set so there should be no problem
figuring out where the webmin is)

You can best see the effects by:

1. Kill Apache
2. Start Apache with webmin
3. Go to a <?php phpinfo() ?> page and look at the vars

The good news is that webmin 0.85 doesn't seem to have this problem
because it doesn't use the same type of auth.  This only seems to
affect webmin 0.84 and earlier.


            Nick

<snip from phpinfo (some vars removed to protect the innocent)>

PHP Variables

Variable                                  Value
----------------------------------------  ------------------------------------------------
PHP_SELF                                  /test.php
HTTP_SERVER_VARS["DOCUMENT_ROOT"]         /usr/local/apache/htdocs
HTTP_SERVER_VARS["HTTP_ACCEPT"]           text/*, image/*, audio/*, application/*
HTTP_SERVER_VARS["HTTP_ACCEPT_ENCODING"]  gzip, compress, bzip, bzip2, deflate
HTTP_SERVER_VARS["HTTP_ACCEPT_LANGUAGE"]  en; q=1.0
HTTP_SERVER_VARS["HTTP_HOST"]             localhost
HTTP_SERVER_VARS["HTTP_USER_AGENT"]       w3m/0.2.1
HTTP_SERVER_VARS["PATH"]                  /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
HTTP_SERVER_VARS["REMOTE_ADDR"]           127.0.0.1
HTTP_SERVER_VARS["REMOTE_PORT"]           56523
HTTP_SERVER_VARS["SCRIPT_FILENAME"]       /usr/local/apache/htdocs/test.php
HTTP_SERVER_VARS["SERVER_ADDR"]           127.0.0.1
HTTP_SERVER_VARS["SERVER_PORT"]           80
HTTP_SERVER_VARS["SERVER_SOFTWARE"]       Apache/1.3.17 (Unix) PHP/4.0.4pl1
HTTP_SERVER_VARS["GATEWAY_INTERFACE"]     CGI/1.1
HTTP_SERVER_VARS["SERVER_PROTOCOL"]       HTTP/1.0
HTTP_SERVER_VARS["REQUEST_METHOD"]        GET
HTTP_SERVER_VARS["QUERY_STRING"]
HTTP_SERVER_VARS["REQUEST_URI"]           /test.php
HTTP_SERVER_VARS["PATH_TRANSLATED"]       /usr/local/apache/htdocs/test.php
HTTP_SERVER_VARS["PHP_SELF"]              /test.php
HTTP_SERVER_VARS["argv"]                  Array ( )
HTTP_SERVER_VARS["argc"]                  0
HTTP_ENV_VARS["SERVER_PORT"]              10000
HTTP_ENV_VARS["GATEWAY_INTERFACE"]        CGI/1.1
HTTP_ENV_VARS["PWD"]                      /root/webmin-0.84/apache/
HTTP_ENV_VARS["HTTP_USER_AGENT"]          Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; rv:0.9) Gecko/20010505
HTTP_ENV_VARS["PATH_INFO"]
HTTP_ENV_VARS["HTTP_REFERER"]             http://localhost:10000/apache/
HTTP_ENV_VARS["HTTP_HOST"]                localhost:10000
HTTP_ENV_VARS["HTTP_AUTHORIZATION"]       Basic YWRtaW46ZGF2ZQ==
HTTP_ENV_VARS["HTTP_CONNECTION"]          keep-alive
HTTP_ENV_VARS["WEBMIN_VAR"]               /var/webmin
HTTP_ENV_VARS["HTTP_ACCEPT_ENCODING"]     gzip,deflate,compress,identity
HTTP_ENV_VARS["SERVER_ROOT"]              /root/webmin-0.84

....
(6553207) /J. Nick Koston <nick@burst.net>/---------
6557828 2001-05-29 16:14 +0200  /39 lines/ Marcus Meissner <Marcus.Meissner@caldera.de>
Sent by: joel@lysator.liu.se
Imported: 2001-05-29  19:21  by Brevbäraren
External recipient: J. Nick Koston <nick@burst.net>
External copy recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17193>
Comment on text 6553207 by J. Nick Koston <nick@burst.net>
Subject: Re: Webmin Doesn't Clean Env (root exploit)
------------------------------------------------------------
From: Marcus Meissner <Marcus.Meissner@caldera.de>
To: "J. Nick Koston" <nick@burst.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20010529161406.A25789@caldera.de>

On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
> Not sure if this is known, however I know I've seen quite a few people
> still using webmin 0.84.
> 
> Webmin doesn't seem to clean the env properly when starting apache
> (probably in other cases as well)
> 
> It leaves the var HTTP_AUTHORIZATION set.  All you need to do is run
> it through a MIME base64 decode and you have the login and password to
> webmin.  (it also leaves SERVER_PORT set so there should be no problem
> figuring out where the webmin is)

This is also a problem with newer versions.

While it now uses a Cookie to save authorization information, this
cookie is passed to apache as an environment variable and could be
queried; the environment variable is:

	HTTP_COOKIE=sid=1054633991

If you have this session id, you can attach to a running webmin
session easily (for instance if the administrator forgot to log off
and just quit his browser or still has it open).

Ciao, Marcus
-- 
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__          Naegelsbachstr. 49c, 91052 Erlangen
   /_____//_/ /____/       Dipl. Inf. Marcus Meissner, email: mm@caldera.de
  ==== /_____/ ======    phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
   Caldera OpenLinux
(6557828) /Marcus Meissner <Marcus.Meissner@caldera.de>/(Reflowed)
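Both posts above describe the same class of flaw: a web front end (Webmin) forks a daemon (Apache) without clearing its own CGI environment, so whatever the browser sent, the Basic credentials in HTTP_AUTHORIZATION in 0.84 or the session id in HTTP_COOKIE in later versions, ends up readable from the child's environment. The following is an added example, not code from either poster or from the Webmin project. It parses a NUL-separated environment block of the kind found in /proc/<pid>/environ, decodes a Basic header the way the first post describes, reports both leaked variables, and shows the fix: launching the daemon with an allowlisted environment rather than the inherited one. The SAMPLE_ENVIRON blob is constructed for illustration from the phpinfo() dump above; the allowlist in scrubbed_env and the fallback PATH are assumptions.

```python
"""Detect credentials and session ids inherited through a daemon's
environment, and build a scrubbed environment for starting daemons.

Added example; not from the original Bugtraq posts or from Webmin.
"""
import base64
import binascii
import os
import subprocess

# Variables a CGI host must never pass to a process it spawns:
# HTTP_AUTHORIZATION carries Basic credentials (Webmin <= 0.84),
# HTTP_COOKIE carries the session id that replaced them later.
SENSITIVE_VARS = ("HTTP_AUTHORIZATION", "HTTP_COOKIE")

# Constructed sample, modelled on the phpinfo() dump in the first post.
SAMPLE_ENVIRON = (b"PATH=/bin:/usr/bin\0SERVER_PORT=10000\0"
                  b"HTTP_AUTHORIZATION=Basic YWRtaW46ZGF2ZQ==\0"
                  b"HTTP_COOKIE=sid=1054633991\0WEBMIN_VAR=/var/webmin\0")


def parse_environ(blob: bytes) -> dict:
    """Parse a NUL-separated environment block (format of /proc/<pid>/environ)."""
    env = {}
    for entry in blob.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:  # entries without '=' are malformed; skip them
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env


def decode_basic(header: str):
    """Return (user, password) from a 'Basic <base64>' value, else None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("latin-1").partition(":")
    return (user, password) if sep else None


def find_leaks(env: dict) -> dict:
    """Report sensitive variables present in env, decoding what can be decoded."""
    findings = {}
    if "HTTP_AUTHORIZATION" in env:
        creds = decode_basic(env["HTTP_AUTHORIZATION"])
        findings["HTTP_AUTHORIZATION"] = creds or env["HTTP_AUTHORIZATION"]
    if "HTTP_COOKIE" in env:
        findings["HTTP_COOKIE"] = env["HTTP_COOKIE"]
    if findings and "SERVER_PORT" in env:
        # As the first post notes, this tells you where the front end listens.
        findings["SERVER_PORT"] = env["SERVER_PORT"]
    return findings


def scan_proc(proc_root: str = "/proc") -> dict:
    """Scan every readable /proc/<pid>/environ; other users' processes need root."""
    results = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                leaks = find_leaks(parse_environ(fh.read()))
        except OSError:  # gone, or not ours to read
            continue
        if leaks:
            results[int(name)] = leaks
    return results


def scrubbed_env(parent_env: dict, keep=("PATH", "LANG", "TZ")) -> dict:
    """The fix: an allowlisted environment for the daemon, never the inherited block.
    The allowlist and the fallback PATH are assumptions for this example."""
    env = {k: parent_env[k] for k in keep if k in parent_env}
    env.setdefault("PATH", "/usr/sbin:/usr/bin:/sbin:/bin")
    return env


def start_daemon(argv, parent_env=None):
    """Launch argv (e.g. an apachectl command) with the scrubbed environment."""
    parent = dict(os.environ) if parent_env is None else parent_env
    return subprocess.Popen(argv, env=scrubbed_env(parent))


if __name__ == "__main__":
    print(find_leaks(parse_environ(SAMPLE_ENVIRON)))
    for pid, leaks in scan_proc().items():
        print(pid, leaks)
```

Run as root on the affected host, scan_proc() prints the Apache PIDs that still carry the Webmin variables; on the constructed sample it reports the session id and the decoded credentials (the header in the dump decodes to admin:dave). The same allowlist approach is what a front end should apply before every fork, not only when starting Apache, since the first post notes the leak is probably not limited to that case.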
6563944 2001-05-28 12:43 -0700  /38 lines/ Eugene Tsyrklevich <eugene@securityarchitects.com>
Sent by: joel@lysator.liu.se
Imported: 2001-05-31  01:04  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17210>
Comment on text 6553207 by J. Nick Koston <nick@burst.net>
Subject: Re: Webmin Doesn't Clean Env (root exploit)
------------------------------------------------------------
From: Eugene Tsyrklevich <eugene@securityarchitects.com>
To: bugtraq@securityfocus.com
Message-ID: <20010528124313.B11621@securityarchitects.com>

I have also found several security bugs in the older webmin releases
(< 0.82).  If you are still running an older version, you are
_strongly_ recommended to upgrade. Some of the bugs found included
execution of arbitrary commands and arbitrary directory
traversals. The bugs were fixed in webmin 0.82.

eugene


On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
> Not sure if this is known, however I know I've seen quite a few people
> still using webmin 0.84.
> 
> Webmin doesn't seem to clean the env properly when starting apache
> (probably in other cases as well)
> 
> It leaves the var HTTP_AUTHORIZATION set.  All you need to do is run
> it through a MIME base64 decode and you have the login and password to
> webmin.  (it also leaves SERVER_PORT set so there should be no problem
> figuring out where the webmin is)
> 
> You can best see the effects by:
> 
> 1. Kill Apache
> 2. Start Apache with webmin
> 3. Go to a <?php phpinfo() ?> page and look at the vars
> 
> The good news is that webmin 0.85 doesn't seem to have this problem
> because it doesn't use the same type of auth.  This only seems to
> affect webmin 0.84 and earlier.
> 
> 
>             Nick
(6563944) /Eugene Tsyrklevich <eugene@securityarchitects.com>/(Reflowed)