6553207 2001-05-26 16:55 -0400 /140 rader/ J. Nick Koston <nick@burst.net> Sänt av: joel@lysator.liu.se Importerad: 2001-05-28 21:16 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <17173> Ärende: Webmin Doesn't Clean Env (root exploit) ------------------------------------------------------------ From: "J. Nick Koston" <nick@burst.net> To: bugtraq@securityfocus.com Message-ID: <20010526165535.B2704@burst.net> Not sure if this is known, however I know I've seen quite a few people still using webmin 0.84. Webmin doesn't seem to clean the env properly when starting apache (probably in other cases as well) It leaves the var HTTP_AUTHORIZATION set. All you need to do is run it though a mime 64 decode and you have the login and password to webmin. (it also leaves SERVER_PORT set so there should be no problem figuring out where the webmin is) You can best see the effects by: 1. Kill Apache 2. Start Apache will webmin 3. Goto a <?php phpinfo() ?> page and look at the vars The good news is that webmin 0.85 doesn't seem to have this problem because if doesn't use the same type of auth. This only seems to affect webmin 0.84 and earlier. Nick <snip from phpinfo (some vars removed to protect the innocent)> PHP Variables Variable Value PHP_SELF /test.php HTTP_SERVER_VARS /usr/local/apache/htdocs ["DOCUMENT_ROOT"] HTTP_SERVER_VARS text/*, image/*, audio/*, application/* ["HTTP_ACCEPT"] HTTP_SERVER_VARS gzip, compress, bzip, bzip2, deflate ["HTTP_ACCEPT_ENCODING"] HTTP_SERVER_VARS en; q=1.0 ["HTTP_ACCEPT_LANGUAGE"] HTTP_SERVER_VARS localhost ["HTTP_HOST"] HTTP_SERVER_VARS w3m/0.2.1 ["HTTP_USER_AGENT"] HTTP_SERVER_VARS["PATH"] /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin HTTP_SERVER_VARS 127.0.0.1 ["REMOTE_ADDR"] HTTP_SERVER_VARS 56523 ["REMOTE_PORT"] HTTP_SERVER_VARS /usr/local/apache/htdocs/test.php ["SCRIPT_FILENAME"] HTTP_SERVER_VARS 127.0.0.1 ["SERVER_ADDR"] HTTP_SERVER_VARS 80 ["SERVER_PORT"] HTTP_SERVER_VARS Apache/1.3.17 (Unix) PHP/4.0.4pl1 ["SERVER_SOFTWARE"] HTTP_SERVER_VARS CGI/1.1 ["GATEWAY_INTERFACE"] HTTP_SERVER_VARS HTTP/1.0 ["SERVER_PROTOCOL"] HTTP_SERVER_VARS GET ["REQUEST_METHOD"] HTTP_SERVER_VARS ["QUERY_STRING"] HTTP_SERVER_VARS /test.php ["REQUEST_URI"] HTTP_SERVER_VARS /usr/local/apache/htdocs/test.php ["PATH_TRANSLATED"] HTTP_SERVER_VARS /test.php ["PHP_SELF"] HTTP_SERVER_VARS["argv"] Array ( ) HTTP_SERVER_VARS["argc"] 0 HTTP_ENV_VARS 10000 ["SERVER_PORT"] HTTP_ENV_VARS CGI/1.1 ["GATEWAY_INTERFACE"] HTTP_ENV_VARS["PWD"] /root/webmin-0.84/apache/ HTTP_ENV_VARS Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; ["HTTP_USER_AGENT"] rv:0.9) Gecko/20010505 HTTP_ENV_VARS["PATH_INFO"] HTTP_ENV_VARS http://localhost:10000/apache/ ["HTTP_REFERER"] HTTP_ENV_VARS["HTTP_HOST"] localhost:10000 HTTP_ENV_VARS Basic YWRtaW46ZGF2ZQ== ["HTTP_AUTHORIZATION"] HTTP_ENV_VARS keep-alive ["HTTP_CONNECTION"] HTTP_ENV_VARS["WEBMIN_VAR"] /var/webmin HTTP_ENV_VARS gzip,deflate,compress,identity ["HTTP_ACCEPT_ENCODING"] HTTP_ENV_VARS /root/webmin-0.84 ["SERVER_ROOT"] .... (6553207) /J. Nick Koston <nick@burst.net>/--------- 6557828 2001-05-29 16:14 +0200 /39 rader/ Marcus Meissner <Marcus.Meissner@caldera.de> Sänt av: joel@lysator.liu.se Importerad: 2001-05-29 19:21 av Brevbäraren Extern mottagare: J. Nick Koston <nick@burst.net> Extern kopiemottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <17193> Kommentar till text 6553207 av J. Nick Koston <nick@burst.net> Ärende: Re: Webmin Doesn't Clean Env (root exploit) ------------------------------------------------------------ From: Marcus Meissner <Marcus.Meissner@caldera.de> To: "J. Nick Koston" <nick@burst.net> Cc: bugtraq@securityfocus.com Message-ID: <20010529161406.A25789@caldera.de> On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote: > Not sure if this is known, however I know I've seen quite a few people > still using webmin 0.84. > > Webmin doesn't seem to clean the env properly when starting apache > (probably in other cases as well) > > It leaves the var HTTP_AUTHORIZATION set. All you need to do is run > it though a mime 64 decode and you have the login and password to > webmin. (it also leaves SERVER_PORT set so there should be no problem > figuring out where the webmin is) This is also a problem with newer versions. While it now uses a Cookie to save authorization information, this cookie is passed to apache as environment variable and could be queried, environment variable is: HTTP_COOKIE=sid=1054633991 If you have this session id, you can attach to a running webmin session easily (for instance if the administrator forgot to logoff and just quitted his browser or has it still open). Ciao, Marcus -- _____ ___ / __/____/ / Caldera (Deutschland) GmbH / /_/ __ / /__ Naegelsbachstr. 49c, 91052 Erlangen /_____//_/ /____/ Dipl. Inf. Marcus Meissner, email: mm@caldera.de ==== /_____/ ====== phone: ++49 9131 7912-300, fax: ++49 9131 7192-399 Caldera OpenLinux (6557828) /Marcus Meissner <Marcus.Meissner@caldera.de>/(Ombruten) 6563944 2001-05-28 12:43 -0700 /38 rader/ Eugene Tsyrklevich <eugene@securityarchitects.com> Sänt av: joel@lysator.liu.se Importerad: 2001-05-31 01:04 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <17210> Kommentar till text 6553207 av J. Nick Koston <nick@burst.net> Ärende: Re: Webmin Doesn't Clean Env (root exploit) ------------------------------------------------------------ From: Eugene Tsyrklevich <eugene@securityarchitects.com> To: bugtraq@securityfocus.com Message-ID: <20010528124313.B11621@securityarchitects.com> I have also found several security bugs in the older webmin releases (< 0.82). If you are still running an older version, you are _strongly_ recommended to upgrade. Some of the bugs found included execution of arbitrary commands and arbitrary directory traversals. The bugs were fixed in webmin 0.82. eugene On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote: > Not sure if this is known, however I know I've seen quite a few people > still using webmin 0.84. > > Webmin doesn't seem to clean the env properly when starting apache > (probably in other cases as well) > > It leaves the var HTTP_AUTHORIZATION set. All you need to do is run > it though a mime 64 decode and you have the login and password to > webmin. (it also leaves SERVER_PORT set so there should be no problem > figuring out where the webmin is) > > You can best see the effects by: > > 1. Kill Apache > 2. Start Apache will webmin > 3. Goto a <?php phpinfo() ?> page and look at the vars > > The good news is that webmin 0.85 doesn't seem to have this problem > because if doesn't use the same type of auth. This only seems to > affect webmin 0.84 and earlier. > > > Nick (6563944) /Eugene Tsyrklevich <eugene@securityarchitects.com>/(Ombruten)