------------------------------------------------------------------
SNS Advisory No.83
Webmin/Usermin PAM Authentication Bypass Vulnerability
Problem first discovered on: Sun, 04 Sep 2005
Published on: Tue, 20 Sep 2005
------------------------------------------------------------------
Severity Level:
---------------
High
Overview:
---------
A vulnerability that could result in a session ID spoofing exists in
miniserv.pl, which is a webserver program that gets both Webmin and
Usermin to run.
Problem Description:
--------------------
Webmin is a web-based system administration tool for Unix. Usermin
is a web interface that allows all users on a Unix system to easily
receive mails and to perform SSH and mail forwarding configuration.
Miniserv.pl is a webserver program that both Webmin and Usermin
to run. Miniserv.pl carries out named pipe communication between the
parent and the child process during the creation and Confirmation of
effectiveness of a session ID (session used for access control via
the Web).
Miniserv.pl does not check whether metacharacters, such as line feed
or carriage return, are included with user supplied strings during the
PAM(Pluggable Authentication Modules) authentication process.
Exploitation therefore, could make it possible for attackers to bypass
authentication and execute arbitrary command as root.
Tested Versions:
----------------
Webmin Version : 1.220
Usermin Version : 1.150
Solution:
---------
This problem can be eliminated by upgrading to Webmin version 1.230 and
to Usermin version 1.160, which are available at:
http://www.webmin.com/
Discovered by:
--------------
Keigo Yamazaki (LAC)
Thanks to:
----------
This SNS Advisory is being published in coordination with Information-technology
Promotion Agency, Japan (IPA) and JPCERT/CC.
http://jvn.jp/jp/JVN%2340940493/index.html
http://www.ipa.go.jp/security/vuln/documents/2005/JVN_40940493_webmin.ht
ml
Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as it is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd.
shall take no responsibility for any problems, loss or damage caused
by, or by the use of information provided here.
This advisory can be found at the following URL:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/83_e.html