Webmin/Usermin PAM Authentication Bypass Vulnerability

2005.09.22
Credit: Keigo Yamazaki (LAC)
Risk: High
Local: Yes
Remote: Yes
CVE: CVE-2005-3042
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

------------------------------------------------------------------ SNS Advisory No.83 Webmin/Usermin PAM Authentication Bypass Vulnerability Problem first discovered on: Sun, 04 Sep 2005 Published on: Tue, 20 Sep 2005 ------------------------------------------------------------------ Severity Level: --------------- High Overview: --------- A vulnerability that could result in a session ID spoofing exists in miniserv.pl, which is a webserver program that gets both Webmin and Usermin to run. Problem Description: -------------------- Webmin is a web-based system administration tool for Unix. Usermin is a web interface that allows all users on a Unix system to easily receive mails and to perform SSH and mail forwarding configuration. Miniserv.pl is a webserver program that both Webmin and Usermin to run. Miniserv.pl carries out named pipe communication between the parent and the child process during the creation and Confirmation of effectiveness of a session ID (session used for access control via the Web). Miniserv.pl does not check whether metacharacters, such as line feed or carriage return, are included with user supplied strings during the PAM(Pluggable Authentication Modules) authentication process. Exploitation therefore, could make it possible for attackers to bypass authentication and execute arbitrary command as root. Tested Versions: ---------------- Webmin Version : 1.220 Usermin Version : 1.150 Solution: --------- This problem can be eliminated by upgrading to Webmin version 1.230 and to Usermin version 1.160, which are available at: http://www.webmin.com/ Discovered by: -------------- Keigo Yamazaki (LAC) Thanks to: ---------- This SNS Advisory is being published in coordination with Information-technology Promotion Agency, Japan (IPA) and JPCERT/CC. http://jvn.jp/jp/JVN%2340940493/index.html http://www.ipa.go.jp/security/vuln/documents/2005/JVN_40940493_webmin.ht ml Disclaimer: ----------- The information contained in this advisory may be revised without prior notice and is provided as it is. Users shall take their own risk when taking any actions following reading this advisory. LAC Co., Ltd. shall take no responsibility for any problems, loss or damage caused by, or by the use of information provided here. This advisory can be found at the following URL: http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/83_e.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top