COMMAND
Webmin/Usermin Session ID Spoofing Vulnerability
SYSTEMS AFFECTED
Webmin Version: 0.960
Usermin Version: 0.90
PROBLEM
Keigo Yamazaki of LAC Co.,Ltd [http://www.lac.co.jp/] found:
Webmin is a web-based system administration tool for Unix. Usermin is a
web interface that allows all users on a Unix system to easily receive
mails and to perform SSH and mail forwarding configuration.
In these software packages, the parent process and the child process
communicate internally over named pipes when a session ID is created or
verified, and when password timeouts are set. Because control characters
contained in the data passed as authentication information are not
removed, it is possible to make Webmin and Usermin accept any
combination of user and session ID specified by an attacker. If the
attacker can log into Webmin by using this problem, arbitrary commands
may be executed with root privileges.
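
The flaw described above, as an added example that is not Webmin or Usermin code: a line-based pipe message built without filtering, beside a hardened version that rejects control characters. The record layout, the verb "timeout" and all function names are hypothetical, and the input is constructed.

```python
# Added illustration; the record layout is hypothetical, not Webmin's wire format.
import re

# Allow-list for one field: 1-64 printable ASCII characters, no spaces.
SAFE_FIELD = re.compile(r"[\x21-\x7e]{1,64}")


def frame_unsafe(verb, *fields):
    """The 'before': fields are joined into one line with no filtering."""
    return " ".join((verb,) + fields) + "\n"


def frame_safe(verb, *fields):
    """The 'after': refuse any field with whitespace or control bytes."""
    for field in fields:
        # fullmatch, not match with '$': '$' would accept a trailing newline.
        if not SAFE_FIELD.fullmatch(field):
            raise ValueError("illegal character in IPC field: %r" % field)
    return " ".join((verb,) + fields) + "\n"


def parse_records(stream):
    """Receiving side: one record per line, fields separated by spaces."""
    return [line.split(" ") for line in stream.split("\n") if line]


# Constructed input: one "username" value carrying an embedded newline.
CONSTRUCTED_USER = "alice\nextra record"


def demo():
    """Return what the receiver parses from the unsafe frame, and whether
    the hardened framer rejected the same input."""
    records = parse_records(frame_unsafe("timeout", CONSTRUCTED_USER))
    try:
        frame_safe("timeout", CONSTRUCTED_USER)
        rejected = False
    except ValueError:
        rejected = True
    return records, rejected


if __name__ == "__main__":
    records, rejected = demo()
    print("records parsed from unsafe frame:", records)
    print("hardened framing rejected input:", rejected)
```

The receiver sees two records where the sender intended one, which is why every field must be validated before it is written to the pipe.
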
[Preconditions for a successful exploit]
In the case of Webmin:
* "Enable password timeouts" is enabled under
  Webmin->Configuration->Authentication
* a valid Webmin username is known
  (by default, user "admin" exists and this user can use all the
  functions, including command shell)
In the case of Usermin:
* password timeout is enabled
* a valid Usermin username is known
SOLUTION
This problem can be eliminated by upgrading to Webmin version 0.970/
Usermin version 0.910, which are available at:
http://www.webmin.com/