6553207 2001-05-26 16:55 -0400 /140 rader/ J. Nick Koston <nick@burst.net>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-28 21:16 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17173>
Ärende: Webmin Doesn't Clean Env (root exploit)
------------------------------------------------------------
From: "J. Nick Koston" <nick@burst.net>
To: bugtraq@securityfocus.com
Message-ID: <20010526165535.B2704@burst.net>
Not sure if this is known, however I know I've seen quite a few people
still using webmin 0.84.
Webmin doesn't seem to clean the env properly when starting apache
(probably in other cases as well)
It leaves the var HTTP_AUTHORIZATION set. All you need to do is run
it though a mime 64 decode and you have the login and password to
webmin. (it also leaves SERVER_PORT set so there should be no problem
figuring out where the webmin is)
You can best see the effects by:
1. Kill Apache
2. Start Apache will webmin
3. Goto a <?php phpinfo() ?> page and look at the vars
The good news is that webmin 0.85 doesn't seem to have this problem
because if doesn't use the same type of auth. This only seems to
affect webmin 0.84 and earlier.
Nick
<snip from phpinfo (some vars removed to protect the innocent)>
PHP
Variables
Variable Value
PHP_SELF /test.php
HTTP_SERVER_VARS /usr/local/apache/htdocs
["DOCUMENT_ROOT"]
HTTP_SERVER_VARS text/*, image/*, audio/*, application/*
["HTTP_ACCEPT"]
HTTP_SERVER_VARS gzip, compress, bzip, bzip2, deflate
["HTTP_ACCEPT_ENCODING"]
HTTP_SERVER_VARS en; q=1.0
["HTTP_ACCEPT_LANGUAGE"]
HTTP_SERVER_VARS localhost
["HTTP_HOST"]
HTTP_SERVER_VARS w3m/0.2.1
["HTTP_USER_AGENT"]
HTTP_SERVER_VARS["PATH"]
/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
HTTP_SERVER_VARS 127.0.0.1
["REMOTE_ADDR"]
HTTP_SERVER_VARS 56523
["REMOTE_PORT"]
HTTP_SERVER_VARS /usr/local/apache/htdocs/test.php
["SCRIPT_FILENAME"]
HTTP_SERVER_VARS 127.0.0.1
["SERVER_ADDR"]
HTTP_SERVER_VARS 80
["SERVER_PORT"]
HTTP_SERVER_VARS Apache/1.3.17 (Unix) PHP/4.0.4pl1
["SERVER_SOFTWARE"]
HTTP_SERVER_VARS CGI/1.1
["GATEWAY_INTERFACE"]
HTTP_SERVER_VARS HTTP/1.0
["SERVER_PROTOCOL"]
HTTP_SERVER_VARS GET
["REQUEST_METHOD"]
HTTP_SERVER_VARS
["QUERY_STRING"]
HTTP_SERVER_VARS /test.php
["REQUEST_URI"]
HTTP_SERVER_VARS /usr/local/apache/htdocs/test.php
["PATH_TRANSLATED"]
HTTP_SERVER_VARS /test.php
["PHP_SELF"]
HTTP_SERVER_VARS["argv"] Array
(
)
HTTP_SERVER_VARS["argc"] 0
HTTP_ENV_VARS 10000
["SERVER_PORT"]
HTTP_ENV_VARS CGI/1.1
["GATEWAY_INTERFACE"]
HTTP_ENV_VARS["PWD"] /root/webmin-0.84/apache/
HTTP_ENV_VARS Mozilla/5.0 (X11; U; Linux 2.4.2 i686;
en-US;
["HTTP_USER_AGENT"] rv:0.9) Gecko/20010505
HTTP_ENV_VARS["PATH_INFO"]
HTTP_ENV_VARS http://localhost:10000/apache/
["HTTP_REFERER"]
HTTP_ENV_VARS["HTTP_HOST"] localhost:10000
HTTP_ENV_VARS Basic YWRtaW46ZGF2ZQ==
["HTTP_AUTHORIZATION"]
HTTP_ENV_VARS keep-alive
["HTTP_CONNECTION"]
HTTP_ENV_VARS["WEBMIN_VAR"] /var/webmin
HTTP_ENV_VARS gzip,deflate,compress,identity
["HTTP_ACCEPT_ENCODING"]
HTTP_ENV_VARS /root/webmin-0.84
["SERVER_ROOT"]
....
(6553207) /J. Nick Koston <nick@burst.net>/---------
6557828 2001-05-29 16:14 +0200 /39 rader/ Marcus Meissner <Marcus.Meissner@caldera.de>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-29 19:21 av Brevbäraren
Extern mottagare: J. Nick Koston <nick@burst.net>
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17193>
Kommentar till text 6553207 av J. Nick Koston <nick@burst.net>
Ärende: Re: Webmin Doesn't Clean Env (root exploit)
------------------------------------------------------------
From: Marcus Meissner <Marcus.Meissner@caldera.de>
To: "J. Nick Koston" <nick@burst.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20010529161406.A25789@caldera.de>
On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
> Not sure if this is known, however I know I've seen quite a few people
> still using webmin 0.84.
>
> Webmin doesn't seem to clean the env properly when starting apache
> (probably in other cases as well)
>
> It leaves the var HTTP_AUTHORIZATION set. All you need to do is run
> it though a mime 64 decode and you have the login and password to
> webmin. (it also leaves SERVER_PORT set so there should be no problem
> figuring out where the webmin is)
This is also a problem with newer versions.
While it now uses a Cookie to save authorization information, this
cookie is passed to apache as environment variable and could be
queried, environment variable is:
HTTP_COOKIE=sid=1054633991
If you have this session id, you can attach to a running webmin
session easily (for instance if the administrator forgot to logoff
and just quitted his browser or has it still open).
Ciao, Marcus
--
_____ ___
/ __/____/ / Caldera (Deutschland) GmbH
/ /_/ __ / /__ Naegelsbachstr. 49c, 91052 Erlangen
/_____//_/ /____/ Dipl. Inf. Marcus Meissner, email: mm@caldera.de
==== /_____/ ====== phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
Caldera OpenLinux
(6557828) /Marcus Meissner <Marcus.Meissner@caldera.de>/(Ombruten)
6563944 2001-05-28 12:43 -0700 /38 rader/ Eugene Tsyrklevich <eugene@securityarchitects.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-31 01:04 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17210>
Kommentar till text 6553207 av J. Nick Koston <nick@burst.net>
Ärende: Re: Webmin Doesn't Clean Env (root exploit)
------------------------------------------------------------
From: Eugene Tsyrklevich <eugene@securityarchitects.com>
To: bugtraq@securityfocus.com
Message-ID: <20010528124313.B11621@securityarchitects.com>
I have also found several security bugs in the older webmin releases
(< 0.82). If you are still running an older version, you are
_strongly_ recommended to upgrade. Some of the bugs found included
execution of arbitrary commands and arbitrary directory
traversals. The bugs were fixed in webmin 0.82.
eugene
On Sat, May 26, 2001 at 04:55:35PM -0400, J. Nick Koston wrote:
> Not sure if this is known, however I know I've seen quite a few people
> still using webmin 0.84.
>
> Webmin doesn't seem to clean the env properly when starting apache
> (probably in other cases as well)
>
> It leaves the var HTTP_AUTHORIZATION set. All you need to do is run
> it though a mime 64 decode and you have the login and password to
> webmin. (it also leaves SERVER_PORT set so there should be no problem
> figuring out where the webmin is)
>
> You can best see the effects by:
>
> 1. Kill Apache
> 2. Start Apache will webmin
> 3. Goto a <?php phpinfo() ?> page and look at the vars
>
> The good news is that webmin 0.85 doesn't seem to have this problem
> because if doesn't use the same type of auth. This only seems to
> affect webmin 0.84 and earlier.
>
>
> Nick
(6563944) /Eugene Tsyrklevich <eugene@securityarchitects.com>/(Ombruten)