[SNS Advisory No.53] Webmin/Usermin Session ID Spoofing Vulnerability

From:	 "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To:	 bugtraq@securityfocus.com
Subject: [SNS Advisory No.53] Webmin/Usermin Session ID Spoofing Vulnerability
Date:	 Wed, 08 May 2002 14:20:32 +0900

----------------------------------------------------------------------
SNS Advisory No.53
Webmin/Usermin Session ID Spoofing Vulnerability

Problem first discovered: Sat, 4 May 2002
Published: Tue, 7 May 2002
----------------------------------------------------------------------

Overview:
---------
  A vulnerability lies in the communication between the parent process 
  and the child process of Webmin and Usermin, which could allow an 
  attacker to spoof a session ID as any user already logged in.  This 
  results in the possibility for users who are not logged in, to be able
  to use these software tools.

Description:
------------
  Webmin is a web-based system administration tool for Unix.  Usermin 
  is a web interface that allows all users on a Unix system to easily 
  receive mails and to perform SSH and mail forwarding configuration.
  
  Internal communication between the parent process and the child process
  using named pipes occur in these software packages during creation or 
  verification of a session ID, or during the setting process of password
  timeouts.  Because the control characters contained in the data passed 
  as authentication information are not eliminated, it is possible to make 
  Webmin and Usermin to acknowledge the combination of any user and session 
  ID specified by an attacker. If the attacker could log into Webmin by 
  using this problem, there is a possibility that arbitrary commands may be 
  executed with root privileges.

  [Preconditions for a successful exploit]

  In the case of Webmin :

  * Webmin->Configuration->Authentication
    "Enable password timeouts" is enabled
  * if a valid Webmin username is known
    by default, user "admin" exists and this user can use all the 
    functions, including command shell

  In the case of Usermin:

  * if password timeout is enabled
  * if a valid Usermin username is known

Tested Versions:
----------------
  Webmin Version: 0.960
  Usermin Version: 0.90

Solution:
---------
  This problem can be eliminated by upgrading to Webmin version 0.970/ 
  Usermin version 0.910, which are available at:

  http://www.webmin.com/

Discovered by:
--------------
  Keigo Yamazaki

Disclaimer:
-----------
  All information in these advisories are subject to change without any 
  advanced notices neither mutual consensus, and each of them is released 
  as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences 
  caused by applying those information.