
OpenLinux: Webmin/Usermin Session ID Spoofing Vulnerability



To: announce@xxxxxxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx 
full-disclosure@xxxxxxxxxxxxxxxx security-alerts@xxxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenLinux: Webmin/Usermin Session ID Spoofing
                        Vulnerability
Advisory number:        CSSA-2003-035.0
Issue date:             2003 November 17
Cross reference:        sr882687 fz528142 erg712377 CAN-2003-0101
______________________________________________________________________________


1. Problem Description

        Webmin is a web-based system administration tool for Unix. Usermin
        is a web interface that allows all users on a Unix system to
        easily receive mail and to configure SSH and mail forwarding.

        In these packages, the parent process and the child process
        communicate internally over named pipes when a session ID is
        created or verified, and when password timeouts are set. Because
        control characters contained in the data passed as authentication
        information are not removed, an attacker can make Webmin and
        Usermin accept any combination of user and session ID that the
        attacker specifies. If the attacker can log into Webmin by
        exploiting this problem, arbitrary commands may be executed with
        root privileges.

        The Common Vulnerabilities and Exposures (CVE) project has
        assigned the name CAN-2003-0101 to this issue. This is a
        candidate for inclusion in the CVE list (http://cve.mitre.org),
        which standardizes names for security problems.

        CAN-2003-0101 miniserv.pl in Webmin before 1.070 and Usermin before 
        1.000 does not properly handle metacharacters such as line feeds and 
        carriage returns (CRLF) in Base-64 encoded strings during Basic 
        authentication, which allows remote attackers to spoof a session ID 
        and gain root privileges.
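
        Added example, not part of the SCO advisory and not Webmin's own
        code: Python that decodes a Basic authentication header and rejects
        control characters before the values reach a line-oriented pipe.
        The record format, the CHECK verb, the sample input and all
        function names are assumptions made for illustration.

```python
from __future__ import annotations
import base64

class BadCredentials(ValueError):
    """Credentials that must not be forwarded to the child process."""

def has_control(s: str) -> bool:
    # C0 control characters (CR, LF, NUL, TAB, ...) and DEL.
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)

def parse_basic_auth(header: str) -> tuple[str, str]:
    """Decode 'Basic <base64>' and reject control characters in the result."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        raise BadCredentials("not a Basic authorization header")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # malformed Base64 or invalid UTF-8
        raise BadCredentials("undecodable credentials") from exc
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise BadCredentials("missing user or password")
    if has_control(user) or has_control(password):
        raise BadCredentials("control character in credentials")
    return user, password

def unchecked_frame(verb: str, *fields: str) -> bytes:
    """Weak form: fields are copied into the record exactly as they arrive."""
    return (" ".join((verb, *fields)) + "\n").encode("utf-8")

def frame_record(verb: str, *fields: str) -> bytes:
    """Hardened form: refuse any field that could alter record framing."""
    for field in fields:
        if not field or " " in field or has_control(field):
            raise BadCredentials("field would break record framing")
    return unchecked_frame(verb, *fields)

def records_seen_by_reader(wire: bytes) -> int:
    """Number of records a line-oriented reader would parse from the pipe."""
    return len(wire.splitlines())

# Constructed sample value (hypothetical, not taken from the advisory):
# a decoded user name that carries an embedded line feed.
SAMPLE_USER = "alice\nEXTRA record"

if __name__ == "__main__":
    # One logical message becomes two records when the field is not checked.
    print(records_seen_by_reader(unchecked_frame("CHECK", SAMPLE_USER)))
```

        Validating once at the decoding step and again at the framing step
        keeps a later code path from reintroducing the problem.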


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Server          prior to webmin-0.89-12.i386.rpm
        OpenLinux 3.1.1 Workstation     prior to webmin-0.89-12.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        
        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/RPMS

        4.2 Packages

        859d9998141394dc96f338087633814b        webmin-0.89-12.i386.rpm

        4.3 Installation

        rpm -Fvh webmin-0.89-12.i386.rpm

        4.4 Source Package Location

        
        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-035.0/SRPMS

        4.5 Source Packages

        81c76fa65b710248c8108ea17740d88d        webmin-0.89-12.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        
        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/RPMS

        5.2 Packages

        2c9048c8c623a9268b5233766890ea1c        webmin-0.89-12.i386.rpm

        5.3 Installation

        rpm -Fvh webmin-0.89-12.i386.rpm

        5.4 Source Package Location

        
        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-035.0/SRPMS

        5.5 Source Packages

        cda66a1795a1a3914041ae920a245381        webmin-0.89-12.src.rpm


6. References

        Specific references for this advisory:
                http://www.lac.co.jp/security/english/snsadv_e/53_e.html
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0101


        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr882687 fz528142 erg712377.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


8. Acknowledgements

        SCO would like to thank Keigo Yamazaki and Jamie Cameron for    
        reporting this issue.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/uT+LbluZssSXDTERAtbcAJ9uRJYy8bBK11z9OStcBEzGSh1wggCfXC+w
nARQfC+cEIpatb0lNeChuDA=
=BAVd
-----END PGP SIGNATURE-----