Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 106705 - app-admin/{usermin|webmin}: PAM Authentication Bypass Vulnerability and possible code execution
Summary: app-admin/{usermin|webmin}: PAM Authentication Bypass Vulnerability and possi...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/16858/
Whiteboard: C1? [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-20 11:19 UTC by Jean-François Brunette (RETIRED)
Modified: 2019-11-30 22:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-09-20 11:19:08 UTC 
Description:
A vulnerability has been reported in Webmin and Usermin, which can be exploited
by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error in the authentication
process. This can be exploited to access Webmin or Usermin without providing a
valid username and password.

Successful exploitation requires that full PAM conversations has been enabled
via the Authentication page (not default setting).

The vulnerability has been reported in Webmin versions prior to 1.230 and
Usermin versions prior to 1.160.

Solution:
Usermin:
Update to version 1.160.
http://www.webmin.com/udownload.html

Webmin:
Update to version 1.230.
http://www.webmin.com/download.html
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-20 23:37:15 UTC 
Please advise and bump as necessary.  
  
I assume that "Support full PAM conversations" is not enabled as default. 
 
http://www.webmin.com/changes.html
Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev 2005-09-21 01:05:39 UTC 
We don't support pam in webmin because of bug #62123, so it is certainly off by
default.  I'll bump webmin/usermin in a few...
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-21 12:52:09 UTC 
Just posted to BugTraq seems to indicate that this is worse than first 
expected: 
 
Overview: 
--------- 
  A vulnerability that could result in a session ID spoofing exists in  
  miniserv.pl, which is a webserver program that gets both Webmin and  
  Usermin to run. 
 
 
Problem Description: 
-------------------- 
  Webmin is a web-based system administration tool for Unix. Usermin 
  is a web interface that allows all users on a Unix system to easily 
  receive mails and to perform SSH and mail forwarding configuration. 
 
  Miniserv.pl is a webserver program that  both Webmin and Usermin 
  to run. Miniserv.pl carries out named pipe communication between the  
  parent and the child process during the creation and Confirmation of  
  effectiveness of a session ID (session used for access control via  
  the Web). 
 
  Miniserv.pl does not check whether metacharacters, such as line feed  
  or carriage return, are included with user supplied strings during the  
  PAM(Pluggable Authentication Modules) authentication process. 
 
  Exploitation therefore, could make it possible for attackers to bypass 
  authentication and execute arbitrary command as root.
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2005-09-21 16:58:46 UTC 
alpha: mark both
hppa: mark both
mips: mark webmin
ppc: mark both
ppc64: mark both
s390: mark webmin
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-09-22 00:09:23 UTC 
stable on ppc64
Comment 6 Fernando J. Pereda (RETIRED) gentoo-dev 2005-09-22 07:19:05 UTC 
Both stable on alpha

Cheers,
Ferdy
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-22 11:01:58 UTC 
Stable on ppc and hppa
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-24 04:00:50 UTC 
GLSA 200509-17
mips should mark webmin ~ to benefit from GLSA