
Bug 106705

Summary: app-admin/{usermin|webmin}: PAM Authentication Bypass Vulnerability and possible code execution
Product: Gentoo Security Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: eradicator
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/16858/
Whiteboard: C1? [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-09-20 11:19:08 UTC
Description:
A vulnerability has been reported in Webmin and Usermin, which can be exploited
by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error in the authentication
process. This can be exploited to access Webmin or Usermin without providing a
valid username and password.

Successful exploitation requires that full PAM conversations have been enabled
via the Authentication page (not default setting).

The vulnerability has been reported in Webmin versions prior to 1.230 and
Usermin versions prior to 1.160.

Solution:
Usermin:
Update to version 1.160.
http://www.webmin.com/udownload.html

Webmin:
Update to version 1.230.
http://www.webmin.com/download.html
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-20 23:37:15 UTC
Please advise and bump as necessary.  
  
I assume that "Support full PAM conversations" is not enabled as default. 
 
http://www.webmin.com/changes.html  
Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev 2005-09-21 01:05:39 UTC
We don't support pam in webmin because of bug #62123, so it is certainly off by
default.  I'll bump webmin/usermin in a few...
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-21 12:52:09 UTC
Just posted to BugTraq seems to indicate that this is worse than first 
expected: 
 
Overview: 
--------- 
  A vulnerability that could result in a session ID spoofing exists in  
  miniserv.pl, which is a webserver program that gets both Webmin and  
  Usermin to run. 
 
 
Problem Description: 
-------------------- 
  Webmin is a web-based system administration tool for Unix. Usermin 
  is a web interface that allows all users on a Unix system to easily 
  receive mails and to perform SSH and mail forwarding configuration. 
 
  Miniserv.pl is a webserver program that gets both Webmin and Usermin 
  to run. Miniserv.pl carries out named pipe communication between the  
  parent and the child process during the creation and confirmation of  
  effectiveness of a session ID (session used for access control via  
  the Web). 
 
  Miniserv.pl does not check whether metacharacters, such as line feed  
  or carriage return, are included with user-supplied strings during the  
  PAM (Pluggable Authentication Modules) authentication process. 
 
  Exploitation, therefore, could make it possible for attackers to bypass 
  authentication and execute arbitrary commands as root. 
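
The framing problem described in the BugTraq text of Comment 3, as an added Python example (not code from miniserv.pl or from this bug report): a child process writes line-delimited messages to its parent, once without checking fields and once rejecting control characters. The message verbs, field layout and sample login are constructed for illustration.

```python
import re

# Hypothetical line-framed pipe protocol: "<verb> <field> ...\n", one message
# per line. The verbs and layout are assumptions, not miniserv.pl's format.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def frame_unchecked(verb, *fields):
    """Child side, flawed pattern: fields are written to the pipe as-is."""
    return (" ".join((verb,) + fields) + "\n").encode()


def frame_checked(verb, *fields):
    """Child side, hardened: refuse fields that could alter the framing."""
    for field in fields:
        if not field or " " in field or _CONTROL.search(field):
            raise ValueError("illegal character in field %r" % field)
    return frame_unchecked(verb, *fields)


def parent_read(data):
    """Parent side: every line on the pipe is treated as one message."""
    return [line.split(" ") for line in data.decode().split("\n") if line]


# Constructed sample: a login name with an embedded line feed.
CONSTRUCTED_LOGIN = "alice\ncreate SID-CONSTRUCTED root"


def compare(login):
    """Return (messages the parent sees unchecked, rejected by the check?)."""
    seen = parent_read(frame_unchecked("verify", login))
    try:
        frame_checked("verify", login)
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    print(compare(CONSTRUCTED_LOGIN))
    print(compare("alice"))
```

With the unchecked framing the parent parses two messages where the child meant to send one; the checked framing raises before anything reaches the pipe.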
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2005-09-21 16:58:46 UTC
alpha: mark both
hppa: mark both
mips: mark webmin
ppc: mark both
ppc64: mark both
s390: mark webmin

Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-09-22 00:09:23 UTC
stable on ppc64
Comment 6 Fernando J. Pereda (RETIRED) gentoo-dev 2005-09-22 07:19:05 UTC
Both stable on alpha

Cheers,
Ferdy
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-22 11:01:58 UTC
Stable on ppc and hppa
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-24 04:00:50 UTC
GLSA 200509-17
mips should mark webmin ~ to benefit from GLSA