Bug 118784 (CVE-2005-3042) - VUL-0: CVE-2005-3042: webmin remote code execution through PAM
Status: VERIFIED FIXED
Alias: CVE-2005-3042
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other All
: P5 - None : Major
Target Milestone: ---
Assignee: Ihno Krumreich
QA Contact: Security Team bot
Whiteboard: CVE-2005-3042: CVSS v2 Base Score: 7....
Reported: 2005-09-26 12:43 UTC by Thomas Biege
Modified: 2021-11-12 10:12 UTC
Found By: Other
Description Thomas Biege 2005-09-26 12:43:23 UTC
Hello Ihno,
are we affected by this?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200509-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Webmin, Usermin: Remote code execution through PAM
            authentication
      Date: September 24, 2005
      Bugs: #106705
        ID: 200509-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

If Webmin or Usermin is configured to use full PAM conversations, it is
vulnerable to the remote execution of arbitrary code with root
privileges.

Background
==========

Webmin and Usermin are web-based system administration consoles. Webmin
allows an administrator to easily configure servers and other features.
Usermin allows users to configure their own accounts, execute commands,
and read e-mails.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  app-admin/webmin        < 1.230                          >= 1.230
  2  app-admin/usermin       < 1.160                          >= 1.160
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Keigo Yamazaki discovered that the miniserv.pl webserver, used in both
Webmin and Usermin, does not properly validate authentication
credentials before sending them to the PAM (Pluggable Authentication
Modules) authentication process. The default configuration shipped with
Gentoo does not enable the "full PAM conversations" option and is
therefore unaffected by this flaw.

Impact
======

A remote attacker could bypass the authentication process and run any
command as the root user on the target server.

Workaround
==========

Do not enable "full PAM conversations" in the Authentication options of
Webmin and Usermin.

Resolution
==========

All Webmin users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/webmin-1.230"
...



From: snsadv <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com
Subject: [SNS Advisory No.83] Webmin/Usermin PAM Authentication Bypass Vulnerability
Envelope-To: tom@electric-sheep.org

------------------------------------------------------------------
SNS Advisory No.83
Webmin/Usermin PAM Authentication Bypass Vulnerability

Problem first discovered on: Sun, 04 Sep 2005
Published on: Tue, 20 Sep 2005
------------------------------------------------------------------

Severity Level:
---------------
  High


Overview:
---------
  A vulnerability that could result in a session ID spoofing exists in
  miniserv.pl, which is a webserver program that gets both Webmin and
  Usermin to run.


Problem Description:
--------------------
  Webmin is a web-based system administration tool for Unix. Usermin
  is a web interface that allows all users on a Unix system to easily
  receive mails and to perform SSH and mail forwarding configuration.

  Miniserv.pl is a webserver program that gets both Webmin and Usermin
  to run. Miniserv.pl carries out named pipe communication between the
  parent and the child process during the creation and confirmation of
  effectiveness of a session ID (session used for access control via
  the Web).

  Miniserv.pl does not check whether metacharacters, such as line feed
  or carriage return, are included with user supplied strings during the
  PAM (Pluggable Authentication Modules) authentication process.

  Exploitation, therefore, could make it possible for attackers to bypass
  authentication and execute arbitrary commands as root.


Tested Versions:
----------------
  Webmin Version  : 1.220
  Usermin Version : 1.150


Solution:
---------
  This problem can be eliminated by upgrading to Webmin version 1.230 and
  to Usermin version 1.160, which are available at:

  http://www.webmin.com/


Discovered by:
--------------
  Keigo Yamazaki (LAC)


Thanks to:
----------
  This SNS Advisory is being published in coordination with Information-technology
  Promotion Agency, Japan (IPA) and JPCERT/CC.

  http://jvn.jp/jp/JVN%2340940493/index.html
  http://www.ipa.go.jp/security/vuln/documents/2005/JVN_40940493_webmin.html


Disclaimer:
-----------
  The information contained in this advisory may be revised without prior
  notice and is provided as it is. Users shall take their own risk when
  taking any actions following reading this advisory. LAC Co., Ltd.
  shall take no responsibility for any problems, loss or damage caused
  by, or by the use of information provided here.

  This advisory can be found at the following URL:
  http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/83_e.html
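
The SNS advisory above attributes the flaw to unchecked line feed and carriage return characters in user-supplied strings passed over a line-oriented pipe between parent and child. The following is an added example, not code from the advisory or from miniserv.pl: the record format, function names and sample inputs are hypothetical and only model a "one message per line" channel, to show why the writer must reject control characters before framing.

```python
import re

# Hypothetical line-framed IPC: one record per line, "<verb> <value>\n".
# This is NOT miniserv.pl's real pipe format; it only models a channel
# where the reader treats every line as a separate message.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and all other C0 controls


def frame_unsafe(verb, value):
    """Writer without validation: the value is copied into the record as-is."""
    return f"{verb} {value}\n"


def frame_checked(verb, value):
    """Writer with validation: refuse values that could terminate the record."""
    if _CONTROL.search(value):
        raise ValueError("control character in user-supplied field")
    return f"{verb} {value}\n"


def read_records(stream):
    """Reader side: every non-empty line is parsed as one [verb, value] record."""
    return [line.split(" ", 1) for line in stream.split("\n") if line]


# Constructed sample inputs (not taken from any real request).
BENIGN = "alice"
EMBEDDED_LF = "alice\nextra record"


def demo():
    # Unvalidated: one user-supplied string is seen as two records by the reader.
    naive = read_records(frame_unsafe("login", EMBEDDED_LF))
    # Validated: the same string is rejected before it reaches the pipe.
    try:
        frame_checked("login", EMBEDDED_LF)
        rejected = False
    except ValueError:
        rejected = True
    # Validated benign input still produces exactly one record.
    ok = read_records(frame_checked("login", BENIGN))
    return naive, rejected, ok


if __name__ == "__main__":
    print(demo())
```
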
Comment 5 Ihno Krumreich 2005-10-11 14:14:55 UTC
Is there a CAN number for this?
Comment 6 Ihno Krumreich 2005-10-11 14:15:34 UTC
SwampID 2564 
Comment 7 Marcus Meissner 2005-10-11 14:36:18 UTC
CAN-2005-3042 
Comment 8 Marcus Meissner 2005-10-13 10:46:43 UTC
fix for 9.0 is missing?
Comment 9 Ihno Krumreich 2005-10-14 15:34:41 UTC
Coming.
Comment 10 Ihno Krumreich 2005-10-18 10:12:25 UTC
Submitted packages and patchinfos for 9.0 and 9.1
Comment 11 Thomas Biege 2005-10-18 10:38:19 UTC
reassign to sec-team
Comment 12 Thomas Biege 2005-10-18 10:38:59 UTC
and leave it open for tracking.
Comment 13 Michael Schröder 2005-10-18 17:35:46 UTC
Is 9.0-x86_64 not affected? It is missing from the patchinfo file...
Comment 14 Marcus Meissner 2005-10-19 09:26:13 UTC
same goes for 9.1-x86-64 in the already checked in one.

Ihno, you have to create box patchinfos with edit_patchinfo -b webmin

you apparently filled out everything by hand...
Comment 15 Michael Schröder 2005-10-20 15:17:30 UTC
9.1-x86_64 did not have webmin. But 9.0-x86_64. Ihno, please fix the patchinfo.
Comment 16 Marcus Meissner 2005-10-21 08:22:07 UTC
updates released. thanks!
Comment 17 Ihno Krumreich 2005-10-24 09:28:11 UTC
Then close the bug!
Comment 18 Thomas Biege 2009-10-13 21:37:10 UTC
CVE-2005-3042: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)