[gentoo-announce] [ GLSA 200509-17 ] Webmin, Usermin: Remote code execution through PAM authentication - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200509-17 ] Webmin, Usermin: Remote code execution through PAM authentication
Date:	Sat, 24 Sep 2005 11:01:18
Message-Id:	`43352F2E.5070603@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200509-17

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: High

8

     Title: Webmin, Usermin: Remote code execution through PAM

9

            authentication

10

      Date: September 24, 2005

11

      Bugs: #106705

12

        ID: 200509-17

13

14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

15

16

Synopsis

17

========

18

19

If Webmin or Usermin is configured to use full PAM conversations, it is

20

vulnerable to the remote execution of arbitrary code with root

21

privileges.

22

23

Background

24

==========

25

26

Webmin and Usermin are web-based system administration consoles. Webmin

27

allows an administrator to easily configure servers and other features.

28

Usermin allows users to configure their own accounts, execute commands,

29

and read e-mails.

30

31

Affected packages

32

=================

33

34

    -------------------------------------------------------------------

35

     Package            /  Vulnerable  /                    Unaffected

36

    -------------------------------------------------------------------

37

  1  app-admin/webmin        < 1.230                          >= 1.230

38

  2  app-admin/usermin       < 1.160                          >= 1.160

39

    -------------------------------------------------------------------

40

     2 affected packages on all of their supported architectures.

41

    -------------------------------------------------------------------

42

43

Description

44

===========

45

46

Keigo Yamazaki discovered that the miniserv.pl webserver, used in both

47

Webmin and Usermin, does not properly validate authentication

48

credentials before sending them to the PAM (Pluggable Authentication

49

Modules) authentication process. The default configuration shipped with

50

Gentoo does not enable the "full PAM conversations" option and is

51

therefore unaffected by this flaw.

52

53

Impact

54

======

55

56

A remote attacker could bypass the authentication process and run any

57

command as the root user on the target server.

58

59

Workaround

60

==========

61

62

Do not enable "full PAM conversations" in the Authentication options of

63

Webmin and Usermin.

64

65

Resolution

66

==========

67

68

All Webmin users should upgrade to the latest version:

69

70

    # emerge --sync

71

    # emerge --ask --oneshot --verbose ">=app-admin/webmin-1.230"

72

73

All Usermin users should upgrade to the latest version:

74

75

    # emerge --sync

76

    # emerge --ask --oneshot --verbose ">=app-admin/usermin-1.160"

77

78

References

79

==========

80

81

  [ 1 ] CAN-2005-3042

82

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3042

83

  [ 2 ] Original Advisory

84

85

http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/83_e.html

86

87

Availability

88

============

89

90

This GLSA and any updates to it are available for viewing at

91

the Gentoo Security Website:

92

93

  http://security.gentoo.org/glsa/glsa-200509-17.xml

94

95

Concerns?

96

=========

97

98

Security is a primary focus of Gentoo Linux and ensuring the

99

confidentiality and security of our users machines is of utmost

100

importance to us. Any security concerns should be addressed to

101

security@g.o or alternatively, you may file a bug at

102

http://bugs.gentoo.org.

103

104

License

105

=======

106

107

Copyright 2005 Gentoo Foundation, Inc; referenced text

108

belongs to its owner(s).

109

110

The contents of this document are licensed under the

111

Creative Commons - Attribution / Share Alike license.

112

113

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200509-17
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: Webmin, Usermin: Remote code execution through PAM
9	authentication
10	Date: September 24, 2005
11	Bugs: #106705
12	ID: 200509-17
13
14	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15
16	Synopsis
17	========
18
19	If Webmin or Usermin is configured to use full PAM conversations, it is
20	vulnerable to the remote execution of arbitrary code with root
21	privileges.
22
23	Background
24	==========
25
26	Webmin and Usermin are web-based system administration consoles. Webmin
27	allows an administrator to easily configure servers and other features.
28	Usermin allows users to configure their own accounts, execute commands,
29	and read e-mails.
30
31	Affected packages
32	=================
33
34	-------------------------------------------------------------------
35	Package / Vulnerable / Unaffected
36	-------------------------------------------------------------------
37	1 app-admin/webmin < 1.230 >= 1.230
38	2 app-admin/usermin < 1.160 >= 1.160
39	-------------------------------------------------------------------
40	2 affected packages on all of their supported architectures.
41	-------------------------------------------------------------------
42
43	Description
44	===========
45
46	Keigo Yamazaki discovered that the miniserv.pl webserver, used in both
47	Webmin and Usermin, does not properly validate authentication
48	credentials before sending them to the PAM (Pluggable Authentication
49	Modules) authentication process. The default configuration shipped with
50	Gentoo does not enable the "full PAM conversations" option and is
51	therefore unaffected by this flaw.
52
53	Impact
54	======
55
56	A remote attacker could bypass the authentication process and run any
57	command as the root user on the target server.
58
59	Workaround
60	==========
61
62	Do not enable "full PAM conversations" in the Authentication options of
63	Webmin and Usermin.
64
65	Resolution
66	==========
67
68	All Webmin users should upgrade to the latest version:
69
70	# emerge --sync
71	# emerge --ask --oneshot --verbose ">=app-admin/webmin-1.230"
72
73	All Usermin users should upgrade to the latest version:
74
75	# emerge --sync
76	# emerge --ask --oneshot --verbose ">=app-admin/usermin-1.160"
77
78	References
79	==========
80
81	[ 1 ] CAN-2005-3042
82	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3042
83	[ 2 ] Original Advisory
84
85	http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/83_e.html
86
87	Availability
88	============
89
90	This GLSA and any updates to it are available for viewing at
91	the Gentoo Security Website:
92
93	http://security.gentoo.org/glsa/glsa-200509-17.xml
94
95	Concerns?
96	=========
97
98	Security is a primary focus of Gentoo Linux and ensuring the
99	confidentiality and security of our users machines is of utmost
100	importance to us. Any security concerns should be addressed to
101	security@g.o or alternatively, you may file a bug at
102	http://bugs.gentoo.org.
103
104	License
105	=======
106
107	Copyright 2005 Gentoo Foundation, Inc; referenced text
108	belongs to its owner(s).
109
110	The contents of this document are licensed under the
111	Creative Commons - Attribution / Share Alike license.
112
113	http://creativecommons.org/licenses/by-sa/2.0