++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ ALERT! WEBMIN MAN MODULE GIVES ROOT ACCESS ALERT! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Hi Friends, GOBBLES here! Today GOBBLES would like to take a moment to say congradulations to Mr. Meritt James (meritt_james@bah.com) for winning his CISSP certification. GOBBLES ask you to please send Mr. Meritt James a congradulatory email wishing him well with his new certification and that he did a good job passing the 250 question multiple choice test and letting them know he have three years of experience in professional security industry (probably why he avid bugtraq poster of "i was able to reproduce error", "i was not able to reproduce error", "take a look at this paper someone else wrote", "this subject was discussed indepth on this list two weeks ago, why don't you search archives before asking questions?", etc). Anyhow Mr. Meritt James like to write to mailing lists a lot and let his little signature file on the email to show the world he have he CISSP and stuff and that he brilliant academic whitehat security professional for bah.com (hehehe, bah.com company must be very happy and secure feeling with such a brilliant man on staff ;). GOBBLES search in depth through mailing list archives and was unable to discover any research disclosed by him, so GOBBLES suspect that brilliant academic scientist hacker Meritt James is probably nondisclosure advocate. Anyhow GOBBLES say please send meritt_james@bah.com letter saying, "Hi Merrit_James, I see you can post to mailing lists to let world know you have CISSP from your signature, good luck and congradulations friend!" Maybe someday Mr. Meritt James will change hat color and begin disclosing brilliant research and own ideas to list someday if we ask him kindly enough, hehehe! GOBBLES is now dedicating this advisory to Mr. Meritt James and he CISSP so that forever the memory of Mr. Meritt James and he CISSP can live on in bugtraq.org archives. Good work, friend! GOBBLES proud of you! Anyhow make sure you mail friend Mr. Meritt James saying you proud! PRODUCT ******* Webmin v. 0.91 (latest) website: http://www.webmin.com/webmin/ DESCRIPTION *********** GOBBLES done stretches and know all ready to do he routine copy/paste from webpage to let penetrator reading know of mighty problem in product. Here goes: Introduction to Webmin (p1 of 2) [intro.gif] _________________________________________________________________ What is Webmin? Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can setup user accounts, Apache, DNS, file sharing and so on. Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no non-standard Perl modules. _________________________________________________________________ What licence is Webmin distributed under? Following the acquisition of Webmin by Caldera, all past and future versions of Webmin are available under the BSD licence. This means that on Linux and other platforms, Webmin may be freely distributed and modified for commercial and non-commercial use. Because Webmin supports the concept of modules (like PhotoShop plugins), anyone can develop and distribute their own Webmin modules for any purpose, and distribute them under any licence (such as GPL, commercial or shareware). More information about the Webmin API and writing your own modules is available. _________________________________________________________________ hehe, webmin very popular product, so it important it be fixed and things very soon... SECURITY HISTORY **************** 1. Environment variable problem May 29, 2001 http://www.caldera.com/support/security/advisories/CSSA-2001-019.1.txt 2. Insecure temp file creation http://www.cgisecurity.com/archive/admin/Webmin_0.88_local_root_comprimise.txt 3. Login brute force http://www.securityfocus.com/archive/1/9138 4. Some silly post from some .int guy http://archives.neohapsis.com/archives/bugtraq/2001-12/0176.html VERSIONS EFFECTED ***************** Tested most recent, so others are probably vulnerable, but that can be exercise for programmer Jamie Cameron (hehe, is that the Titantic guy from Hollywood a hacker too!?) to decide to find and publish affected versions. What does GOBBLES Labs look like, a charity organization? BACKGROUND ********** GOBBLES see this post on focus-linux http://archives.neohapsis.com/archives/sf/linux/2001-q4/0398.html and think, heh heh heh, if it advertised it must be popular, and that mean bugs in it lead to many system being penetrated, hehe. THE PROBLEM *********** GOBBLES notice that author of view_man.cgi didn't do input checking and commands can be executed using penetrator input. By default the server run as root, so all commands executed are as root. =) GOBBLES side note to authors: When giving users "shell module" access, the default should NOT be a root shell, silly fools. Hehe, you will learn, or at least GOBBLES hope you will learn! EXPLOIT DETAILS *************** GOBBLES say this can be exploited using any browser that support cookies. All he have to do is go to url like http://photon:10000/man/view_man.cgi?page=ipcs&sec=8&opts=&for=rm and s/ipcs/ipcs`advanced penetrator commands`/ and he penetrator has compromised secure box using GOBBLES technique! Simple enough even for commercial penetrators to perform without too much rehearsal at work. GREETS ****** dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, government boy, ralph lauren, kevin mitnick, david koresh, the violent femmes, legions of doom, quentin tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky, hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock, ray bradbury, linux torvalds, alyssa milano, sarah michelle geller, jennifer lopez, catherine zeta jones, robert de niro, plato, leonardo da vinci, nostradamus, adam weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo dolls, savage garden, george bush, john howard, tony blair, ashida kim, andrew tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi, deepak chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster, attrition.org, cliff stoll, bill gates, alan cox, george harrison, berkeley.edu, microsoft.com, isox, american mcgee, princess toadstool, ru paul, sharon stone, taeho oh, napster, nocarrier, steve wozniak, captian crunch, tony the tiger, julliette lewis, oliver twist, yakko, wakko, santa claus, the easter bunny, the christmas tree, hacktech.org, mixter and the rest of #darknet/2xs, the planet Pluto, pluto the dog, walt disney, the smurfs, packetstormsecurity.org, chocolate, caramel, marshmallows, rice crispies, rice crispie treats, cousin WOBBLES, rfp, Alan@packetstorm, george bush senior, george w. bush, his drunken daughters, gary coleman, fat albert, rhino9, eEye.com, the djali zwan, digital unix, o'reilly & associates, hwa-security.net, #malvu/efnet, donkey kong, diddy kong, p diddy, mr. peanut, all girls who pose naked on webcam for GOBBLES, mr goldilocks, checkpoint.com, whoever invented deoderant, monkey.org, bono, micheal stipes, clark kent, bruce banner, ssh.com (hehe you know what we talking about!), hacked.cisco.com, thomas edison, steven king, P80 Systems, gnutella (the one and only real napster), colin powell, and all our friends and family.