From: Ryan W. M. <ry...@gu...> - 2001-05-29 20:22:07
Joe,

This is how I fixed it. Here is a snippet from web-lib.pl. I have an
example usage in the comments:

----- SNIP -----
###
### Example Usage of clean_env() and restore_env()
###
### ### Clean and save the environment.
### my %ENV_RESTORE;
### %ENV_RESTORE = &clean_env();
###
### ### Restart the daemon.
### $out1 = `/etc/init.d/httpd restart 2>&1`;
###
### ### Restore the environment.
### &restore_env(%ENV_RESTORE);
###

################################################################################
# Name: clean_env()
# Purpose: Clear out all environmental variables and store copy in hash passed.
################################################################################
sub clean_env()
{
    my (%ENV_RESTORE);

    foreach my $k (keys %ENV) {
        $ENV_RESTORE{$k} = $ENV{$k};
        delete($ENV{$k});
    }

    return %ENV_RESTORE;
}

################################################################################
# Name: restore_env()
# Purpose: Restore the environment which was cleared with clean_env from
#          hash passed.
################################################################################
sub restore_env()
{
    my (%ENV_RESTORE) = @_;

    foreach my $k (keys %ENV_RESTORE) {
        $ENV{$k} = $ENV_RESTORE{$k};
    }
}
----- SNIP -----

I've been playing with this all day and it doesn't look like anything
really needs the extra variables. Even restarting something like sshd
through Webmin (or, in my case, the WebTool ;)) leaves the sid in
/proc/<pid>/environ. We're running the Openwall patch with restricted
/proc, but on systems that do not have it just about anybody can pull
that info out.

Comment on this code is welcome. I'm issuing an advisory sometime
today...

-r

+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
 Ryan W. Maple                               Guardian Digital, Inc.
 "Expanding exponentially, like some recursive virus."
                                                              -Phish
+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+

On Mon, 28 May 2001, Joe Cooper wrote:

> Just a thought...Any reason why Webmin can't create a new environment
> for every external process it spawns (like daemons, and such--anything
> out of its control)? Seems like some of the stuff that's in there
> shouldn't be (obviously this information fits the bill).
>
> It already has this feature for Custom Commands (if I understand things
> correctly). I recently looked into doing this for a wget
> module...because some things are harder to set on the command line than
> in the environment, doesn't seem that difficult. But then I'm no perl monk.
>
> Ryan W. Maple wrote:
>
> >>Not really - it doesn't happen in session authentication mode, which
> >>is the default in webmin 0.85. However, if you are still using the old
> >>traditional HTTP authentication then it will be a problem ..
> >>
> >
> > Actually, it _does_ happen in session auth (which is what the WebTool
> > uses). The "HTTP_COOKIE" env. var has "sid=xxxxxxxxx" in it. This is a
> > step in the right direction of the hijacking of a connection.
> >
> >
> >>Version 0.86 will be out really soon which will fix this properly
> >>in both modes.
> >>
> >
> > Thanks. I'll keep my eyes open and we can compare ways to fix it. I'm
> > probably going to have to issue an advisory to close this issue, so if you
> > want I'll send you a patch so you can see how I end up doing it...
> >
> >
> >>>Jamie, is this fixed in the latest version? I re-wrote the part of the
> >>>code that restarts apache but I am not cleaning the environment either,
> >>>making the WebTool susceptible to this bug too.
> >>>
> >
> --
> Joe Cooper <jo...@sw...>
> Affordable Web Caching Proxy Appliances
> http://www.swelltech.com
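
Added example, not part of the original message and not code from web-lib.pl or Webmin: a variant of the clean/restore idea above that uses Perl's local() on %ENV, so the parent's environment comes back even if the spawn dies, and that passes the child an allow-list instead of nothing. The helper names, the PATH-only allow-list and the cookie value are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the session cookie a CGI program receives.
$ENV{HTTP_COOKIE} = 'sid=CONSTRUCTED-EXAMPLE';

# Hypothetical helper: run @cmd without a shell and return its output lines.
sub run_cmd {
    my (@cmd) = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    chomp(my @out = <$fh>);
    close($fh) or warn "$cmd[0] exited with status $?\n";
    return @out;
}

# Hypothetical helper: as run_cmd(), but the child inherits only the
# variables named in @$keep (an allow-list chosen for this example).
sub run_cmd_clean {
    my ($keep, @cmd) = @_;
    my %kept = map { $_ => $ENV{$_} } grep { defined $ENV{$_} } @$keep;
    local %ENV = %kept;    # undone automatically when this sub returns or dies
    return run_cmd(@cmd);
}

# Probe child: prints the names of the environment variables it was given.
my @probe = ($^X, '-e', 'print "$_\n" for sort keys %ENV');

my %inherited = map { $_ => 1 } run_cmd(@probe);
my %scrubbed  = map { $_ => 1 } run_cmd_clean(['PATH'], @probe);

printf "plain spawn:    HTTP_COOKIE %s\n", $inherited{HTTP_COOKIE} ? 'present' : 'absent';
printf "scrubbed spawn: HTTP_COOKIE %s\n", $scrubbed{HTTP_COOKIE}  ? 'present' : 'absent';
printf "parent after:   HTTP_COOKIE %s\n", exists $ENV{HTTP_COOKIE} ? 'still set' : 'lost';
```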