The University of Texas information security office yesterday disclosed the details on a critical vulnerability in Webmin that was patched in May, days after it was reported.
The bug in the UNIX remote management tool provided remote root access to a host server. Authenticated users would then be able to delete files stored on the server.
Researcher John Gordon published a report yesterday on the UT ISO website explaining that the problem was discovered in the cron module’s new environment variable.
Gordon wrote that an attacker would have been able to use directory traversal and null byte injection techniques to force Webmin to delete any file stored on the system. Directory traversal attacks are particularly dangerous because they let an attacker operate on files outside the directory an application is meant to be confined to, reaching parts of the filesystem that should not be reachable online.
“The obvious impact that comes to mind is denial of service or data loss, deleting files critical to the operation of the server such as /etc/passwd,” Gordon said.
The vulnerability was reported on May 14 to Webmin, which released a patch on the same day to its GitHub page. On May 20, Webmin 1.690 was released and included the patch.
The vulnerability, Gordon said, likely cannot be turned into an attack granting someone remote shell access or code execution on a standard Linux server, but he noted some exceptions:
“In site-specific scenarios it may be possible to use this vulnerability to further compromise the server. For example, if a server uses Apache’s .htaccess files to control access to certain areas of a site, an attacker can now delete those .htaccess files and access those areas freely,” he said. “Another example is deleting stored iptables firewall rules so that the next time it was restarted the firewall rules would no longer be in effect.”
For an exploit of this vulnerability to work, Gordon said, an attacker would need valid Webmin credentials at any permission level, so long as that account can access the cron module.
“Webmin does referrer checks and denies most direct requests to pages unless they originated from another page on the same site, so we can’t just turn the attack into a simple link (GET request) that attackers or victims can click,” Gordon said. “It works as a POST request by keeping the referrer field intact and just changing the user field, but that requires a web proxy tool which adds slightly to the difficulty.”
The ability to delete files, Gordon said, is a side effect of how Webmin keeps track of which files are in use. When an environment variable is added for a user, the username becomes part of a file name, and Webmin creates a companion /path/to/filename.lock file to indicate that the file is in use, he said.
“Due to a lack of sanitization in the request, we’re able to modify our username to include ../../ characters to control which directory the file is in, and a null byte (%00) at the end to terminate the string,” Gordon said. “Webmin creates the .lock file, keeps track of it, and deletes the .lock file when it’s done. Our null byte keeps the ‘.lock’ part from being added, meaning Webmin is keeping track of the real filename, so when it’s time to clean up the .lock files, it deletes the legitimate file (e.g. ../../../../../etc/passwd).”
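The lock-file mechanism Gordon describes is easy to model. The following Python program is an added example written for this article; it is not Webmin code (Webmin is written in Perl) and does not reproduce its modules. It assumes a hypothetical layout in which per-user environment files live in an `env_dir` and are locked by creating `<name>.lock`, and it emulates the C-level behaviour that truncates a path at the first NUL byte. The flawed version shows why the `.lock` suffix never reaches the filesystem and the real file is removed during cleanup; the hardened version rejects the username up front and additionally checks that the resolved path stays inside `env_dir`. Everything runs against a throwaway temporary directory with a constructed stand-in for `/etc/passwd`.

```python
import os
import re
import tempfile


def c_truncate(path: str) -> str:
    """Emulate what a C-level filesystem call sees: the path ends at the first NUL byte."""
    nul = path.find("\0")
    return path if nul < 0 else path[:nul]


def lock_cycle_vulnerable(env_dir: str, username: str) -> str:
    """Model of the flawed flow (hypothetical, not Webmin's code): the username is
    spliced into a file name without any checks.

    The lock name is built as <env_dir>/<username>.lock, but when the username
    carries a NUL byte the OS only sees <env_dir>/<username-up-to-NUL>, so
    'creating the lock' overwrites the target and 'removing the lock' deletes it.
    Returns the path the OS actually operated on.
    """
    target = os.path.join(env_dir, username)
    lock_name = target + ".lock"          # what the application thinks it tracks
    seen_by_os = c_truncate(lock_name)    # what the filesystem really receives
    with open(seen_by_os, "w") as fh:     # "create the lock file"
        fh.write("locked\n")
    os.unlink(seen_by_os)                 # "clean up the lock file"
    return seen_by_os


# Allow-list for account names: one path component, no separators, no NUL, no leading dot.
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9._-]{0,31}")


def validate_username(username: str) -> bool:
    """Reject anything that is not a plain account name (traversal, NUL, separators)."""
    return "\0" not in username and USERNAME_RE.fullmatch(username) is not None


def contained_path(env_dir: str, username: str) -> str:
    """Resolve <env_dir>/<username> and refuse it unless it stays directly inside env_dir."""
    if not validate_username(username):
        raise ValueError(f"rejected username: {username!r}")
    base = os.path.realpath(env_dir)
    candidate = os.path.realpath(os.path.join(base, username))
    if os.path.dirname(candidate) != base:
        raise ValueError("path escapes the environment directory")
    return candidate


def lock_cycle_hardened(env_dir: str, username: str) -> str:
    """Same lock/unlock cycle, but only on a validated, contained path."""
    lock_name = contained_path(env_dir, username) + ".lock"
    with open(lock_name, "w") as fh:
        fh.write("locked\n")
    os.unlink(lock_name)
    return lock_name


def demo() -> dict:
    """Constructed scenario in a temp dir: a fake etc/passwd two levels above the env dir."""
    root = tempfile.mkdtemp(prefix="lockfile-demo-")
    env_dir = os.path.join(root, "webmin", "cron-env")
    os.makedirs(env_dir)
    os.makedirs(os.path.join(root, "etc"))
    victim = os.path.join(root, "etc", "passwd")

    def plant_victim() -> None:
        with open(victim, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line

    # Input shape from the write-up: traversal plus a terminating NUL so ".lock" is never appended.
    hostile_username = "../../etc/passwd\0"
    results = {}

    plant_victim()
    lock_cycle_vulnerable(env_dir, hostile_username)
    results["vulnerable_deleted_target"] = not os.path.exists(victim)

    plant_victim()
    try:
        lock_cycle_hardened(env_dir, hostile_username)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    results["hardened_target_intact"] = os.path.exists(victim)

    # A normal account name still works and only ever touches a lock file inside env_dir.
    lock_path = lock_cycle_hardened(env_dir, "alice")
    results["benign_lock_inside_env_dir"] = os.path.dirname(lock_path) == os.path.realpath(env_dir)
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks in `contained_path` are deliberately redundant: the allow-list stops traversal and NUL bytes at the input boundary, and the `realpath` comparison catches anything that still resolves outside the directory (for instance a symlink planted under `env_dir`). Auditing for the same bug class means looking for every place a request-controlled value is concatenated into a path and then passed to `open`, `unlink` or similar calls, which is where a single missing check turned a lock-file housekeeping routine into arbitrary file deletion.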
Gordon was clear that an attacker could not take advantage of the vulnerability to drop malware into a directory, for example.
“The vulnerability only allows you to delete files,” Gordon said. “There may be certain files in a Linux file system you could delete that would then give you an advantage in further compromising it like a file owned by root inside a directory that you have write access to, so that you could replace the file as a lesser user and control the file’s contents. I haven’t been able to find an example of this yet, though.”