Bugtraq mailing list archives
Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)
From: "Noam Rathaus" <noamr () beyondsecurity com>
Date: Sat, 31 Aug 2002 01:39:44 +0300
Hi,

But you are neglecting to note that if you DO LIMIT that user, he is still not LIMITED in any way. Meaning that if you provide your user with "admin" of the Apache ONLY (only access to the Apache module), but you still have RPC enabled, he is pretty much free to do whatever he wants, even though you have limited him.

This is our main point of disagreement with the vendor: RPC shouldn't give you any more access than what you have provided him via the ACL (the RPC module does not even try to verify what kind of access the 'admin', or in lower versions, any other user, has).

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com

----- Original Message -----
From: "Muhammad Faisal Rauf Danka" <mfrd () attitudex com>
To: "SecurITeam BugTraq Monitoring" <bugtraq () securiteam com>; <mfrd () attitudex com>; <bugtraq () securityfocus com>
Sent: Friday, August 30, 2002 11:50 PM
Subject: Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)

Yes but wouldn't that be wrong in itself, to give root or admin user access to someone for the purpose of providing "limited access", when it is confirmed that admin or root login account for webmin has full access over all modules.

<quote>
Vendor response:
The vendor has responded with the following statement:
That's not really a bug, because in standard webmin installs the 'admin' or 'root' user has access to all modules with all privileges, which is equivalent to having a root login.
</quote>

Regards
--------
Muhammad Faisal Rauf Danka
Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202

--- "SecurITeam BugTraq Monitoring" <bugtraq () securiteam com> wrote:

Hi,

This kind of settings means that a user by the name of 'admin' or 'root' is just a normal root with a shell since the RPC interface would allow him to do anything.

This means that anyone giving "limited" access to their machines, appliance, etc, with a user named 'admin' or 'root' is actually giving them complete access to the machine (all they need to do is modify /etc/shadow, and /etc/passwd, to add their own user, and then simply logon, of course other methods such as binding inetd to a /bin/bash is also possible, but would require a bit more "work").

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com

----- Original Message -----
From: "Muhammad Faisal Rauf Danka" <mfrd () attitudex com>
To: <bugtraq () securityfocus com>
Sent: Friday, August 30, 2002 6:09 PM
Subject: Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)

The problem has been fixed several versions before. Current version is 0.990

However I am using version 0.980 of webmin. And the default installation value for rpc in defaultacl file is 2.

[root@linux /]# grep "rpc" /home/admin/webmin-0.980/defaultacl
rpc=2
[root@linux /]#

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------
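
The ACL gap argued over in this thread, as an added example that is not part of any poster's message or of Webmin's own code: a check that flags accounts restricted to a subset of modules while the rpc setting still lets them make RPC calls. The meaning of the rpc values (0 = off, 1 = any user, 2 = only users named root or admin), the user-to-module table and the module inventory are assumptions; only `rpc=2` in `defaultacl` comes from the thread.

```python
# Added example: flag "limited" Webmin accounts that can still reach RPC.
# Assumed rpc semantics (not stated verbatim in the thread):
#   0 = RPC disabled, 1 = any user, 2 = only users named root or admin.
# A missing rpc key is treated as disabled (also an assumption).

RPC_NAMED_ADMINS = ("root", "admin")

# Constructed sample input. Only the line rpc=2 appears in the thread.
SAMPLE_DEFAULTACL = "# constructed sample\nrpc=2\n"
# Hypothetical module inventory and per-user module grants.
ALL_MODULES = {"apache", "bind8", "useradmin", "inetd"}
SAMPLE_USERS = {
    "root": {"apache", "bind8", "useradmin", "inetd"},  # unrestricted
    "admin": {"apache"},                                # meant to be Apache-only
    "alice": {"apache"},                                # meant to be Apache-only
}


def parse_acl(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        acl[key.strip()] = value.strip()
    return acl


def rpc_allowed(user, acl):
    """True if the (assumed) rpc mode lets this user make RPC calls."""
    mode = acl.get("rpc", "0")
    if mode == "1":
        return True
    if mode == "2":
        return user in RPC_NAMED_ADMINS
    return False


def find_rpc_bypass(users, all_modules, acl):
    """Users whose module list is restricted but who may still use RPC."""
    return sorted(
        user for user, modules in users.items()
        if rpc_allowed(user, acl) and set(modules) < set(all_modules)
    )


if __name__ == "__main__":
    for name in find_rpc_bypass(SAMPLE_USERS, ALL_MODULES, parse_acl(SAMPLE_DEFAULTACL)):
        print(f"{name}: module ACL is restricted, but RPC is not covered by it")
```

With the sample data, the Apache-only `admin` account is reported under `rpc=2`, which is the case Noam Rathaus describes; `root` is not, because its module list is already unrestricted.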
Current thread:
- Webmin Vulnerability Leads to Remote Compromise (RPC CGI) Aviram Jenik (Aug 28)
- <Possible follow-ups>
- Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI) Muhammad Faisal Rauf Danka (Aug 30)
- Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI) Noam Rathaus (Aug 31)