Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)

["Noam Rathaus" <noamr () beyondsecurity com>]

Hi,

But you are neglecting to note that if you DO LIMIT that user, he is still not
LIMITED in any way. Meaning that if you provide your user with "admin" of the
Apache ONLY (only access to the Apache module), but you have still RPC enabled,
he is pretty much free to do whatever he wants, even though you have limited
him.

This is our main point of disagreement with the vendor, RPC shouldn't give you
anymore access than that you have provided him via the ACL (the RPC module does
not even try to verify what kind of access the 'admin', or in lower versions,
any other user, has).

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com
----- Original Message -----
From: "Muhammad Faisal Rauf Danka" <mfrd () attitudex com>
To: "SecurITeam BugTraq Monitoring" <bugtraq () securiteam com>;
<mfrd () attitudex com>; <bugtraq () securityfocus com>
Sent: Friday, August 30, 2002 11:50 PM
Subject: Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)


> Yes but wouldn't that be wrong in itself, to give root or admin user access to
someone for the purpose of providing "limited access", when it is confirmed that
admin or root login account for webmin has full access over all modules.
> <quote>
> Vendor response:
> The vendor has responded with the following statement:
> That's not really a bug, because in standard webmin installs the 'admin' or
'root' use has access to all modules with all privileges, which is equivalent to
having a root login.
> </quote>
>
> Regards
> --------
> Muhammad Faisal Rauf Danka
>
> Head of GemSEC / Chief Technology Officer
> Gem Internet Services (Pvt) Ltd.
> web: www.gem.net.pk
> Key Id: 0x784B0202
> Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7  6A20 C592 484B
> 784B 0202
>
>
> --- "SecurITeam BugTraq Monitoring" <bugtraq () securiteam com> wrote:
> > Hi,
> >
> > This kind of settings means that a user by the name of 'admin' or 'root' is
just
> > a normal root with a shell since the RPC interface would allow him to do
> > anything. This means that anyone giving "limited" access to their machines,
> > appliance, etc, with a user named 'admin' or 'root' is actually giving them
> > complete access to the machine (all they need to do is modify /etc/shadow,
and
> > /etc/passwd, to add their own user, and then simply logon, of course other
> > methods such as binding inetd to a /bin/bash is also possible, but would
require
> > a bit more "work).
> >
> > Thanks
> > Noam Rathaus
> > CTO
> > Beyond Security Ltd
> > http://www.SecurITeam.com
> > http://www.BeyondSecurity.com
> > ----- Original Message -----
> > From: "Muhammad Faisal Rauf Danka" <mfrd () attitudex com>
> > To: <bugtraq () securityfocus com>
> > Sent: Friday, August 30, 2002 6:09 PM
> > Subject: Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)
> >
> >
> > > The problem has been fixed several versions before.
> > > Current version is 0.990
> > > However I am using version 0.980 of webmin.
> > > And the default installation value for rpc in defaultacl file is 2.
> > >
> > > [root@linux /]# grep "rpc" /home/admin/webmin-0.980/defaultacl
> > > rpc=2
> > > [root@linux /]#
>
> _____________________________________________________________
> ---------------------------
> [ATTITUDEX.COM]
> http://www.attitudex.com/
> ---------------------------
>
> _____________________________________________________________
> Promote your group and strengthen ties to your members with
email () yourgroup org by Everyone.net  http://www.everyone.net/?btn=tag
>