Webmin Symlink Vulnerability
BID:2399
Info
| Bugtraq ID: | 2399 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 17 2001 12:00AM |
| Updated: | Jan 17 2001 12:00AM |
| Credit: | Reported to bugtraq in a Caldera Security Advisory dated January 17, 2001. |
| Vulnerable: | Webmin Webmin 0.8.5 Red Hat Webmin Webmin 0.8.3 |
| Not Vulnerable: | Webmin Webmin 0.8.4 |
Discussion
Webmin is a web-based administration interface for Unix systems. Affected versions of Webmin create their temporary files insecurely.
Webmin's tempfiles are named in a way that a malicious user can guess in advance. This allows an attacker to create a symbolic link with the same name as Webmin's tempfile, pointing to another file that is the target of the attack.
When Webmin attempts to write to the predictably named temporary file, the already-created symbolic link causes the program to overwrite the symlink's target with the privileges of the webserver process.
Properly exploited, this type of attack may lead to local root access for the attacker.
It has been reported that a number of vulnerable Webmin RPMs are still in circulation and many Linux distributions do not appear to have sufficiently patched this issue. For example, insecure temporary file creation is still known to be prevalent in some post-Webmin 0.8.3 RPMs.
Users are advised to upgrade to the most recent version to avoid the insecure temporary file creation described above.
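The difference between the unsafe write described above and safe temporary-file creation, as an added Python example (not Webmin's own Perl code and not part of the advisory). The file names and the sandbox directory layout are constructed for illustration.

```python
import os
import tempfile

def naive_write(path, data):
    # Vulnerable pattern: open() follows whatever already sits at `path`.
    with open(path, "w") as fh:
        fh.write(data)

def exclusive_write(path, data):
    # O_CREAT|O_EXCL fails with EEXIST if the name exists, even as a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def unpredictable_write(directory, data):
    # mkstemp chooses a random name and creates it with O_EXCL, mode 0600.
    fd, path = tempfile.mkstemp(prefix="app.", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def read(path):
    with open(path) as fh:
        return fh.read()

def demo():
    out = {}
    with tempfile.TemporaryDirectory() as sandbox:
        # Constructed stand-ins: a file the service may write, and a shared tmp dir.
        target = os.path.join(sandbox, "protected.conf")
        shared = os.path.join(sandbox, "tmp")
        os.mkdir(shared)
        guessable = os.path.join(shared, "app.1234.tmp")  # hypothetical name
        naive_write(target, "original\n")
        os.symlink(target, guessable)  # link already present when the service runs
        # Unsafe write: the data lands in the link's target, not in a new tempfile.
        naive_write(guessable, "scratch\n")
        out["naive_overwrote_target"] = read(target) == "scratch\n"
        naive_write(target, "original\n")  # restore, then try the hardened form
        try:
            exclusive_write(guessable, "scratch\n")
            out["exclusive_refused"] = False
        except FileExistsError:
            out["exclusive_refused"] = True
        out["target_intact"] = read(target) == "original\n"
        path = unpredictable_write(shared, "scratch\n")
        out["mkstemp_regular_file"] = os.path.isfile(path) and not os.path.islink(path)
        out["mkstemp_group_other_bits"] = os.stat(path).st_mode & 0o077
    return out
```

Calling `demo()` returns a dictionary showing that the plain `open()` write replaced the linked file's contents, while the exclusive create was refused and the `mkstemp` file is a regular file readable only by its owner.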