Virtualmin < 3.703 - Multiple Local/Remote Vulnerabilities








Virtualmin Multiple Vulnerabilities

by Filip Palian <filip (dot) palian (at) pjwstk (dot) edu (dot) pl

Software affected:
Virtualmin < 3.703

Description (from the vendor site):
"Virtualmin is the world's most powerful and flexible web server control
Manage your virtual domains, mailboxes, databases, applications, and the
entire server, from one comprehensive interface".

Virtualmin is prone to multiple vulnerabilities.

#1 Unprivileged port use
The Virtualmin listens by default on port 10000. Regular users are able
to run
their own daemon on that port and prevent Virtualmin to run.

#2 XSS
The Virtualmin doesn't validate input data correctly in some scripts. As a
result attackers are able to conduct XSS and CSRF attacks. Note that
"referers_none" configuration option must be set to "0", when it's set
to "1"
by default.


#3 Anonymous proxy
The attacker is able to use "Preview Website" featrue to hide hers real
location and conduct attacks on different servers in the Internet.


#4 Information disclousure
It's possible to view and/or copy any file on the server due to system()
in mysql module, which copies any file specified by the user
to Virtualmin temporary dir. Note it's a time based attack as the copied
is almost immediately removed after creation.

#5 Information disclousure
It's possible to view any file on the server because Virtualmin doesn't drop
root privileges to perform some of its actions.

Use the "Execute SQL" feature in the mysql module by passing
"/etc/master.passwd" parameter as the file path to the .sql file:

-- cut --
Output from SQL commands in file /etc/master.passwd ..
ERROR 1064 (42000) at line 3: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near 'root:$1$HASH_HERE.:0:0::0:0:Charlie
&:/root:/usr/local/bin/' at line 1
-- cut --

#6 Symlink attacks
There are Virtualmin modules which allows the attacker to conduct a
successful symlink attack, which may lead to a full compromise of the

Example for "Backup Virtual Servers":
1) Regular user creates backupdir and symlink:
  $ mkdir virtualmin-backup && ln -s /etc/master.passwd
  $ ls -la /etc/master.passwd
  -rw-------  1 root  wheel  1024 Jan 19 23:08 /etc/master.passwd

2) From the panel regular user creates backup:
  "Backup and Restore" -> "Backup Virtual Servers" and "Destination and

set options to:

  Backup destination [x] File or directory under virtualmin-backup/ - "test"
  Backup format     [x] Single archive file

and create backup by submitting "Backup Now".

3) Regular user now owns the symlinked file:
  $ ls -la /etc/master.passwd
  -rw-------  1 user  user  1024 Jan 21 00:51 /etc/master.passwd

The vendor has provided updates and solutions to all vulnerabilities
described above. Upgrading immediately is strongly recommended for all
Virtualmin users.

Disclosure timeline:
21 VI 2009: Detailed information with examples and PoCs sent to the vendor.
24 VI 2009: Initial vendor response.
25 VI 2009: Few more vulnerabilities with examples and PoCs sent to the
26 VI 2009: Hot fix for the mysql module released by the vendor.
05 VII 2009: New version of the Virtualmin with fixes released by the
14 VII 2009: Security bulletin released.


Best regards,
Filip Palian

# [2009-07-14]