
Giving Root to the Web

[This article was contributed by Tom Owen]

These days, pretty much any box with an Ethernet port has a web administration interface running alongside the command line and that iffy SNMP agent. Even if you can ignore horrors like the admin password going through an HTML form and no support for HTTPS, it's unlikely that the web server running in, say, a cheap switch will have been better tested or reviewed than miniserv.pl, the perl HTTP server which runs at the core of Webmin.

Webmin is a popular administration package which provides form-based access to configuration files for many standard and optional components. Administrators use a browser and the Webmin forms to manage users, DNS zone changes, driver modules and many other tasks. All the applications are perl modules, running via CGI under the miniserv.pl web server.

The recent vulnerability report from the LAC security lab suggests that miniserv.pl can be fooled by control characters in a web authentication string. It apparently needs the "Enable Password Timeout" option to be set in Webmin, but that's an option that many cautious admins will choose anyway. The inevitable exploit makes it concrete and easy. It's nicely set up to get a script kiddy going: a few lines of perl run netcat to fake a single HTTP GET. It's all simple and transparent except for an artfully crafted base64 string on the Authorization: header. The control codes there create a specific session for the default user "admin". A cookie containing the session ID on a local browser is then all the attacker needs to use all the Webmin modules. It's complete server root access with full havoc potential in a very few steps.
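The advisory turns on control characters surviving inside a decoded Authorization: header. The following is an added example in Python, not Webmin's own code and not the exploit string, showing the check a server should make before a Basic credential goes anywhere near session handling: decode it strictly, then reject any byte that is a control character (0x00-0x1f, 0x7f) or outside ASCII. The sample headers are constructed here; `basic_header`, `parse_basic_auth` and `naive_parse` are names chosen for this example.

```python
import base64
import binascii
from typing import Tuple


class BadCredential(ValueError):
    """Raised when an Authorization: header fails validation."""


def basic_header(raw: bytes) -> str:
    """Build a 'Basic <base64>' header from raw 'user:password' bytes (test helper)."""
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample headers; the second smuggles CR/LF inside the user name.
GOOD_HEADER = basic_header(b"admin:s3cret")
CTRL_HEADER = basic_header(b"admin\r\n:s3cret")


def naive_parse(header: str) -> Tuple[str, str]:
    """The shape of a careless decoder: trust whatever base64 yields.

    Anything that later writes the user name into a session file or
    compares it line by line inherits the embedded control bytes.
    """
    payload = header.split(" ", 1)[1]
    text = base64.b64decode(payload).decode("latin-1")
    user, _, password = text.partition(":")
    return user, password


def parse_basic_auth(header: str) -> Tuple[str, str]:
    """Decode a Basic credential, refusing control bytes and non-ASCII.

    Returns (user, password) or raises BadCredential.
    """
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        raise BadCredential("not a Basic credential")
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        raise BadCredential("malformed base64")
    # Control characters have no business in a user name or password
    # that will be stored, logged or used as a record delimiter.
    if any(b < 0x20 or b == 0x7F for b in raw):
        raise BadCredential("control character in credential")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise BadCredential("non-ASCII byte in credential")
    user, sep, password = text.partition(":")
    if not sep or not user:
        raise BadCredential("missing user:password separator")
    return user, password


def credential_is_clean(header: str) -> bool:
    """True if the header passes the strict parser, False otherwise."""
    try:
        parse_basic_auth(header)
        return True
    except BadCredential:
        return False


if __name__ == "__main__":
    print("naive parser accepts:", repr(naive_parse(CTRL_HEADER)[0]))
    print("strict parser accepts good header:", credential_is_clean(GOOD_HEADER))
    print("strict parser accepts CRLF header:", credential_is_clean(CTRL_HEADER))
```

The point of keeping `naive_parse` beside the strict version is to show that base64 itself is not the filter: it happily round-trips any byte, so the validation has to happen on the decoded bytes, before they are used as a key into anything.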

A search for "webmin" on Bugtraq shows a trickle of problems, mostly in the last couple of years, ranging from local privilege escalation to full remote admin access. Cross site scripting and other old favorites show up with oddities like leftover environment variables. In fact the system seems more secure than many, but the consequences of failure are much worse than for ordinary web applications: instead of one function or application being compromised, it's the whole server. This situation raises a question: Can it ever be responsible to put a root function on to a web protocol?

This isn't particularly a Webmin issue. The miniserv.pl fault was promptly fixed in 1.070 but all of those cheap printers, switches and wireless access points are still booting the firmware they shipped with. We can be sure that this is a case where absence of reports doesn't mean the holes aren't there. Despite the potential for trouble, no reduction in web-based administration, even over the public internet, is going to happen soon. It probably won't even begin to happen until someone gets sued for negligence -- it's just too useful, and for remotely-hosted servers it's pretty much essential.

Just looking at Webmin, the value stands out:

  • So many people hate text mode configuration
  • Even those who love it acknowledge that systems like Bind are ticklish to get right by hand: A display like this is not lovely, but it can save you from forgetting the reverse addresses.
  • Checklist purchasers need it: it's a good, demonstrable counterargument to "Linux is impossible to administer" charges.

So, lots of admins will be keeping Webmin, SWAT and those network boxes. They've got a lot of the same work to do:

  • Turn off unused web administrator systems (and SNMP too.) Scan to make sure they stay off.
  • When it's configurable, standardise on a web administration port to block unconditionally at the firewall. Caldera, for example, uses port 1000.
  • Printers and switches don't need Internet access. At the firewall, block the IP range they're in.
  • In simple LANs they don't even need a default gateway. 0.0.0.0 is fine.
  • Webmin and others offer IP-based access control. Turn it on and only include administrators' machines.
  • In the longer term, get that VPN on-line.
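Two of the items above lend themselves to a routine check: confirming that administration ports are not listening on every interface (turn them off, and scan to make sure they stay off) and enforcing an IP-based allow-list. The following is an added Python example, not part of the article or of Webmin, that audits constructed `ss -ltn`-style output for admin ports bound to a wildcard address and evaluates a client address against administrators' networks. The port list uses Webmin's 10000 and Caldera's 1000 from the article, SWAT's conventional 901; the sample socket lines and the 192.0.2.0/24 admin network are constructed values.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample in the shape of `ss -ltn` output; not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:10000        0.0.0.0:*
LISTEN  0       128     127.0.0.1:901        0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
"""

# Web administration ports worth standardising on and blocking at the firewall:
# Webmin (10000), SWAT (901) and the Caldera port the article cites (1000).
ADMIN_PORTS = {10000, 901, 1000}

# Administrators' machines; constructed example networks.
ADMIN_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (local address, port) for each LISTEN line of ss-style output."""
    out = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr = m.group(1).strip("[]")  # IPv6 addresses are bracketed
            out.append((addr, int(m.group(2))))
    return out


def audit_listeners(text: str, admin_ports=ADMIN_PORTS) -> List[Tuple[str, int, str]]:
    """Flag administration ports that are reachable on more than loopback.

    Each finding is (address, port, reason). A service bound to 127.0.0.1
    is acceptable; 0.0.0.0 / :: or a routable address is reported.
    """
    findings = []
    for addr, port in parse_listeners(text):
        if port not in admin_ports:
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified:
            findings.append((addr, port, "listening on all interfaces"))
        elif not ip.is_loopback:
            findings.append((addr, port, "listening on a routable address"))
    return findings


def client_allowed(client_ip: str, nets=ADMIN_NETS) -> bool:
    """IP-based access control: True only for addresses inside admin networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    for addr, port, reason in audit_listeners(SAMPLE_SS):
        print(f"admin port {port} on {addr}: {reason}")
    for client in ("192.0.2.10", "198.51.100.7"):
        print(client, "allowed" if client_allowed(client) else "denied")
```

Run against real `ss -ltn` output the audit is a cheap nightly check that a box someone "temporarily" opened up has not stayed that way; the allow-list function is the same test Webmin's own IP access control performs, written out so the rule is explicit.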

It's a shame. That fantasy about doing your work from the Internet cafe just ended. Web administration is democratic, convenient and inclusive, a huge boon to admins, and it'll be hard to give it up. But the way it looks now, it's hard to believe it can ever be really safe.

Giving Root to the Web

Posted Feb 27, 2003 9:01 UTC (Thu) by beejaybee (guest, #1581)

Heigh ho. It's enough of a struggle persuading people to run Windows Update; the chances of getting anyone to upgrade firmware in network switches, print hubs etc. are just about non-existent.

These things really need to be firewalled so that (at least) the admin ports are invisible from any place you don't _really_ trust. Of course the problem is that your firewall is likely to have an insecure web-based admin port as well :-( At least with an open-source firewall you can definitively disable the damn thing.

If that's inconvenient, then tough. Is it convenient to have your whole network compromised?

Get that VPN online?

Posted Feb 27, 2003 13:15 UTC (Thu) by ronaldcole (guest, #1462)

As a Red Hat user, I've had to hand-roll mppe/pptp VPN into every kernel update from RedHat since version 6.2! Red Hat should have had a VPN (pptp or ipsec) in their distro for the last two years...

What about the command line?

Posted Feb 27, 2003 15:57 UTC (Thu) by bkw1a (subscriber, #4101)

About web-based admin interfaces, the article says "for remotely-hosted servers it's pretty much essential". Around here, I manage about a hundred Linux boxes remotely, without any web interface. For tweaking individual machines, I use ssh. This lets me do anything I want to do on the remote system, and unlike a web interface it doesn't require that the interface change whenever a config file format changes.

For making changes to many machines at once, I have a nightly automatic update system based on perl scripts, rsync and anon. ftp. I'd hate to have to update all my machines individually, using web interfaces.

It seems to me that web-based admin interfaces for Linux fill a very narrow niche: they suit people who administer only a few remote machines, don't have time to really learn about Linux, and never need to make big changes. Maybe this group is growing, though, as more folks from the Windows world start administering, e.g., apache on Linux.

What about the command line?

Posted Feb 28, 2003 10:03 UTC (Fri) by beejaybee (guest, #1581)

"For making changes to many machines at once, I have a nightly automatic update system based on perl scripts, rsync and anon. ftp."

Oh brother. Given you have ssh anyway, why not use scp instead of anon ftp?

"It seems to me that web-based admin interfaces for Linux fill a very narrow niche: they suit people who administer only a few remote machines, don't have time to really learn about Linux, and never need to make big changes. Maybe this group is growing, though, as more folks from the Windows world start administering, e.g., apache on Linux."

Also the large group of people who administer things like network switches, network-connected printers etc. without thinking of themselves as system administrators (or being paid as such!) and without even realising that the device(s) they're administering has an underlying operating system.

Giving Root to the Web

Posted Feb 27, 2003 16:52 UTC (Thu) by strombrg (guest, #2178)

Even if you restrict webmin to being accessed only from certain IPs, that doesn't really stop you from using WeirdMind or jcterm from a java-enabled browser to ssh to a trusted host and then remote display a lightweight browser back. WeirdMind and jcterm are both java ssh applications with x11 forwarding ability. They aren't perfect, but perhaps good enough for this task.

For that matter, you may be able to use links or w3m.

Giving Root to the Web

Posted Mar 8, 2003 13:28 UTC (Sat) by Adriaan (guest, #10014)

Why not use

ssh -X -L 10001:remote.server:10000 remote.server

and mozilla localhost:10001 from the admin's machine

You could only allow loopback connections to Webmin on the server that way; you wouldn't even have to use https.

It would still be a problem doing this from an Internet café though, as most (Windows) machines in Internet cafés don't have an X server running :-/

Giving Root to the Web

Posted Mar 11, 2003 23:01 UTC (Tue) by mogul (subscriber, #3163)

Ladies and gentlemen, I give you WeirdMind:
http://spiro.fisica.unipd.it/servizi/weirdx/weirdmind/weirdmind/
"WeirdMind allows you to embed an entire X server and SSH1 client in your java-enabled web browser. If an X program is opened, the X server will be automatically started, and the window will pop up on top of your web browser."

That's right... A full ssh client and X server in a browser applet. I've used it to do both routine and emergency admin work from internet cafes while on vacation in Canada, Europe, Japan, etc.

Rejoice, and Hallelujah my brethren!

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds