A bug in Usermin, a widely-used administration console for Unix and Linux, could allow an attacker to run malicious code via a specially-crafted email, according to security researchers.
Usermin allows users of Unix and Linux to administer their own accounts on a network via a Web-based interface, including reading email. The tool isn't included in Unix or Linux distributions by default, but is often used with Webmin, one of the most popular system administration tools, which ships with Linux distributions such as Suse, Mandrake and Gentoo. A separate, less serious bug affects both Webmin and Usermin, researchers said.
A flaw in Usermin's webmail feature allows an attacker to inject malicious shell code in a specially-crafted email, according to an advisory from Gentoo. This bug could lead to the remote execution of malicious code with the privileges of the user running Webmin or Usermin. Webmin contains all the functionality of Usermin, including the vulnerable webmail feature, experts said.
"Certain parts of the emails aren't properly validated before Usermin is used in an insecure call to local resources," said Thomas Kristensen, chief technical officer of Danish security firm Secunia. "This can be exploited by sending a malicious mail to a user using Usermin." In its advisory Secunia gave the vulnerability a "highly critical" rating, its second most severe category.
The second bug could only be exploited by a local user who knew Webmin or Usermin was going to be installed. The applications write to the location /tmp/.webmin without first checking that such a location already exists; a malicious user could create a link at /tmp/.webmin pointing to important files (for example /etc/passwd), causing those files to be overwritten when the application was installed.