WebhostSecurity.com
ARTICLES
› Lessons Learned - Defense
› Lessons Learned - Offense
› Finding Bugs 1 - Softaculous
› Finding Bugs 2 - cPanel + Horde
› uid/gid Reuse Multi Vendor Issue
› Finding the WordPress 2.1.1 Backdoor
› Discovering Cdorked.A on cPanel
OFFENSE
› AtMail
› BFD
› cPanel
› CSF
› DirectAdmin
› Installatron
› Juniper
› Kloxo
› OSSEC
› Softaculous
› WHMEZLogin
› WHMReseller
DEFENSE
› STFN - Suspicious /tmp File Notifier
› ELM - Exim Log Monitor
› RFID - Remote File Inclusion Detector
› Twitter


cPanel 10.9.0-STABLE_119 - random world readable files in /etc/vftp, some user password hashes viewable


DESCRIPTION

Some files in /etc/vftp/ ( which is a symlink to /etc/proftp/ ) were found to be world readable. These files contain the local users' system password hashes, as well as hashes to the users' FTP accounts, if any. Local system accounts added manually, such as staff accounts created via useradd, also had their account password information stored in this directory.

The vendor determined that this was occurring accidentally as part of the account suspension routine. When an account is suspended, the files in /etc/vftp are updated, and some files were having their permissions changed to 0644 (the default is 0640).


[user@host ~]$ ls -al /etc/vftp/
drwxr-xr-x  2 root root  4096 Oct  1 21:53 ./
drwxr-xr-x 75 root root 12288 Oct  2 11:00 ../
-rw-r-----  1 root root   175 Sep 24 11:48 alice
-rw-r-----  1 root root   275 Jun 22 13:45 bob
-rw-r--r--  1 root root   175 Sep 28 10:41 carol
-rw-rw----  1 root root   868 Sep 30 16:47 passwd.vhosts
-rw-------  1 root root  1081 Sep 30 16:47 passwd.vhosts.cache
[user@host ~]$ cat /etc/vftp/carol
carol:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e31:911:908::/home/carol:/bin/bash
carol_logs:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e/31:911:908:carol:/usr/local/apache/domlogs/carol:/bin/ftpsh


IMPACT

Local users could obtain the password hashes of various other users' accounts.


WebhostSecurity.com © 2009 - 2020