cPanel 11.15.0-RELEASE_17853 - easyapache race condition



DESCRIPTION


When easyapache was run, /var/cpanel/perl/easy/Cpanel/Easy/Utils.pm checked /tmp for the file "/tmp/ea3-distlist-$tree", where $tree is the cPanel branch currently in use on the server (e.g., STABLE, RELEASE, CURRENT, EDGE, etc). If the file existed, it would be unlinked. Immediately afterwards, a request would be sent to httpupdate.cpanel.net which resulted in the /tmp/ea3-distlist-$tree file being written to the fs as root.

This is what the code looked like:

 19           my $tree = Cpanel::Version::gettree();

 45           my $tmpfile = "/tmp/ea3-distlist-$tree";
 46 
 47           if ( -e $tmpfile ) {
 48               unlink $tmpfile or return; # warn/log first
 49           }
 50 
 51           my $rc = $self->fetch_from_httpupdate_silent(
 52               'host'     => $self->{'_'}{'cpsources'}{'HTTPUPDATE'},
 53               'url'      => "/cpanelsync/$tree/distlist-$tree",
 54               'destfile' => $tmpfile,
 55           );



IMPACT


A local attacker with foreknowledge of easyapache being run could continually attempt to create a symlink from /tmp/ea3-distlist-$tree to anywhere on the box, which would result in the destination file being overwritten if successful.


[user@host /tmp]$ while true ; do ln -s /etc/resolv.conf ea3-distlist-$tree ; done

27 Oct 2017 - Overwriting /root/.accesshash with user-controllable content is a local root. As the contents of the ea3-distlist-$tree file are available to anyone, this was possibly a local root, no auth required.