cPanel (UNKNOWN VERSION - believed to possibly be all versions prior to 11.x) - destroy any file on the box via certain ~/.cpanel-datastore/ files



DESCRIPTION


When a cPanel user logged into their account, certain files were created or updated in their ~/.cpanel-datastore directory (under cPanel 11 this was changed to ~/.cpanel/datastore/). In previous versions of cPanel, the MySQL and dig files were created and written as root, even though they lived in a directory the user controlled. The exact file names have been forgotten, but are believed to possibly be "_usr_bin_mysqladmin_ping" and "dig_\@x.x.x.x_example.com", where "x.x.x.x" is the IP address of a root nameserver and "example.com" is one of the cPanel user's domains. Under cPanel 11, the MySQL and dig files are written to /root/.cpanel/datastore/ instead.

If a local user removed the MySQL and dig files from their ~/.cpanel-datastore/ directory, replaced them with symlinks pointing at arbitrary files on the box, and then logged into cPanel, the root-owned writer followed the symlinks and overwrote the target files.

This issue was more or less unreported (I did mention it in the unofficial cPanel IRC chat), as cPanel 11.x had already been released which did not suffer from this problem. I'm guessing someone else caught it and reported it first.


[user@host ~]$ ls -al .cpanel-datastore/
-rw------- 1 user user  1410 Sep 30 16:25 _sbin_ifconfig_-a
-rw------- 1 root root  1626 Sep  1 16:30 _usr_bin_dig_\@192.33.4.12_example.com
-rw------- 1 root root    16 Oct  2 09:55 _usr_bin_mysqladmin_ping
[user@host ~]$ rm -rf .cpanel-datastore/*
[user@host ~]$ ln -s /etc/foo .cpanel-datastore/_usr_bin_dig_@192.33.4.12_example.com


Once the user logs back into cPanel, the MySQL and dig files in ~/.cpanel-datastore/ mentioned above are recreated as root. Because the write follows the symlink, the target is created if it did not exist or truncated and overwritten if it did, so the user can create new files anywhere on the filesystem or destroy existing ones.
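The symlink-following write described above, contrasted with a hardened writer, as an added example (Python, not cPanel's own code): naive_write() is the pattern the advisory describes, while safe_write() opens the cache entry with O_NOFOLLOW and verifies the inode before truncating it. It assumes the writer already runs as the owner of the cache directory (privileges dropped); the victim file, cache directory and entry name are constructed for the demo.

```python
import os
import stat
import tempfile


def naive_write(path, data):
    # Vulnerable pattern: open() follows symlinks, so a privileged writer
    # clobbers whatever the user-controlled cache entry points at.
    with open(path, "w") as f:
        f.write(data)


def safe_write(dirpath, name, data, owner_uid):
    # Open the cache directory itself without following a symlinked directory.
    dfd = os.open(dirpath, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if os.fstat(dfd).st_uid != owner_uid:
            raise PermissionError("cache directory not owned by expected user")
        # O_NOFOLLOW makes open() fail (ELOOP on Linux) if `name` is a symlink.
        # No O_TRUNC here: inspect the inode before touching its contents.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600, dir_fd=dfd)
        try:
            st = os.fstat(fd)
            # Reject hard links to foreign files and anything not a plain file.
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != owner_uid:
                raise PermissionError("refusing to write to unexpected inode")
            os.ftruncate(fd, 0)
            os.write(fd, data.encode())
        finally:
            os.close(fd)
    finally:
        os.close(dfd)


def demo():
    """Constructed scenario: a victim file and a cache dir whose dig entry is a
    symlink to it. Returns (victim after safe_write, safe_write refused?,
    victim after naive_write)."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim.conf")
    with open(victim, "w") as f:
        f.write("original\n")
    cache = os.path.join(base, ".cpanel-datastore")
    os.mkdir(cache, 0o700)
    entry = "_usr_bin_dig_@192.33.4.12_example.com"  # name taken from the advisory
    os.symlink(victim, os.path.join(cache, entry))
    refused = False
    try:
        safe_write(cache, entry, "cache data\n", os.getuid())
    except OSError:
        refused = True
    after_safe = open(victim).read()
    naive_write(os.path.join(cache, entry), "cache data\n")
    return after_safe, refused, open(victim).read()
```

Running demo() shows the hardened writer leaving the victim untouched while the naive writer overwrites it through the symlink.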



IMPACT


Local users could destroy any file(s) on the machine.

27 Oct 2017 - Overwriting /root/.accesshash with user-controllable content is a local root. This was almost assuredly a local root, as the contents of _usr_bin_mysqladmin_ping would have been trivially predictable.