cPanel (All versions prior to and around 04/07/2008) - local users can hijack the cPanel, WHM, webmail, and webdav ports



DESCRIPTION


cPanel uses unprivileged ports for its services: 2077 and 2078 for cpdavd, 2082 and 2083 for cPanel, 2086 and 2087 for WHM, and 2095 and 2096 for webmail. Whenever cPanel was restarted, those ports would be freed, at which point any application could bind to them. A local user could run a fake cpsrvd-ssl process that would bind to port 2087 and redirect the user to port 2086, complete with an authentic-looking login page, then log the username and password of the user attempting to log in.

If I remember correctly, when cPanel was restarted, it had (perhaps still has) a specific order in which it started. For example, 2082 and 2083 would start listening, then 2095 and 2096, and finally 2086 and 2087. If you bound to the cPanel ports first (2082 or 2083), then neither webmail nor WHM would start, since it could not bind to the cPanel ports. Thus, by binding to 2087 last, you were binding to the last possible port, which meant that all other services (cPanel, webmail, and regular http for WHM) were started.
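The root cause described above is that the cPanel, WHM, webmail and cpdavd listeners live on unprivileged ports, so nothing stops an unprivileged process from holding one of them after a restart. The check below is an added example written for this advisory, not cPanel's own tooling: it parses a Linux /proc/net/tcp dump and flags any LISTEN socket on one of the ports named above whose owning uid is not root, since the genuine cpsrvd/cpdavd listeners are root-owned. The sample dump is constructed for the example; the uid 1001 listener on 2087 and the port numbers in it are illustrative, and the assumption that every legitimate listener is uid 0 is the example's own.

```python
"""Flag non-root listeners on cPanel service ports by parsing /proc/net/tcp.

Added example for this advisory (not cPanel code). Assumes a Linux host on
which legitimate cpsrvd/cpdavd listeners are always owned by uid 0.
"""
import os

# Ports listed in the advisory: cpdavd, cPanel, WHM and webmail (plain + SSL).
CPANEL_PORTS = {2077, 2078, 2082, 2083, 2086, 2087, 2095, 2096}
TCP_LISTEN = "0A"  # kernel socket state value for LISTEN in /proc/net/tcp

# Constructed sample dump: root holds 2082/2083/2086, uid 1001 holds 2087 and
# an unrelated port 8080 (0x1F90); the last row is an ESTABLISHED connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0822 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0823 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0826 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0827 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 22010 1 0000000000000000 100 0 0 10 0
   4: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 22011 1 0000000000000000 100 0 0 10 0
   5: 0100007F:0827 0100007F:B3E2 01 00000000:00000000 00:00000000 00000000  1001        0 22012 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Yield (port, uid, inode) for every LISTEN socket in a /proc/net/tcp(6) dump."""
    for line in text.strip().splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if state != TCP_LISTEN:
            continue
        # local_address is "<hex ip>:<hex port>"; rsplit also copes with the
        # 32-hex-digit addresses found in /proc/net/tcp6.
        port = int(local_addr.rsplit(":", 1)[1], 16)
        yield port, int(uid), int(inode)


def find_rogue_listeners(text, ports=CPANEL_PORTS, expected_uid=0):
    """Return sorted [(port, uid)] for listeners on cPanel ports not owned by expected_uid."""
    return sorted(
        (port, uid)
        for port, uid, _inode in parse_proc_net_tcp(text)
        if port in ports and uid != expected_uid
    )


def scan_host(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Run the check against the live kernel tables (empty list on non-Linux hosts)."""
    findings = set()
    for path in paths:
        if os.path.exists(path):
            with open(path) as fh:
                findings.update(find_rogue_listeners(fh.read()))
    return sorted(findings)


if __name__ == "__main__":
    for port, uid in scan_host():
        print(f"WARNING: cPanel port {port} is held by uid {uid}, not root")
```

Run from cron or immediately after a cPanel restart, a non-empty result means a port the genuine daemon expected to take is already held by an unprivileged process, which is exactly the window the advisory describes. The inverse condition is worth watching as well: a cPanel port with no listener at all after a restart indicates the daemon failed to bind, the symptom the start-order observation above predicts.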



IMPACT


Local users could obtain account usernames and passwords of those attempting to log into WHM (and possibly other services requiring authentication via cpsrvd, such as cPanel, webmail, and webdav). This includes the root user.