cPanel 11.23.1-EDGE_24268 - local users could overwrite any file on the box via symlink attack on /tmp/cpbandwidth/-bytes_log



DESCRIPTION


When a user uploads a file via cPanel's File Manager, the following files are written:

/home/username/tmp/cpbandwidth/example.com-bytes_log
/home/username/tmp/cpbandwidth/example.com-bytes_log.lock


It was noticed on some machines that the files existed here:

/tmp/cpbandwidth/-bytes_log
/tmp/cpbandwidth/-bytes_log.lock

which indicates that $HOME/$username and $domain were not being properly populated. In some cases root owned the /tmp/cpbandwidth files, and in others they were owned by a local user who had used the cPanel File Manager. Whoever owned the /tmp/cpbandwidth directory could remove it, recreate the -bytes_log entry as a symlink to any file on the machine, and then upload a file via the File Manager; the upload would write through the symlink and overwrite its target.



IMPACT


A local user who owned the /tmp/cpbandwidth/ directory could destroy files on the local machine.

27 Oct 2017 - Overwriting /root/.accesshash with user-controllable content is a local root. If the -bytes_log file simply contained the number of bytes from a File Manager upload (as I believe was the case), this was probably a local root.