cPanel 11.23.4-CURRENT_26138 - insecure default PEAR implementation



DESCRIPTION


/usr/etc/pear.conf by default is configured to use certain directories in /tmp for placing various files related to PEAR:

/tmp/pear/cache
/tmp/pear/temp
/tmp/pear/download


During a upcp, the following file "/usr/local/cpanel/install/pear-XMLRPC" would be run - as root - which issues the following commands:

pear upgrade PEAR
pear upgrade XML_RPC


Here's an example of what /tmp/pear/cache/ looked like after the pear-XMLRPC script was run:

[root@host ~]# ls -al /tmp/pear/cache/
total 36
drwxr-xr-x  2 root root  1024 Aug  6 10:32 ./
drwxr-xr-x  3 root root  1024 Aug  6 10:32 ../
-rw-r--r--  1 root root   912 Aug  6 10:32 2b26b748f47ba455633c74d5d108e9c7rest.cachefile
-rw-r--r--  1 root root   151 Aug  6 10:32 2b26b748f47ba455633c74d5d108e9c7rest.cacheid
-rw-r--r--  1 root root   897 Aug  6 10:32 2d8cae9ce1d11552bcb57b4f65466a8drest.cachefile
-rw-r--r--  1 root root   151 Aug  6 10:32 2d8cae9ce1d11552bcb57b4f65466a8drest.cacheid
-rw-r--r--  1 root root  3601 Aug  6 10:32 3f5c8bd73acf76150517191516fa2abarest.cachefile
-rw-r--r--  1 root root   151 Aug  6 10:32 3f5c8bd73acf76150517191516fa2abarest.cacheid
-rw-r--r--  1 root root 14727 Aug  6 10:32 6d1f6e892384ae452db9a1bd59ee95f5rest.cachefile
-rw-r--r--  1 root root   152 Aug  6 10:32 6d1f6e892384ae452db9a1bd59ee95f5rest.cacheid
-rw-r--r--  1 root root   554 Aug  6 10:32 74e784d4353d69d2bc670aba2570f952rest.cachefile
-rw-r--r--  1 root root   151 Aug  6 10:32 74e784d4353d69d2bc670aba2570f952rest.cacheid
-rw-r--r--  1 root root  4271 Aug  6 10:32 cebfc2db563cacd14abbf18f437cc384rest.cachefile
-rw-r--r--  1 root root   151 Aug  6 10:32 cebfc2db563cacd14abbf18f437cc384rest.cacheid

Note the user and group ownerships of root.


The file names look a lot like md5 hashes, because they are. Here's how the filenames are generated, taken from /usr/lib/php/PEAR/REST.php:

    200         $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
    201             md5($url) . 'rest.cacheid';

    202         $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
    203             md5($url) . 'rest.cachefile'; 


This is how it works:

A. $this->config->get('cache_dir') = /tmp/pear/cache

B. DIRECTORY_SEPARATOR = /

C. md5($url) = md5 hash:
[user@host ~]$ echo -n http://pear.php.net/rest/p/packages.xml | md5sum
6d1f6e892384ae452db9a1bd59ee95f5
D. rest.cacheid = rest.cacheid (or rest.cachefile = rest.cachefile) 


A + B + C + D = /tmp/pear/cache/6d1f6e892384ae452db9a1bd59ee95f5.cache(id|file)



IMPACT


If the directory structure /tmp/pear/cache has not already been created by root, (either because it did not exist previously, or because it was removed by root, or by tmpwatch, etc), a local user could create that directory structure and then symlink the predictable filenames to any files on the box, causing the destination files to be completely overwritten, or to be created if they did not already exist.

At the time this issue was mentioned, there were 40+ files being written to /tmp/pear/cache. This meant that if a local user could create (and thus control) the /tmp/pear/cache directory, they could destroy 40+ files of their choice during the next upcp since PEAR makes no attempt at properly handling the files being written to the disk.

This has since been addressed by cPanel by using /root/.pearrc, which uses /root/tmp/ for writing the PEAR files.

27 Oct 2017 - Overwriting /root/.accesshash with user-controllable content is a local root. As the contents of the /tmp/pear/cache/ files were available to anyone, this was possibly a local root.