WHMReseller 3.20 - "whmrback" account predictable password



DESCRIPTION


When WHMReseller is installed it adds a system account with the username "whmrback" whose password is not randomly generated: it is derived from the time at which the account was created.



IMPACT


A remote user could generate a list of every possible password for the whmrback account, then use brute force to gain access.

Since the password was generated based on the minute at which the account was created, there are only 1440 possible passwords per day, or roughly 40,000 - 45,000 possible passwords per month.


For example, we'll start with the time "1217563200":

[user@host ~]$ perl -e 'print scalar localtime 1217563200'
Fri Aug  1 00:00:00 2008


If WHMReseller was installed on Fri Aug 1 00:00 2008, we have all the information we need to know the password to the whmrback account. Here's how it works:

1. Obtain the digits from HH:MM (hour:minute) from that time, which would be: 0000

2. Obtain the first 6 digits from the string "1217563200", which would be: 121756

3. Using this character substitution chart:

0 => a
1 => b
2 => 6
3 => t
4 => n
5 => 0
6 => d
7 => y
8 => r
9 => h

and this number: 0000121756 ( "0000" + "121756" )

we can put the password together: aaaab6by0d

The first character of the password will always be 'a', 'b', or '6', because the hour field of a 24-hour clock always starts with '0', '1', or '2' (07:39, 13:56, 22:23, etc).
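The three steps above, written out as an audit check an administrator can run against the whmrback credential (added example, not code from the advisory or from WHMReseller). It assumes the host's local zone is UTC-4, which is what makes the advisory's `localtime 1217563200` print 00:00 on Aug 1 2008; on a real host, pass the installing machine's own zone, since the installer reads HH:MM from localtime. The sample password and timestamps are the advisory's own values.

```python
from datetime import datetime, timedelta, timezone

# Substitution chart as given in the advisory: digit -> password character.
SUBST = {"0": "a", "1": "b", "2": "6", "3": "t", "4": "n",
         "5": "0", "6": "d", "7": "y", "8": "r", "9": "h"}

# Assumption: the advisory's `localtime 1217563200` output (Fri Aug 1 00:00 2008)
# corresponds to a host at UTC-4. Use the installing host's real zone in practice.
ADVISORY_TZ = timezone(timedelta(hours=-4))
ADVISORY_EPOCH = 1217563200


def predictable_password(install_epoch: int, tz: timezone = ADVISORY_TZ) -> str:
    """Derive the whmrback password WHMReseller 3.20 sets at install time,
    following the three steps in the advisory. `tz` is the installing
    host's local zone, because the installer takes HH:MM from localtime."""
    local = datetime.fromtimestamp(install_epoch, tz)
    hhmm = local.strftime("%H%M")                           # step 1: HH:MM digits
    epoch_prefix = str(install_epoch)[:6]                   # step 2: first 6 epoch digits
    return "".join(SUBST[d] for d in hhmm + epoch_prefix)   # step 3: substitution


def is_predictable(password: str, install_epoch: int,
                   tz: timezone = ADVISORY_TZ, window_minutes: int = 0) -> bool:
    """Audit check: True if `password` equals the time-derived value for the
    recorded creation minute, or any minute within +/- window_minutes of it
    (the recorded time may differ slightly from when the installer ran).
    A True result means the credential must be replaced with a random one."""
    for offset in range(-window_minutes, window_minutes + 1):
        candidate_epoch = install_epoch + offset * 60
        if predictable_password(candidate_epoch, tz) == password:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the advisory's own timestamp and resulting password.
    derived = predictable_password(ADVISORY_EPOCH)
    print("derived:", derived)   # aaaab6by0d, as in the advisory
    print("predictable:", is_predictable("aaaab6by0d", ADVISORY_EPOCH, window_minutes=2))
```

The epoch prefix only changes every 11 to 12 days, so within any realistic time window the HH:MM digits are the only moving part, which is exactly why the keyspace per day is 1440. If the check returns True, rotate the whmrback password to one produced by a cryptographic random source rather than anything derived from the clock.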


A single threaded perl script can generate upwards of 450 login attempts per minute from a remote machine. At 400 login attempts per minute:

Password possibilities       Time to crack
1440   (1 day)               3.6 minutes
44640  (1 month, 31 days)    less than 2 hours
525600 (1 year)              less than 22 hours


Using the chart above, brute-forcing your way into a box on which you know the day WHMReseller was installed takes just minutes. If you only know the month it was installed, you have access within 2 hours.

This bug is rated as "critical" because anyone with local access could take advantage of the numerous other issues to gain root access.