cPanel – Password Change Hardlink Arbitrary File Write (R911-0184)

July 23rd, 2015

Type: Arbitrary File Write (Symlink)
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.50.0.27, 11.48.4.6 & 11.46.3.8
CVE: -
R911: 0184
Date: 2015-07-23
By: RACK911 Labs

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is part of the cPanel software and is often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to perform a symlink attack against any file on the server and inject (some) data into the compromised file. This is allowed to happen during the Password Change function that performs various root file operations within the user home directory.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that, while any file on the server can be compromised, the data that can be written is limited, which reduces the effectiveness of this exploit. However, under certain circumstances it *MAY* be possible to obtain root access.

Vulnerable Version:

This vulnerability is believed to exist in all versions prior to the fixed versions below.

Fixed Version:

This vulnerability was patched in cPanel versions 11.50.0.27, 11.48.4.6 & 11.46.3.8.

Vendor Contact Timeline:

2015-05-19: Vendor contacted via email.
2015-05-19: Vendor confirms vulnerability.
2015-07-20: Vendor issues updates to all builds.
2015-07-23: RACK911 Labs issues security advisory.

cPanel – Force Password Change Symlink Privilege Escalation (R911-0183)

July 23rd, 2015

Type: Privilege Escalation (Symlink)
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.50.0.27, 11.48.4.6 & 11.46.3.8
CVE: -
R911: 0183
Date: 2015-07-23
By: RACK911 Labs

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is part of the cPanel software and is often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to perform a symlink attack against key files on the server to escalate their privileges to root access. This is allowed to happen during the Force Password Change function that performs various root file operations within the user home directory.

Note:

The cPanel advisory (intentionally) understates the severity of this vulnerability! Interactive root access can be obtained in a matter of seconds.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability is believed to exist in all versions prior to the fixed versions below.

Fixed Version:

This vulnerability was patched in cPanel versions 11.50.0.27, 11.48.4.6 & 11.46.3.8.

Vendor Contact Timeline:

2015-05-14: Vendor contacted via email.
2015-05-15: Vendor confirms vulnerability.
2015-07-20: Vendor issues updates to all builds.
2015-07-23: RACK911 Labs issues security advisory.

cPanel – Backup Symlink Privilege Escalation (R911-0182)

July 23rd, 2015

Type: Privilege Escalation (Symlink)
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.50.0.27, 11.48.4.6 & 11.46.3.8
CVE: -
R911: 0182
Date: 2015-07-23
By: RACK911 Labs

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is part of the cPanel software and is often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to perform a symlink attack against key files on the server to escalate their privileges to root access. This is allowed to happen during the Generate Full Backup function that performs various root file operations within the user home directory.

Note:

The cPanel advisory (intentionally) understates the severity of this vulnerability! Interactive root access can be obtained in a matter of seconds.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability is believed to exist in all versions prior to the fixed versions below.

Fixed Version:

This vulnerability was patched in cPanel versions 11.50.0.27, 11.48.4.6 & 11.46.3.8.

Vendor Contact Timeline:

2015-05-14: Vendor contacted via email.
2015-05-14: Vendor confirms vulnerability.
2015-07-20: Vendor issues updates to all builds.
2015-07-23: RACK911 Labs issues security advisory.
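
The three cPanel advisories above share one root cause: a root-privileged routine (password change, forced password change, full backup) operates on paths inside a user-writable home directory, where the user can plant a symlink or hardlink so that root's write lands on a file elsewhere. The following is an added illustration of the defensive pattern, not code from cPanel or RACK911 Labs: open with O_NOFOLLOW, then check the inode actually opened with fstat (regular file, expected owner, link count of 1) before using it. The function names and the temporary-directory fixture are this example's own assumptions.

```python
import errno, os, stat, tempfile

class UnsafePath(Exception):
    """Raised when the target is not the user's own plain, unlinked file."""
    def __init__(self, reason, path):
        super().__init__("%s: %s" % (reason, path))
        self.reason = reason

def open_user_file(path, expected_uid, flags=os.O_RDONLY):
    """Open path for a privileged caller; returns a file descriptor or raises UnsafePath."""
    # O_NOFOLLOW: the kernel rejects a final-component symlink (ELOOP) instead of
    # following it, so there is no lstat-then-open race for the user to win.
    try:
        fd = os.open(path, flags | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise UnsafePath("symlink", path) from exc
        raise
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePath("not-regular", path)
        if st.st_uid != expected_uid:
            raise UnsafePath("wrong-owner", path)
        if st.st_nlink != 1:  # a hardlink is a second name for the same inode;
            raise UnsafePath("hardlink", path)  # writes through it land elsewhere
    except BaseException:
        os.close(fd)
        raise
    return fd

def classify(path, expected_uid):
    """'ok' if open_user_file accepts path, otherwise the rejection reason."""
    try:
        os.close(open_user_file(path, expected_uid))
    except UnsafePath as exc:
        return exc.reason
    return "ok"

def demo():
    """Constructed fixture: a plain file, a symlink and a hardlink to a file outside the 'home'."""
    home, other = tempfile.mkdtemp(), tempfile.mkdtemp()
    outside = os.path.join(other, "outside.txt")  # stands in for a system file
    for p, text in ((outside, "sensitive\n"), (os.path.join(home, "plain.txt"), "mine\n")):
        with open(p, "w") as f:
            f.write(text)
    os.symlink(outside, os.path.join(home, "sym.txt"))
    os.link(outside, os.path.join(home, "hard.txt"))
    names = ("plain", "sym", "hard")
    return {n: classify(os.path.join(home, n + ".txt"), os.getuid()) for n in names}
```

The same checks belong in any root-run maintenance job that walks user-owned trees (the CageFS tmpwatch case further down is the deletion variant), and a directory walk should additionally use descriptor-relative operations so that intermediate path components cannot be swapped for symlinks between the check and the use.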

CloudLinux – CageFS Tmpwatch Arbitrary File Deletion (R911-0181)

July 5th, 2015

Type: Arbitrary File Deletion
Location: Local
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: CageFS 5.3-6
Fixed Version: CageFS 5.4-1
CVE: -
R911: 0181
Date: 2015-07-05
By: RACK911 Labs

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows CPU and memory to be controlled on a per-tenant basis and serves as the basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments.

Vulnerability Description:

The tmpwatch function of CloudLinux is supposed to clear out temporary files within user directories stored under CageFS. Because the process is invoked through the system shell, it ends up running as root instead of as the user, which can lead to arbitrary files being deleted elsewhere on the server.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that system files and other user files can be deleted.

Vulnerable Version:

This vulnerability was tested against CloudLinux CageFS 5.3-6 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux CageFS 5.4-1.

Special Note:

We would like to take a moment to thank the developers of CloudLinux for their always prompt updates in patching the security vulnerabilities we report. While we understand that no developer would like to have security vulnerabilities present, CloudLinux always takes responsibility, and its developers are some of the most dedicated we have interacted with. Kudos to them!

Vendor Contact Timeline:

2015-06-26: Vendor contacted via email.
2015-06-26: Vendor confirms vulnerability.
2015-07-02: Vendor issues update.
2015-07-05: RACK911 Labs issues advisory.

SolusVM – Edit DNS Stored XSS Vulnerability (R911-0180)

June 13th, 2015

Type: Stored XSS
Location: Remote
Impact: Low
Product: SolusVM
Website: http://www.solusvm.com
Vulnerable Version: 1.16.10
Fixed Version: 1.16.11
CVE: -
R911: 0180
Date: 2015-06-13
By: RACK911 Labs

Product Description:

Solus Virtual Manager (SolusVM) is a powerful GUI-based VPS management system with full OpenVZ, Linux KVM, Xen Paravirtualization and Xen HVM support. SolusVM allows you and your clients to manage a VPS cluster with security and ease.

Vulnerability Description:

Due to user input not being sanitized, it is possible for a malicious user to embed HTML code within the Edit DNS feature (PowerDNS) that can then be turned into an XSS vulnerability.

Impact:

We have deemed this vulnerability to be rated as LOW due to the fact that the DEFAULT settings have proper protection to reduce the risk of an admin level compromise.

Vulnerable Version:

This vulnerability was tested against SolusVM 1.16.10 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in SolusVM 1.16.11.

Vendor Contact Timeline:

2015-06-10: Vendor contacted via email.
2015-06-10: Vendor confirms vulnerability.
2015-06-11: Vendor issues updates to all builds.
2015-06-13: RACK911 Labs issues security advisory.

SolusVM – Reseller Panel Arbitrary Command Execution (R911-0179)

June 13th, 2015

Type: Arbitrary Command Execution
Location: Remote
Impact: High
Product: SolusVM
Website: http://www.solusvm.com
Vulnerable Version: 1.16.10
Fixed Version: 1.16.11
CVE: -
R911: 0179
Date: 2015-06-13
By: RACK911 Labs

Product Description:

Solus Virtual Manager (SolusVM) is a powerful GUI-based VPS management system with full OpenVZ, Linux KVM, Xen Paravirtualization and Xen HVM support. SolusVM allows you and your clients to manage a VPS cluster with security and ease.

Vulnerability Description:

Due to user input not being sanitized, it is possible for a malicious reseller to run arbitrary commands on the master node as the root user.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against SolusVM 1.16.10 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in SolusVM 1.16.11.

Vendor Contact Timeline:

2015-06-10: Vendor contacted via email.
2015-06-10: Vendor confirms vulnerability.
2015-06-11: Vendor issues updates to all builds.
2015-06-13: RACK911 Labs issues security advisory.

Vision HelpDesk – Various Modules Local File Inclusions (R911-0178)

May 23rd, 2015

Type: Local File Inclusion(s)
Location: Local
Impact: High
Product: Vision HelpDesk
Website: https://www.visionhelpdesk.com
Vulnerable Version: All prior versions.
Fixed Version: 4.1.2
CVE: -
R911: 0178
Date: 2015-05-23
By: RACK911 Labs

Product Description:

Vision Helpdesk is the only web-based help desk software that allows support for multiple companies to be managed in one place, with a single staff portal for all companies and a separate client portal for each company.

Vulnerability Description:

Various modules within Vision HelpDesk suffer from typical local file inclusion flaws that could lead to a compromise under certain circumstances. Most of the risk arises when the software is installed in a shared hosting environment, which is highly probable as it is bundled with the popular Softaculous one-click installer.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the entire help desk can be compromised if this vulnerability were successfully exploited.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 4.0.2 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 4.1.2.

Vendor Contact Timeline:

2015-05-17: Vendor contacted via email.
2015-05-17: Vendor confirms vulnerability.
2015-05-23: Vendor issues updates to all builds.
2015-05-23: RACK911 Labs issues security advisory.

Vision HelpDesk – User Images Input Validation Failure (R911-0177)

May 23rd, 2015

Type: Input Validation Failure
Location: Remote
Impact: Low
Product: Vision HelpDesk
Website: https://www.visionhelpdesk.com
Vulnerable Version: All prior versions.
Fixed Version: 4.1.2
CVE: -
R911: 0177
Date: 2015-05-23
By: RACK911 Labs

Product Description:

Vision Helpdesk is the only web-based help desk software that allows support for multiple companies to be managed in one place, with a single staff portal for all companies and a separate client portal for each company.

Vulnerability Description:

Due to an input validation failure, it is possible for a malicious user to remove the profile images belonging to other users without authorization.

Impact:

We have deemed this vulnerability to be rated as LOW due to the fact that no sensitive information can be obtained if this vulnerability were to be exploited.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 4.0.2 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 4.1.2.

Vendor Contact Timeline:

2015-05-17: Vendor contacted via email.
2015-05-17: Vendor confirms vulnerability.
2015-05-23: Vendor issues updates to all builds.
2015-05-23: RACK911 Labs issues security advisory.

Vision HelpDesk 4 – Client Area XSS Vulnerabilities (R911-0176)

May 1st, 2015

Type: XSS
Location: Remote
Impact: High
Product: Vision HelpDesk
Website: http://www.thevisionworld.com/
Vulnerable Version: 4.0.0
Fixed Version: 4.0.2
CVE: -
R911: 0176
Date: 2015-05-01
By: RACK911 Labs

Product Description:

Vision Helpdesk is the only web-based help desk software that allows support for multiple companies to be managed in one place, with a single staff portal for all companies and a separate client portal for each company.

Vulnerability Description:

There are numerous fields within the client area that accept HTML code, which allows XSS attacks to be performed against staff when they are logged into the admin panel. The possibility of hijacking an admin account by stealing cookies via an XSS attack is a real threat.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that staff / admin accounts can be hijacked.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 4.0.0 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 4.0.2.

Vendor Contact Timeline:

2015-04-22: Vendor contacted via email.
2015-04-23: Vendor confirms vulnerability.
2015-05-01: Vendor issues updates to all builds.
2015-05-01: RACK911 Labs issues security advisory.

IP.Board 3.3.x & 3.4.x – Messenger Directories Input Validation Failure (R911-0175)

May 1st, 2015

Type: Input Validation
Location: Remote
Impact: High
Product: IP.Board
Website: https://www.invisionpower.com/apps/board/
Vulnerable Version: 3.3.x & 3.4.x
CVE: -
R911: 0175
Date: 2015-05-01
By: RACK911 Labs

Product Description:

Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an Internet forum software produced by Invision Power Services, Inc. It is written in PHP and primarily uses MySQL as a database management system, although support for other database engines is available.

Vulnerability Description:

Due to an input validation failure, it is possible for a malicious user to remove / add any message directory belonging to another user.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user can incrementally go through an IP.Board site and wipe out the default message directory of every user.

Vulnerable Version:

This vulnerability was tested against IP.Board 3.4.7 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in IP.Board 3.3.x & 3.4.x via a security update which can be downloaded from the vendor's website:

http://community.invisionpower.com/blogs/entry/9729-ipboard-33x-34x-security-update/

Vendor Contact Timeline:

2015-04-23: Vendor contacted via email.
2015-04-24: Vendor confirms vulnerability.
2015-05-01: Vendor issues patches.
2015-05-01: RACK911 Labs issues security advisory.