Archive for June, 2013

CloudLinux vs BetterLinux Security (Default Settings)

Friday, June 28th, 2013

Here is a comparison of CloudLinux vs BetterLinux with default settings to show the differences in terms of security. We have chosen to leave the default settings intact because as a lot of you know, some people simply cannot be bothered to read a manual and make the necessary changes.

For test purposes, we have created two new cPanel accounts: one called “cloud”, which represents CloudLinux + CageFS, and the other called “better”, which represents BetterLinux + CloakFS. Both users are using a standard bash shell, not the cPanel Jailshell.

The first comparison is how well processes are isolated from the rest of the system and from other users. Let’s take a look and see how many processes each user can view.

cloud@cl [~]# ps aux | wc -l
6
cloud@cl [~]#

CloudLinux: 6 processes.

better@bl [~]# ps aux | wc -l
114
better@bl [~]#

BetterLinux: 114 processes.

Thoughts:

With CloudLinux, users are only able to see their own processes; they cannot see any root-owned processes or processes belonging to other hosting users. BetterLinux, on the other hand, lets the user see every root-owned process and everything else on the system apart from other hosting users’ processes. (We have found exploits in the past that were timing based; CloudLinux prevented them, whereas BetterLinux would not. There is no reason to allow users to see other processes!)

The next comparison is what directories the users have access to. This test was done via SSH, but the same conditions apply to cron jobs, which are another one of our favourite exploit techniques when we cannot use SSH access.

cloud@cl [~]# ls /
./ ../ bin/ dev/ etc/ home/ lib/ lib64/ opt/ proc/ sbin/ scripts@ tmp/ usr/ var/
cloud@cl [~]#

better@bl [~]# ls /
./ .autofsck base/ boot/ cgroups_cpuset/ etc/ lib/ lost+found/ mnt/ proc/ sbin/ selinux/ sys/ usr/
../ .autorelabel bin/ cgroups_blockio/ dev/ home/ lib64/ media/ opt/ root/ scripts@ srv/ tmp/ var/
better@bl [~]#

Thoughts:

With CloudLinux, users see a heavily modified file system structure that is basically a jailed environment with the bare minimum of files and directories available for access. BetterLinux, on the other hand, allows the user to see every directory and every file. (Both prevent the user from viewing files owned by other hosting users.)

The next comparison is what files can be viewed by the users. While obviously nothing dangerous can be viewed, one ultimately wants to limit how much information is made available to untrusted users. The less information, the better!

cloud@cl [~]# cat /etc/passwd | tail -n5
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mysql:x:498:499:MySQL server:/var/lib/mysql:/bin/bash
cloud:x:617:616::/home/cloud:/bin/bash
cloud@cl [~]#

better@bl [~]# cat /etc/passwd | tail -n5
hax1:x:501:502::/home/hax1:/bin/bash
hax2:x:502:503::/home/hax2:/bin/bash
hax3:x:503:504::/home/hax3:/usr/local/cpanel/bin/noshell
hax4:x:504:505::/home/hax4:/usr/local/cpanel/bin/noshell
better:x:505:506::/home/better:/bin/bash
better@bl [~]#

Thoughts:

With CloudLinux, users are only able to see system users and their own account in /etc/passwd, whereas BetterLinux lists every other hosting user on the server. If you’re a malicious user trying to gather a list of other accounts to attack, or just gathering information for other purposes, the ability to list /etc/passwd would be extremely helpful.

cloud@cl [~]# cat /etc/named.conf
cat: /etc/named.conf: No such file or directory
cloud@cl [~]#

better@bl [~]# cat /etc/named.conf | wc -l
181
better@bl [~]#

Thoughts:

With CloudLinux, users are not able to view the named configuration file, whereas BetterLinux allows the user to view the file in all its glory, which ultimately lists every domain configured on the server or used in a DNS cluster. (This is sensitive information that does not need to be viewable by the user.)

cloud@cl [~]# find /var/log -perm 644
cloud@cl [~]#

better@bl [~]# find /var/log -perm 644
/var/log/dmesg
/var/log/chkservd.log
/var/log/xferlog.offsetftpsep
/var/log/bandwidth/current
/var/log/bandwidth/version
/var/log/bandwidth/ipmap
/var/log/bandwidth/2013/Jun/27
/var/log/bandwidth/2013/Jun/28
/var/log/bandwidth/lasttime
/var/log/sa/sar27
/var/log/sa/sa28
/var/log/sa/sa27
/var/log/boot.log
/var/log/dracut.log
/var/log/cpanel-install.log
/var/log/lastlog
/var/log/xferlog.offset
/var/log/dmesg.old
better@bl [~]#

Thoughts:

With CloudLinux, users cannot see any log files, whereas BetterLinux allows the user to see a handful of files which could ultimately contain information that is helpful to an attacker, particularly the dmesg logs and lastlog. (The last command doesn’t even work with CloudLinux, whereas BetterLinux will show the users who recently logged in along with their IP addresses.)

The final comparison is the most important one: which software will stop an attacker from exploiting a SUID binary to ultimately gain root access on the server? So many of the security vulnerabilities we find involve SUID binaries, so it is extremely important for us to use software that prevents a normal user from escalating their privileges.

For test purposes, the exploit file was created by us, but it’s still a real-world example. Hypothetically, replace “exploit” with “exim”, which has the SUID flag set and is executable by the user. If there were ever an exploit in Exim, the following scenario would still apply.

cloud@cl [~]# ls -la exploit
-rwsr-xr-x 1 root root 6912 Jun 28 11:15 exploit*
cloud@cl [~]# ./exploit
cloud@cl [~]# id
uid=617(cloud) gid=616(cloud) groups=616(cloud)
cloud@cl [~]#

better@bl [~]# ls -la exploit
-rwsr-xr-x 1 root root 6912 Jun 28 11:15 exploit*
better@bl [~]# ./exploit
root@bl [~]# id
uid=0(root) gid=0(root) groups=0(root)
root@bl [~]#

Thoughts:

With CloudLinux, a user cannot elevate their privileges, thus stopping the exploit dead in its tracks. BetterLinux, on the other hand, allowed the exploit to run, which ultimately led to a root compromise. Keeping in mind that this is a default setup for both, it is absolutely insane for BetterLinux not to have SUID protection enabled by default.
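As an added example (not part of the original post), here is a small exposure audit that a hosting provider can run from inside an ordinary customer account to check the same points the comparison above tests. Every function takes its input as a path, so it can be pointed at the live /etc/passwd, /var/log and /proc/mounts or, as the demo does, at constructed fixtures; the UID threshold of 500, the passwd and mounts sample lines and the log file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): an exposure audit a hosting
# provider can run from inside an ordinary customer account, covering the same
# points the comparison above tests: other hosting users visible in
# /etc/passwd, world-readable logs, SUID binaries, a nosuid home filesystem and
# visible processes. Inputs are paths so the functions run against the live
# system or against constructed fixtures (as demo does).

# Hosting users in passwd-format file $1: UID >= $2 (default 500) with a home
# under /home. Anything beyond the caller's own login should have been hidden.
list_hosting_users() {
    awk -F: -v min="${2:-500}" '$3 >= min && $6 ~ /^\/home\// { print $1 }' "$1"
}

# Regular files under $1 readable by "other". The post searches for -perm 644;
# -perm -004 also catches 664, 755 and similar modes.
list_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# SUID files under $1; root-owned ones are what the final comparison is about.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Succeeds when mount point $2 is listed in /proc/mounts-style file $1 with the
# nosuid option, so a SUID file dropped there is not honoured by the kernel.
is_mounted_nosuid() {
    awk -v mp="$2" '$2 == mp && ("," $4 ",") ~ /,nosuid,/ { found = 1 }
                    END { exit found ? 0 : 1 }' "$1"
}

# Processes visible to this account, excluding the ps header line.
count_visible_processes() {
    command -v ps >/dev/null 2>&1 || { echo 0; return; }
    ps aux 2>/dev/null | awk 'NR > 1' | wc -l | tr -d ' '
}

# Demo on constructed data (not real server output) so it runs anywhere.
demo() {
    t=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'named:x:25:25:Named:/var/named:/sbin/nologin' \
        'hax1:x:501:502::/home/hax1:/bin/bash' \
        'better:x:505:506::/home/better:/bin/bash' > "$t/passwd"
    printf '/dev/sda3 /home ext4 rw,nosuid,nodev 0 0\n' > "$t/mounts"
    mkdir "$t/log"; : > "$t/log/dmesg"; chmod 644 "$t/log/dmesg"
    : > "$t/log/secure"; chmod 600 "$t/log/secure"
    echo "hosting users: $(list_hosting_users "$t/passwd" | tr '\n' ' ')"
    echo "world-readable logs: $(list_world_readable "$t/log" | tr '\n' ' ')"
    is_mounted_nosuid "$t/mounts" /home && echo "/home is mounted nosuid"
    echo "processes visible: $(count_visible_processes)"
    rm -rf "$t"
}
demo
```

On a real server, run it as the customer user with the live paths; a jail such as CageFS should leave list_hosting_users and list_world_readable empty apart from the caller's own entries.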

WHMXtra – Privilege Escalation #2 (R911-0034)

Wednesday, June 26th, 2013

Type: Privilege Escalation
Impact: Critical
Product: WHMXtra
Website: http://www.whmxtra.com
Vulnerable Version: G2 v2.6 and earlier.
Fixed Version: G2 v2.7
CVE: -
R911: 0034
Date: 2013-06-26
By: http://www.rack911.com

Product Description:

WHMXtra can install FFMPEG, firewalls, ddos protection, fix mysql issues, search for illegal files or processes, monitor your server and much much more. Browse the entire server filesystem via one of our built in file managers, upload/download files, create multiple accounts, check memory and CPU usage and even get tips on improving your servers performance.

Vulnerability Description:

For some unexplainable reason, WHMXtra modifies the sudo permissions to allow anyone to use chown or chmod as root, which would ultimately allow the attacker to give themselves root access.
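As an added example (not from the advisory or the vendor), the following audits a sudoers-format file for the kind of rule described above: one that lets a non-root user, or ALL, run chown, chmod or ALL as root. The exact rule WHMXtra added is not given in the advisory, so the sample rules are constructed, and the parser assumes the plain one-line form `who host=(runas) [TAG:] cmd, cmd`, skipping Defaults, alias definitions and comments.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a sudoers-format file for the
# kind of rule described above, i.e. one that lets a non-root user (or ALL)
# run chown, chmod or ALL as root. The exact rule WHMXtra added is not given
# in the advisory, so the sample written by write_sample_sudoers is
# constructed. Assumes the plain one-line form
#   who host=(runas) [TAG:] cmd, cmd   (Defaults, aliases, comments skipped)
# and treats a missing (runas) as root, which is sudo's default.

# Print each risky rule in sudoers-format file $1, one per line.
find_risky_sudo_rules() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        /^[[:space:]]*(Defaults|[A-Za-z_]+_Alias)/ { next }
        {
            if ($1 == "root") next                 # root already is root
            line = $0
            sub(/^[^=]*=[[:space:]]*/, "", line)   # keep the part after "="
            runas = "root"
            if (match(line, /^\([^)]*\)/)) {       # explicit (runas) list
                runas = substr(line, 2, RLENGTH - 2)
                line = substr(line, RLENGTH + 1)
            }
            gsub(/[,:]/, " ", runas)
            if ((" " runas " ") !~ / (root|ALL) /) next
            gsub(/(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):/, "", line)
            n = split(line, cmds, ",")
            for (i = 1; i <= n; i++) {
                base = cmds[i]
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", base)
                sub(/[[:space:]].*/, "", base)     # drop arguments
                sub(/.*\//, "", base)              # basename of the command
                if (base == "ALL" || base == "chown" || base == "chmod") {
                    print $0; next
                }
            }
        }' "$1"
}

# Constructed sample rules (not a real sudoers file) for the demo and tests.
write_sample_sudoers() {
    printf '%s\n' \
        '# constructed sample' \
        'Defaults    env_reset' \
        'Cmnd_Alias  SERVICES = /sbin/service' \
        'root        ALL=(ALL) ALL' \
        '%wheel      ALL=(ALL) ALL' \
        'ALL         ALL=(root) NOPASSWD: /bin/chown, /bin/chmod' \
        'deploy      ALL=(www-data) NOPASSWD: /bin/chmod' \
        'backup      ALL=(root) NOPASSWD: /usr/bin/rsync' > "$1"
}

demo() {
    t=$(mktemp -d)
    write_sample_sudoers "$t/sudoers"
    echo "risky rules:"; find_risky_sudo_rules "$t/sudoers"
    rm -rf "$t"
}
demo
```

The %wheel line is flagged too because ALL includes chown and chmod; on a real box that rule is usually expected, and the unexpected entries, such as the ALL rule for chown/chmod, are the ones to look at (run it against /etc/sudoers and /etc/sudoers.d/* as root).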

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against WHMXtra G2 v2.6 and is believed to exist in previous versions.

Fixed Version:

This vulnerability was patched in WHMXtra G2 v2.7.

Vendor Contact Timeline:

2013-06-12: Vendor contacted via email.
2013-06-12: Vendor confirms vulnerability.
2013-06-12: Vendor issues G2 v2.7 update.
2013-06-26: Rack911 issues security advisory.

RVSkin – Privilege Escalation (R911-0033)

Monday, June 24th, 2013

Type: Privilege Escalation
Impact: Medium
Product: RVSkin
Website: http://www.rvskin.com
Vulnerable Version: v10.77
Fixed Version: v10.78
CVE: -
R911: 0033
Date: 2013-06-24
By: http://www.rack911.com

Product Description:

RVSkin is an advanced skin for use in a web server control panel. The skin software provides multi-language, multi-theme, and many intelligent features to give you a unique interface that differentiates your business. It’s easy to use and worth the investment.

Vulnerability Description:

There is a privilege escalation in RVSkin due to incorrect environment handling within the rvwrapper binary that allows an attacker to modify other cPanel accounts. This flaw is able to exist because rvwrapper is SUID to securervskin, which can read the root WHM access key.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that users can make unauthorized changes to other cPanel accounts.

Vulnerable Version:

This vulnerability was tested against RVSkin v10.77.

Fixed Version:

This vulnerability was patched in RVSkin v10.78.

Vendor Contact Timeline:

2013-06-04: Vendor contacted via email.
2013-06-04: Vendor confirms vulnerability.
2013-06-04: Vendor issues update.
2013-06-24: Rack911 issues security advisory.

RVSiteBuilder – Content Manipulation (Root Access) (R911-0032)

Monday, June 24th, 2013

Type: Content Manipulation (Root Access)
Impact: High
Product: RVSiteBuilder
Website: http://www.rvsitebuilder.com
Vulnerable Version: 5.0.31
Fixed Version: 5.0.33
CVE: -
R911: 0032
Date: 2013-06-24
By: http://www.rack911.com

Product Description:

RVSiteBuilder is browser-based site-building software that installs directly into cPanel. Its easy-to-follow workflow, social media plugins, and robust content management features make it easy for even non-programmers to create, market, and maintain a high-end web presence.

Vulnerability Description:

There is a flaw within RVSiteBuilder that allows an attacker to perform a symlink attack against certain files that will then be overwritten and have the ownership changed to the user.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be deleted and/or ownership changed that could lead to a root compromise.

Vulnerable Version:

This vulnerability was tested against RVSiteBuilder v5.0.31 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in RVSiteBuilder v5.0.33.

Vendor Contact Timeline:

2013-06-05: Vendor contacted via email.
2013-06-05: Vendor confirms vulnerability.
2013-06-17: Vendor issues update.
2013-06-24: Rack911 issues security advisory.

RVSiteBuilder – Content Disclosure (Root Access) (R911-0031)

Monday, June 24th, 2013

Type: Content Disclosure (Root Access)
Impact: High
Product: RVSiteBuilder
Website: http://www.rvsitebuilder.com
Vulnerable Version: 5.0.31
Fixed Version: 5.0.33
CVE: -
R911: 0031
Date: 2013-06-24
By: http://www.rack911.com

Product Description:

RVSiteBuilder is browser-based site-building software that installs directly into cPanel. Its easy-to-follow workflow, social media plugins, and robust content management features make it easy for even non-programmers to create, market, and maintain a high-end web presence.

Vulnerability Description:

There is a flaw within a certain RVSiteBuilder file, accessible to resellers, that allows an attacker to read any file on the server regardless of ownership by using a hardlink to the target file.

Note: This flaw is allowed to exist because of a fundamental security failure within WHM that executes all plugins as root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow.

Vulnerable Version:

This vulnerability was tested against RVSiteBuilder v5.0.31 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in RVSiteBuilder v5.0.33.

Vendor Contact Timeline:

2013-06-05: Vendor contacted via email.
2013-06-05: Vendor confirms vulnerability.
2013-06-17: Vendor issues update.
2013-06-24: Rack911 issues security advisory.

Virtualizor – Privilege Escalation (R911-0030)

Monday, June 24th, 2013

Type: Privilege Escalation
Impact: High
Product: Virtualizor
Website: http://www.virtualizor.com
Vulnerable Version: 2.3.0
Fixed Version: 2.3.1
CVE: -
R911: 0030
Date: 2013-06-24
By: http://www.safeornot.net / http://www.rack911.com

Product Description:

Virtualizor is a powerful web-based VPS control panel. It supports OpenVZ, Xen PV, Xen HVM and Linux KVM virtualization. Admins can create a VPS on the fly at the click of a button, and VPS users can start, stop, restart and manage their VPS using a very advanced web-based GUI.

Vulnerability Description:

Virtualizor suffers from an SQL injection that allows an attacker to escalate their privileges to gain root access.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can obtain root access.

Vulnerable Version:

This vulnerability was tested against Virtualizor v2.3.0 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was fixed in Virtualizor v2.3.1.

Vendor Contact Timeline:

2013-06-21: Vendor contacted via email.
2013-06-21: Vendor confirms vulnerability.
2013-06-21: Vendor issues 2.3.1 update.
2013-06-24: Safe or Not / Rack911 issues security advisory.

Virtualizor – CSRF (Add Admin) (R911-0029)

Wednesday, June 19th, 2013

Type: CSRF (Add Admin)
Impact: High
Product: Virtualizor
Website: http://www.virtualizor.com/
Vulnerable Version: 2.2.9
Fixed Version: 2.3.0
CVE: -
R911: 0029
Date: 2013-06-19
By: http://www.rack911.com

Product Description:

Virtualizor is a powerful web-based VPS control panel. It supports OpenVZ, Xen PV, Xen HVM and Linux KVM virtualization. Admins can create a VPS on the fly at the click of a button, and VPS users can start, stop, restart and manage their VPS using a very advanced web-based GUI.

Vulnerability Description:

A CSRF (Cross Site Request Forgery) exists in the default settings of Virtualizor that would allow an attacker to create a new administrator account should a legitimate administrator view a website containing the malicious code.

Proof of Concept:

Due to the nature of this vulnerability, we will not be releasing a POC until a much later date, after everyone has updated.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user would be able to obtain administrative access.

Vulnerable Version:

This vulnerability was tested against Virtualizor v2.2.9.

Fixed Version:

This vulnerability was fixed in Virtualizor v2.3.0.

Vendor Contact Timeline:

2013-05-21: Vendor contacted via email.
2013-05-22: Vendor confirms vulnerability.
2013-06-13: Vendor issues 2.3.0 update.
2013-06-19: Rack911 issues security advisory.

DirectAdmin – Privilege Escalation #2 (R911-0028)

Wednesday, June 19th, 2013

Type: Privilege Escalation #2
Impact: Critical
Product: DirectAdmin
Website: http://www.directadmin.com
Vulnerable Version: v1.43
Fixed Version: v1.431
CVE: -
R911: 0028
Date: 2013-06-19
By: http://www.rack911.com

Product Description:

DirectAdmin is a graphical web-based web hosting control panel designed to make administration of websites easier.

Vulnerability Description:

There is a flaw within the backup system, when combined with the email account function, that allows an attacker to use a symlink to gain ownership of any directory, including the /etc directory, which would lead to a root compromise.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against DirectAdmin v1.43.

Fixed Version:

This vulnerability was patched in DirectAdmin v1.431.

Vendor Contact Timeline:

2013-06-09: Vendor contacted via email.
2013-06-10: Vendor confirms vulnerability.
2013-06-10: Vendor issues v1.431 #1 update.
2013-06-19: Rack911 issues security advisory.

DirectAdmin – Privilege Escalation #1 (R911-0027)

Wednesday, June 19th, 2013

Type: Privilege Escalation #1
Impact: Critical
Product: DirectAdmin
Website: http://www.directadmin.com
Vulnerable Version: v1.43
Fixed Version: v1.431
CVE: -
R911: 0027
Date: 2013-06-19
By: http://www.rack911.com

Product Description:

DirectAdmin is a graphical web-based web hosting control panel designed to make administration of websites easier.

Vulnerability Description:

There is a flaw within the backup system that allows an attacker to use a carefully crafted symlink to overwrite any file on the server with their own content.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against DirectAdmin v1.43.

Fixed Version:

This vulnerability was patched in DirectAdmin v1.431.

Vendor Contact Timeline:

2013-06-16: Vendor contacted via email.
2013-06-17: Vendor confirms vulnerability.
2013-06-17: Vendor issues v1.431 #2 update.
2013-06-19: Rack911 issues security advisory.

Zamfoo – Privilege Escalation (R911-0026)

Monday, June 17th, 2013

Type: Privilege Escalation
Impact: Critical
Product: Zamfoo
Website: http://www.zamfoo.com
Vulnerable Version: v11.7
Fixed Version: -
CVE: -
R911: 0026
Date: 2013-06-17
By: http://www.rack911.com

Product Description:

The ZamFoo software suite is a series of WHM plugin modules (also known as WHM addon modules) catered towards easing the burden of web hosting providers that sell shared hosting solutions using the Cpanel and WHM hosting platform. Hundreds of companies use our software to create Alpha WHM and create Master WHM hosting accounts.

Vulnerability Description:

Due to a series of ACL failures and a failure to sanitize input, a malicious reseller can access the restore feature in Zamfoo and, using a certain URL, have the software execute commands as root.

Proof of Concept:

Another security researcher has already issued a working proof of concept, so we do not see the need to include one in this advisory.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a reseller user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against Zamfoo v11.7 and is believed to exist in all versions.

Fixed Version:

It took the developer two weeks to come up with a patch and we have determined that the patch does not work and that this flaw is still present in the software. Additionally, it has been brought to our attention that several more root level exploits are present in Zamfoo so we must urge everyone to uninstall this software:

cd /root
wget http://www.zamfoo.com/downloads/zamfoo_uninstaller.tar
tar -xvf zamfoo_uninstaller.tar
chmod +x uninstall.cgi
./uninstall.cgi

Just to be sure:

rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/zamfoo

Vendor Contact Timeline:

2013-05-31: Vendor contacted via email.
2013-06-03: Vendor contacted via email again.
2013-06-03: Vendor confirms vulnerability.
2013-06-13: Vendor contacted via email seeking update.
2013-06-13: Vendor states a patch is “to be” worked on.
2013-06-13: Rack911 issues warning to disable software.
2013-06-13: Vendor threatens to sue.
2013-06-15: Vendor issues patch two weeks from initial contact.
2013-06-15: Rack911 defeats patch within 5 minutes.
2013-06-17: Rack911 issues a general security advisory.