Archive for June, 2013

Zamfoo – ACL Bypass (R911-0025)

Monday, June 17th, 2013

Type: Privilege Escalation
Impact: Critical
Product: Zamfoo
Website: http://www.zamfoo.com
Vulnerable Version: v11.7
Fixed Version: -
CVE: -
R911: 0025
Date: 2013-06-17
By: http://www.rack911.com

Product Description:

The ZamFoo software suite is a series of WHM plugin modules (also known as WHM addon modules) catered towards easing the burden of web hosting providers that sell shared hosting solutions using the Cpanel and WHM hosting platform. Hundreds of companies use our software to create Alpha WHM and create Master WHM hosting accounts.

Vulnerability Description:

Due to a series of ACL failures, a reseller user can access numerous Zamfoo files under WHM, tamper with various settings intended for root and, in some cases, render the server inoperable.

Proof of Concept:

Another security researcher has already issued a working proof of concept, so we do not see the need to include one in this advisory.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user can render the server (ssh / su) inoperable by removing the limits.conf file.

Vulnerable Version:

This vulnerability was tested against Zamfoo v11.7 and is believed to exist in all versions.

Fixed Version:

It took the developer two weeks to come up with a patch and we have determined that the patch does not work and that this flaw is still present in the software. Additionally, it has been brought to our attention that several more root level exploits are present in Zamfoo so we must urge everyone to uninstall this software:

cd /root
wget http://www.zamfoo.com/downloads/zamfoo_uninstaller.tar
tar -xvf zamfoo_uninstaller.tar
chmod +x uninstall.cgi
./uninstall.cgi

Just to be sure:

rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/zamfoo

Vendor Contact Timeline:

2013-05-31: Vendor contacted via email.
2013-06-03: Vendor contacted via email again.
2013-06-03: Vendor confirms vulnerability.
2013-06-13: Vendor contacted via email seeking update.
2013-06-13: Vendor states a patch is “to be” worked on.
2013-06-13: Rack911 issues warning to disable software.
2013-06-13: Vendor threatens to sue.
2013-06-15: Vendor issues patch two weeks from initial contact.
2013-06-15: Rack911 defeats patch within 5 minutes.
2013-06-17: Rack911 issues a general security advisory.

CloudLinux – Privilege Escalation (R911-0024)

Monday, June 17th, 2013

Type: Privilege Escalation
Impact: Critical
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: LVE Manager 0.6-10
Fixed Version: LVE Manager 0.6-11
CVE: -
R911: 0024
Date: 2013-06-17
By: http://www.rack911.com

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments.

Vulnerability Description:

Due to an ACL failure, an attacker can access a certain function of CloudLinux that was intended only for the root user. Because that function also fails to sanitize its input, the attacker can then manipulate it to run commands as root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against CloudLinux LVE Manager 0.6-10 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux LVE Manager 0.6-11.

Vendor Contact Timeline:

2013-06-04: Vendor contacted via email.
2013-06-04: Vendor confirms vulnerability.
2013-06-05: Vendor issues update.
2013-06-17: Rack911 issues security advisory.

CloudLinux – Content Destruction (R911-0023)

Monday, June 17th, 2013

Type: Content Destruction
Location: Local
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: LVE Manager 0.6-10
Fixed Version: LVE Manager 0.6-11
CVE: -
R911: 0023
Date: 2013-06-17
By: http://www.rack911.com

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments.

Vulnerability Description:

CloudLinux is vulnerable to a hardlink attack in the CageFS function that, when executed under ideal circumstances, would allow an attacker to overwrite any file on the server.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be overwritten which could potentially leave a server inoperable.

Vulnerable Version:

This vulnerability was tested against CloudLinux LVE Manager 0.6-10 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux LVE Manager 0.6-11.

Vendor Contact Timeline:

2013-06-04: Vendor contacted via email.
2013-06-04: Vendor confirms vulnerability.
2013-06-05: Vendor issues update.
2013-06-17: Rack911 issues security advisory.

cPanel – Content Manipulation (R911-0021)

Tuesday, June 11th, 2013

Type: Content Manipulation
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.38.0.15, 11.36.1.8, 11.34.1.18 & 11.32.6.7.
CVE: -
R911: 0021
Date: 2013-06-11
By: http://www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within WHM that allows an attacker to access a file used by the locale function that would allow them to modify certain content and possibly elevate privileges.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root owned content can be modified.

Vulnerable Version:

This vulnerability was tested against cPanel (WHM) v11.36.1.5 and v11.38.0.13 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in cPanel v11.38.0.15, v11.36.1.8, v11.34.1.18 & v11.32.6.7.

Vendor Contact Timeline:

2013-05-16: Vendor contacted via email.
2013-05-17: Vendor confirms vulnerability.
2013-06-05: Vendor issues updates to all builds.
2013-06-11: Rack911 issues security advisory.

WHMSonic – Privilege Escalation (R911-0020)

Monday, June 10th, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: WHMSonic
Website: http://www.whmsonic.com
Vulnerable Version: v2.1.9
Fixed Version: v2.1.9 (Hot Fix)
CVE: -
R911: 0020
Date: 2013-06-10
By: http://www.rack911.com

Product Description:

WHMSonic is a popular WHM/cPanel plugin (shoutcast control panel) intended to make your life easier. You can install it in seconds, and it allows you to offer shoutcast streaming media hosting, AutoDJ and radio reseller services from your dedicated or VPS server.

Vulnerability Description:

There is a flaw within the AutoDJ Playlist Manager that allows an attacker logged in as a reseller to manipulate WHMSonic to run commands as root.

Note: This flaw is allowed to exist because of a fundamental security failure within WHM that executes all plugins as root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against WHMSonic v2.1.9.

Fixed Version:

This vulnerability was patched in WHMSonic v2.1.9 (Hot Fix) update.

Vendor Contact Timeline:

2013-05-23: Vendor contacted via email.
2013-05-23: Vendor confirms vulnerability.
2013-05-23: Vendor issues v2.1.9 (Hot Fix) update.
2013-06-10: Rack911 issues security advisory.

WHMSonic – ACL Bypass (Root Access) (R911-0019)

Monday, June 10th, 2013

Type: ACL Bypass (Root Access)
Location: Local
Impact: High
Product: WHMSonic
Website: http://www.whmsonic.com
Vulnerable Version: v2.1.9
Fixed Version: v2.1.9 (Hot Fix)
CVE: -
R911: 0019
Date: 2013-06-10
By: http://www.rack911.com

Product Description:

WHMSonic is a popular WHM/cPanel plugin (shoutcast control panel) intended to make your life easier. You can install it in seconds, and it allows you to offer shoutcast streaming media hosting, AutoDJ and radio reseller services from your dedicated or VPS server.

Vulnerability Description:

There are multiple files accessible under WHMSonic by a reseller that should not be permitted. Access to these files can allow a wide range of changes to the overall configuration of WHMSonic and interfere with other users.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a normal user can access certain functions intended for the root user.

Vulnerable Version:

This vulnerability was tested against WHMSonic v2.1.9.

Fixed Version:

This vulnerability was patched in WHMSonic v2.1.9 (Hot Fix) update.

Vendor Contact Timeline:

2013-05-23: Vendor contacted via email.
2013-05-23: Vendor confirms vulnerability.
2013-05-23: Vendor issues v2.1.9 (Hot Fix) update.
2013-06-10: Rack911 issues security advisory.

Installatron – Privilege Escalation (R911-0018)

Monday, June 10th, 2013

Type: Privilege Escalation
Impact: Critical
Product: Installatron
Website: http://www.installatron.com
Vulnerable Version: v8.0.13
Fixed Version: v8.0.14
CVE: -
R911: 0018
Date: 2013-06-10
By: http://www.rack911.com

Product Description:

Installatron is a turn-key, state-of-the-art web application automation solution (also known as an auto installer or script installer) for web hosting control panel platforms.

Once installed on a control panel server, Installatron’s powerful, easy-to-use user-interface integrates seamlessly, enabling instant, one-click installs and upgrades, backups and restores, and other advanced features for a premier collection of only the best applications on the web.

Vulnerability Description:

There is a flaw within the Import feature of Installatron that allows an attacker to run commands as root. An attacker would then be able to set the necessary privileges and ownership of a carefully crafted file to gain access to a root shell.

Note: This flaw is allowed to exist because of a fundamental security failure within WHM that executes all plugins as root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against Installatron v8.0.13.

Fixed Version:

This vulnerability was patched in Installatron v8.0.14.

Vendor Contact Timeline:

2013-05-29: Vendor contacted via email.
2013-05-29: Vendor confirms vulnerability.
2013-05-29: Vendor issues v8.0.14 update.
2013-06-10: Rack911 issues security advisory.

WHMreseller – Privilege Escalation (R911-0017)

Thursday, June 6th, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: WHMreseller
Website: http://www.deasoft.com/whmreseller.php
Vulnerable Version: v1.4
Fixed Version: v1.4.112
CVE: -
R911: 0017
Date: 2013-06-07
By: http://www.rack911.com

Product Description:

WHMreseller is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas, assign private name servers, suspend, unsuspend, as well as terminate resellers.

Vulnerability Description:

There is a flaw within the Remove IP from CSF Firewall feature that allows an attacker to manipulate WHMreseller to run commands as root via a normal reseller account.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against WHMreseller v1.4.

Fixed Version:

This vulnerability was patched in WHMreseller v1.4.112.

Vendor Contact Timeline:

2013-05-24: Vendor contacted via email.
2013-05-29: Vendor confirms vulnerability.
2013-05-29: Vendor issues v1.4.112 update.
2013-06-07: Rack911 issues security advisory.

UNIXY cPanel Varnish – Privilege Escalation (R911-0015)

Wednesday, June 5th, 2013

Type: Privilege Escalation
Impact: Critical
Product: UNIXY cPanel Varnish
Website: http://www.unixy.net
Vulnerable Version: 1.8.0-4
Fixed Version: 1.8.0-5
CVE: -
R911: 0015
Date: 2013-06-02
By: http://www.rack911.com

Product Description:

The UNIXY cPanel plugin comes with a web interface to manage Varnish via cPanel WHM. The cPanel app takes the complexity out of Varnish in a consolidated one-stop interface. The script allows you to uninstall Varnish, modify Varnish settings, look up caching stats, refresh the Varnish cache, restart Varnish, and much more!

Vulnerability Description:

Due to an ACL bypass and failure to sanitize input, the UNIXY cPanel Varnish plugin is vulnerable to a privilege escalation through the Advanced Configuration page by a malicious reseller user that would allow them to gain root access.

Note: This flaw is allowed to exist because of a fundamental security failure within WHM that executes all plugins as root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Important Note:

It’s worth noting that the developer of this software decided to blame the exploit on the fact that PHP should never be allowed under WHM for resellers. While it is true that the feature is disabled by default on new cPanel installs, there are several commonly used plugins that enable it, and running PHP under WHM is no more dangerous than the default CGI because both run as root.

It is ignorant and frankly stupid to make up excuses for poor coding practices. Whether this flaw affects 1% or 100% of users, it is still a serious flaw that should never have been allowed to happen in the first place. We also can’t help but find amusement in the fact that the developer offers a “no hack guarantee” for their customers yet can’t even secure their own software…

Vulnerable Version:

This vulnerability was tested against UNIXY cPanel Varnish 1.8.0-4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in UNIXY cPanel Varnish 1.8.0-5.

Vendor Contact Timeline:

2013-05-30: Vendor contacted via email.
2013-05-30: Vendor confirms vulnerability.
2013-06-01: Vendor issues v1.8.0-5 update.
2013-06-02: Rack911 issues security advisory.

WHMXtra – Privilege Escalation (R911-0014)

Monday, June 3rd, 2013

Type: Privilege Escalation
Impact: Critical
Product: WHMXtra
Website: http://www.whmxtra.com
Vulnerable Version: G2 v2.4
Fixed Version: G2 v2.5
CVE: -
R911: 0014
Date: 2013-05-29
By: http://www.rack911.com

Product Description:

WHMXtra can install FFMPEG, firewalls and DDoS protection, fix MySQL issues, search for illegal files or processes, monitor your server and much, much more. Browse the entire server filesystem via one of our built-in file managers, upload/download files, create multiple accounts, check memory and CPU usage and even get tips on improving your server's performance.

Vulnerability Description:

There is a world writable directory that will allow an attacker to create a carefully crafted file that will ultimately lead to a root shell.

Note: This flaw is allowed to exist because of a fundamental security failure within WHM that executes all plugins as root.
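As an added defender's check, not code from Rack911 or from any of the vendors named here: a POSIX shell audit that lists unprotected world-writable directories under the WHM plugin tree, the class of weakness this advisory describes and one that matters precisely because WHM runs plugin code as root. The default path is the WHM CGI plugin docroot given in the Zamfoo advisory above; nothing about WHMXtra's own directory layout is assumed.

```shell
#!/bin/sh
# Added defender's check, not code from Rack911 or from any vendor named in
# these advisories. WHM runs plugin CGIs as root, so a world-writable
# directory inside a plugin tree lets any local user drop a file that
# root-level code may later read, include or execute.

# Default tree: the WHM CGI plugin docroot named in the Zamfoo advisory.
# Pass another path as $1 to audit a different tree.
PLUGIN_ROOT="${1:-/usr/local/cpanel/whostmgr/docroot/cgi}"

# List every directory under $1 that is writable by "other" and lacks the
# sticky bit. Sticky world-writable directories (/tmp style) are an
# accepted pattern; an unprotected one under a root-run plugin is not.
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null || true
}

# Report offenders with their mode and owner. Returns 0 when the tree is
# clean and 1 when at least one unprotected world-writable directory exists.
audit_plugin_tree() {
    hits=$(find_world_writable_dirs "$1")
    if [ -z "$hits" ]; then
        echo "OK: no unprotected world-writable directories under $1"
        return 0
    fi
    echo "WARNING: unprotected world-writable directories under $1:"
    printf '%s\n' "$hits" | while IFS= read -r d; do
        ls -ld "$d"
    done
    return 1
}

# Run the audit when executed directly; the functions above can also be
# sourced into another script.
if [ -d "$PLUGIN_ROOT" ]; then
    audit_plugin_tree "$PLUGIN_ROOT"
fi
```

The non-zero exit status makes the script usable from cron or a monitoring agent, which should alert whenever a plugin update reintroduces such a directory.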

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against WHMXtra G2 v2.4.

Fixed Version:

This vulnerability was patched in WHMXtra G2 v2.5.

Vendor Contact Timeline:

2013-05-29: Vendor contacted via email.
2013-05-29: Vendor confirms vulnerability.
2013-05-30: Vendor issues v2.5 update.
2013-05-31: Rack911 issues security advisory.