Archive for August, 2013

CloudLinux – Arbitrary Command Execution (Plesk) (R911-0060)

Friday, August 30th, 2013

Type: Arbitrary Command Execution (Plesk)
Location: Local
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: cagefs-5.0-10 / lvemanager-0.6-23
CVE: -
R911: 0060
Date: 2013-08-30
By: Rack911

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environments.

Vulnerability Description:

Due to an ACL failure, users can access the admin CageFS feature of CloudLinux for Plesk, which allows an attacker to run commands as the ‘psaadm’ (admin) user. The end result is that the attacker would be able to obtain admin access, view client MySQL databases and/or possibly obtain root access through other means.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file owned by the ‘psaadm’ user can be viewed.

Vulnerable Version:

This vulnerability was tested against CloudLinux cagefs-5.0-9 / lvemanager-0.6-21 for Plesk and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux cagefs-5.0-10 / lvemanager-0.6-23 + lvemanager-0.7-1.6 BETA for Plesk.

Vendor Contact Timeline:

2013-08-26: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-30: Vendor issues update.
2013-08-30: Rack911 issues security advisory.

CloudLinux – Arbitrary Command Execution (Plesk) (R911-0059)

Friday, August 30th, 2013

Type: Arbitrary Command Execution (Plesk)
Location: Local
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: cagefs-5.0-10 / lvemanager-0.6-23
CVE: -
R911: 0059
Date: 2013-08-30
By: Rack911

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environments.

Vulnerability Description:

Due to an ACL failure, users can access the admin chart.php feature of CloudLinux for Plesk, which allows an attacker to run commands as the ‘psaadm’ (admin) user. The end result is that the attacker would be able to obtain admin access, view client MySQL databases and/or possibly obtain root access through other means.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file owned by the ‘psaadm’ user can be viewed.

Vulnerable Version:

This vulnerability was tested against CloudLinux cagefs-5.0-9 / lvemanager-0.6-21 for Plesk and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux cagefs-5.0-10 / lvemanager-0.6-23 + lvemanager-0.7-1.6 BETA for Plesk.

Vendor Contact Timeline:

2013-08-26: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-30: Vendor issues update.
2013-08-30: Rack911 issues security advisory.

CloudLinux – Arbitrary Command Execution (Plesk) (R911-0058)

Friday, August 30th, 2013

Type: Arbitrary Command Execution (Plesk)
Location: Local
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: cagefs-5.0-10 / lvemanager-0.6-23
CVE: -
R911: 0058
Date: 2013-08-30
By: Rack911

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environments.

Vulnerability Description:

There is a flaw within the PHP Selector feature of CloudLinux for Plesk that allows an attacker to run commands as the ‘psaadm’ (admin) user. The end result is that the attacker would be able to obtain admin access, view client MySQL databases and/or possibly obtain root access through other means.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file owned by the ‘psaadm’ user can be viewed.

Vulnerable Version:

This vulnerability was tested against CloudLinux cagefs-5.0-9 / lvemanager-0.6-21 for Plesk and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux cagefs-5.0-10 / lvemanager-0.6-23 + lvemanager-0.7-1.6 BETA for Plesk.

Vendor Contact Timeline:

2013-08-26: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-30: Vendor issues update.
2013-08-30: Rack911 issues security advisory.

CloudLinux – Arbitrary File Access (Plesk) (R911-0057)

Friday, August 30th, 2013

Type: Arbitrary File Access (Plesk)
Location: Local
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: cagefs-5.0-10 / lvemanager-0.6-23
CVE: -
R911: 0057
Date: 2013-08-30
By: Rack911

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environments.

Vulnerability Description:

There is a flaw within the Resource Usage feature of CloudLinux for Plesk that allows an attacker to open any file owned by the ‘psaadm’ (admin) user. The end result is that the attacker would be able to obtain admin access, view client MySQL databases and/or possibly obtain root access through other means.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file owned by the ‘psaadm’ user can be viewed.

Vulnerable Version:

This vulnerability was tested against CloudLinux cagefs-5.0-9 / lvemanager-0.6-21 for Plesk and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux cagefs-5.0-10 / lvemanager-0.6-23 + lvemanager-0.7-1.6 BETA for Plesk.

Vendor Contact Timeline:

2013-08-26: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-30: Vendor issues update.
2013-08-30: Rack911 issues security advisory.

cPanel – Insecure Credential Storage (R911-0056)

Thursday, August 29th, 2013

Type: Insecure Credential Storage
Location: Local
Impact: Low
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3
CVE: -
R911: 0056
Date: 2013-08-29
By: http://www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

The /var/cpanel/sessions directory stored both user and root credentials in plain-text which could, under certain circumstances, allow a malicious administrator to view the details. Should a malicious administrator and/or someone compromise the server, they would be able to monitor that directory and build a list of plain-text credentials which could be used elsewhere, as users often reuse the same password.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as LOW due to the fact that the file can only be viewed by an administrator. This is more of a “hardening” measure.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.13 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3.

Vendor Contact Timeline:

2013-07-23: Vendor contacted via email.
2013-08-01: Vendor confirms vulnerability.
2013-08-27: Vendor issues updates to all builds.
2013-08-29: Rack911 issues security advisory.

cPanel – Arbitrary File Access (R911-0055)

Thursday, August 29th, 2013

Type: Arbitrary File Access
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3
CVE: -
R911: 0055
Date: 2013-08-29
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within the Rearrange an Account feature that can be made available to resellers that would ultimately allow an attacker to read any file on the server regardless of ownership. There are several files on a cPanel server that will disclose the root password in plain-text making this a root level exploit.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.13 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3.

Vendor Contact Timeline:

2013-07-20: Vendor contacted via email.
2013-08-01: Vendor confirms vulnerability.
2013-08-27: Vendor issues updates to all builds.
2013-08-29: Rack911 issues security advisory.

cPanel – Denial of Service (R911-0054)

Thursday, August 29th, 2013

Type: Denial of Service
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3
CVE: -
R911: 0054
Date: 2013-08-29
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

A malicious user can inject data into httpd.conf using either the Addon Domain or Subdomain Feature from within cPanel that could ultimately break Apache (HTTPD) and prevent it from starting.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the web server can be rendered inoperable.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.13 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3.

Vendor Contact Timeline:

2013-07-19: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-27: Vendor issues updates to all builds.
2013-08-29: Rack911 issues security advisory.

cPanel – Account Suspension Manipulation (R911-0053)

Thursday, August 29th, 2013

Type: Account Suspension Manipulation
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3
CVE: -
R911: 0053
Date: 2013-08-29
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within the un-suspend function of WHM that allows a reseller to activate any email and/or webdav (web disk) account on the server that was suspended.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that email and/or webdav accounts can be un-suspended, however, the attacker must know the target username.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.2.2 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3.

Vendor Contact Timeline:

2013-08-01: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-27: Vendor issues updates to all builds.
2013-08-29: Rack911 issues security advisory.

cPanel – Upload Locale Function Privilege Escalation (R911-0052)

Thursday, August 29th, 2013

Type: Privilege Escalation
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3
CVE: -
R911: 0052
Date: 2013-08-29
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within the Upload Locale XML feature available to resellers that could allow an attacker to inject data into any file on the server regardless of ownership thus giving themselves root access.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.13 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3.

Vendor Contact Timeline:

2013-08-01: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-27: Vendor issues updates to all builds.
2013-08-29: Rack911 issues security advisory.

cPanel – Account Transfer Insecure File Permissions (R911-0051)

Thursday, August 29th, 2013

Type: Insecure File Permissions
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3
CVE: -
R911: 0051
Date: 2013-08-29
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

When an account is being transferred over from a remote server, it is temporarily stored under the /home directory with 644 file permissions that could allow an attacker to make a copy of it, thus obtaining data belonging to the other account.

It would be trivial for an attacker to run a cron job that looks for a certain process running that divulges the username of an account currently being transferred over to automate the whole process of stealing the data.
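
A defender-side check for the condition described above, as an added example that is not part of the original advisory or of cPanel's code: it lists regular files sitting directly under a directory that other local users can read, and creates a staging directory that is private (0700) so that archives written inside it are unreachable whatever their own mode. The function names and the default /home path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and default paths are
# illustrative assumptions.

# Print regular files directly under DIR whose mode grants read to "other"
# (for example 644). A transfer archive showing up here can be copied by
# any local account while it exists.
find_world_readable() {
    dir=${1:-/home}
    find "$dir" -maxdepth 1 -type f -perm -004 2>/dev/null | sort
}

# Create a staging directory under PARENT that only its owner can enter,
# and print its path. mktemp -d creates the directory with mode 0700;
# umask 077 also keeps files later created by this subshell private.
make_private_staging() {
    parent=${1:-/home}
    ( umask 077 && mktemp -d "$parent/xfer.XXXXXXXX" )
}

# Octal permission bits of PATH (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone use: ./audit.sh --audit [DIR]
if [ "${1:-}" = "--audit" ]; then
    find_world_readable "${2:-/home}"
fi
```

Run the audit from cron or a monitoring agent during account migrations on builds that predate the fix; an empty result means no top-level file under the directory is readable by other users.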

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that any transferred account can have its data stolen.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.13 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.15, 11.38.2.6, 11.36.2.3, 11.34.2.4 & 11.32.7.3.

Vendor Contact Timeline:

2013-07-17: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-27: Vendor issues updates to all builds.
2013-08-29: Rack911 issues security advisory.