Archive for September, 2013

WHMreseller – Privilege Escalation (R911-0074)

Monday, September 23rd, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: WHMreseller
Website: http://www.deasoft.com/whmreseller.php
Vulnerable Version: v4.119
Fixed Version: v4.127
CVE: -
R911: 0074
Date: 2013-09-23
By: Rack911

Product Description:

WHMreseller is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas, assign private name servers, suspend, unsuspend, as well as terminate resellers.

Vulnerability Description:

A malicious reseller can upload a tainted backup archive that, when restored, would give the reseller “all” privileges, which translates to root level access.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root level access can be obtained.

Vulnerable Version:

This vulnerability was tested against WHMreseller v4.119 and is believed to exist in previous versions.

Fixed Version:

This vulnerability was patched in WHMreseller v4.127.

Vendor Contact Timeline:

2013-09-15: Vendor contacted via email.
2013-09-15: Vendor confirms vulnerability.
2013-09-20: Vendor issues v4.127 update.
2013-09-23: Rack911 issues security advisory.

WHMPHP – Arbitrary Command Execution (R911-0070)

Wednesday, September 18th, 2013

Type: Arbitrary Command Execution
Location: Local
Impact: High
Product: WHMPHP
Website: http://www.whmphp.com
Vulnerable Version: v6.4
Fixed Version: v6.5
CVE: -
R911: 0070
Date: 2013-09-18
By: Rack911

Product Description:

WHMPHP is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas, assign private name servers, suspend, unsuspend, as well as terminate resellers.

Vulnerability Description:

There is a flaw within the IP Unblocker (CSF) feature that allows an attacker to manipulate WHMPHP to run commands as root via a normal reseller account under WHM or a master reseller account under cPanel.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against WHMPHP v6.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in WHMPHP 6.5.

Vendor Contact Timeline:

2013-05-23: Vendor contacted via email.
2013-05-25: Vendor confirms vulnerability.
2013-05-25: Vendor issues update.
2013-09-18: Rack911 issues security advisory.

WHMPHP – Insecure Credential Storage (R911-0069)

Wednesday, September 18th, 2013

Type: Insecure Credential Storage
Location: Local
Impact: High
Product: WHMPHP
Website: http://www.whmphp.com
Vulnerable Version: v6.4
Fixed Version: v6.5
CVE: -
R911: 0069
Date: 2013-09-18
By: Rack911

Product Description:

WHMPHP is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas, assign private name servers, suspend, unsuspend, as well as terminate resellers.

Vulnerability Description:

There is a fundamental failure in how WHMPHP operates that allows any user on the server, regardless of whether they are a master reseller or not, to view the root access hash, which would ultimately give an attacker the ability to perform any function as root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a normal user can perform any task as root.

Vulnerable Version:

This vulnerability was tested against WHMPHP v6.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in WHMPHP 6.5.

Vendor Contact Timeline:

2013-05-23: Vendor contacted via email.
2013-05-25: Vendor confirms vulnerability.
2013-08-31: Vendor issues update.
2013-09-18: Rack911 issues security advisory.

WHMPHP – Local File Inclusion (R911-0068)

Wednesday, September 18th, 2013

Type: File Inclusion
Location: Local
Impact: High
Product: WHMPHP
Website: http://www.whmphp.com
Vulnerable Version: v6.4
Fixed Version: v6.5
CVE: -
R911: 0068
Date: 2013-09-18
By: Rack911

Product Description:

WHMPHP is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas, assign private name servers, suspend, unsuspend, as well as terminate resellers.

Vulnerability Description:

WHMPHP is vulnerable to a local file inclusion exploit that would allow a malicious reseller to run any PHP code, which could ultimately lead to a root compromise.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious reseller can execute PHP code as root.

Vulnerable Version:

This vulnerability was tested against WHMPHP v6.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in WHMPHP 6.5.

Vendor Contact Timeline:

2013-09-13: Vendor contacted via email.
2013-09-13: Vendor confirms vulnerability.
2013-09-15: Vendor issues update.
2013-09-18: Rack911 issues security advisory.

WHMXtra (Reseller UI) – Local Race Condition Vulnerabilities (R911-0067)

Wednesday, September 11th, 2013

Type: Race Condition
Location: Local
Impact: High
Product: WHMXtra (Reseller UI)
Website: http://www.whmxtra.com/
Vulnerable Version: G2 3.5
Fixed Version: G2 3.7
CVE:
R911: 0067
Date: 2013-09-11
By: Rack911

Product Description:

WHMXtra is a unique addon module for cPanel servers, designed to turbo charge your WHM, adding many features you could normally only do via command line or not at all. Our cPanel Xtra Plugin adds even more functionality to your end users' cPanel, saving your techs time and saving you money.

Vulnerability Description:

The reseller UI of WHMXtra is vulnerable to 3+ local race condition exploits that would allow an attacker to escalate their privileges to root access and/or damage system files.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained and any file can be modified regardless of ownership.

Vulnerable Version:

This vulnerability was tested against WHMXtra Reseller UI G2 v3.5.

Fixed Version:

This vulnerability was patched in WHMXtra Reseller UI G2 v3.7.

Vendor Contact Timeline:

2013-08-22: Vendor contacted via email.
2013-08-22: Vendor confirms vulnerability.
2013-08-31: Vendor issues update.
2013-09-11: Rack911 issues security advisory.

WHMXtra (Reseller UI) – Arbitrary Command Execution Vulnerabilities (R911-0066)

Wednesday, September 11th, 2013

Type: Arbitrary Command Execution
Location: Local
Impact: High
Product: WHMXtra (Reseller UI)
Website: http://www.whmxtra.com/
Vulnerable Version: G2 3.5
Fixed Version: G2 3.7
CVE:
R911: 0066
Date: 2013-09-11
By: Rack911

Product Description:

WHMXtra is a unique addon module for cPanel servers, designed to turbo charge your WHM, adding many features you could normally only do via command line or not at all. Our cPanel Xtra Plugin adds even more functionality to your end users' cPanel, saving your techs time and saving you money.

Vulnerability Description:

The reseller UI of WHMXtra is vulnerable to 8+ arbitrary command execution exploits that would allow an attacker to escalate their privileges to root access.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against WHMXtra Reseller UI G2 v3.5.

Fixed Version:

This vulnerability was patched in WHMXtra Reseller UI G2 v3.7.

Vendor Contact Timeline:

2013-08-22: Vendor contacted via email.
2013-08-22: Vendor confirms vulnerability.
2013-08-31: Vendor issues update.
2013-09-11: Rack911 issues security advisory.

WHMreseller – Arbitrary File Access (R911-0065)

Wednesday, September 11th, 2013

Type: Arbitrary File Access
Location: Local
Impact: High
Product: WHMreseller
Website: http://www.deasoft.com/whmreseller.php
Vulnerable Version: v4.118
Fixed Version: v4.119
CVE: -
R911: 0065
Date: 2013-09-11
By: Rack911

Product Description:

WHMreseller is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas, assign private name servers, suspend, unsuspend, as well as terminate resellers.

Vulnerability Description:

There is a flaw within the Download Local Backup feature that allows an attacker to access any file regardless of ownership, including the root access hash.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be accessed. Should the attacker target the root access hash, they would be able to use it to give themselves interactive root access by adding a specific SSH key.

Vulnerable Version:

This vulnerability was tested against WHMreseller v4.118 and is believed to exist in previous versions.

Fixed Version:

This vulnerability was patched in WHMreseller v4.119.

Vendor Contact Timeline:

2013-09-09: Vendor contacted via email.
2013-09-09: Vendor confirms vulnerability.
2013-09-10: Vendor issues v4.119 update.
2013-09-11: Rack911 issues security advisory.

RVSkin – Hardlink Local Privilege Escalation (R911-0064)

Tuesday, September 3rd, 2013

Type: Privilege Escalation
Location: Local
Impact: High
Product: RVSkin
Website: http://www.rvskin.com
Vulnerable Version: 10.83
Fixed Version: 10.84
CVE: -
R911: 0064
Date: 2013-09-03
By: Rack911

Product Description:

RVSkin is an advanced skin for use in a web server control panel. The skin software provides multi-language, multi-theme, and many intelligent features to give you a unique interface that differentiates your business.

Vulnerability Description:

A reseller can create a malicious hardlink pointing to any file on the server and take control of that file once the nightly RVSkin update runs. The end result is that the attacker would be able to gain root access.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against RVSkin v10.83 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in RVSkin v10.84.

Vendor Contact Timeline:

2013-08-18: Vendor contacted via email.
2013-08-25: Vendor confirms vulnerability.
2013-09-02: Vendor issues update.
2013-09-03: Rack911 issues security advisory.

RVSkin – Hardlink Local Privilege Escalation (R911-0063)

Tuesday, September 3rd, 2013

Type: Privilege Escalation
Location: Local
Impact: High
Product: RVSkin
Website: http://www.rvskin.com
Vulnerable Version: 10.83
Fixed Version: 10.84
CVE: -
R911: 0063
Date: 2013-09-03
By: Rack911

Product Description:

RVSkin is an advanced skin for use in a web server control panel. The skin software provides multi-language, multi-theme, and many intelligent features to give you a unique interface that differentiates your business.

Vulnerability Description:

A reseller can create a malicious hardlink pointing to any file on the server and take control of that file once they log into RVSkin via the WHM interface. The end result is that the attacker would be able to gain root access.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against RVSkin v10.83 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in RVSkin v10.84.

Vendor Contact Timeline:

2013-08-18: Vendor contacted via email.
2013-08-25: Vendor confirms vulnerability.
2013-09-02: Vendor issues update.
2013-09-03: Rack911 issues security advisory.

RVSiteBuilder – Hardlink Local Privilege Escalation (R911-0062)

Tuesday, September 3rd, 2013

Type: Privilege Escalation
Location: Local
Impact: High
Product: RVSiteBuilder
Website: http://www.rvsitebuilder.com
Vulnerable Version: 5.0.39
Fixed Version: 5.0.40
CVE: -
R911: 0062
Date: 2013-09-03
By: Rack911

Product Description:

RVSiteBuilder is browser-based site building software that installs directly into cPanel. Its easy-to-follow workflow, social media plugins, and robust content management features make it easy for even non-programmers to create, market, and maintain a high-end web presence.

Vulnerability Description:

A reseller can create a malicious hardlink pointing to any file on the server and take control of that file once the RVSiteBuilder setup is initiated. The end result is that the attacker would be able to gain root access.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against RVSiteBuilder v5.0.39 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in RVSiteBuilder v5.0.40.

Vendor Contact Timeline:

2013-08-18: Vendor contacted via email.
2013-08-25: Vendor confirms vulnerability.
2013-09-02: Vendor issues update.
2013-09-03: Rack911 issues security advisory.
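
For the three hardlink advisories above (R911-0062, R911-0063 and R911-0064), the general defensive pattern for a root-run job that changes ownership inside a directory a reseller can write to is sketched below. This is an added example, not code from Rack911, RVSkin or RVSiteBuilder; the advisories do not disclose what the affected code did, so the function name `chown_if_safe`, the file names and the scenario in `demo` are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def chown_if_safe(path, uid, gid, trusted_uids):
    """Give `path` to uid:gid only if it is a plain, singly linked file.

    Returns "changed" or a "refused: ..." reason.
    """
    try:
        # O_NOFOLLOW rejects a symlink as the last path component;
        # O_NONBLOCK keeps a planted FIFO from hanging the job.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        return f"refused: cannot open safely ({exc.strerror})"
    try:
        st = os.fstat(fd)  # inspect the inode we hold, not the name
        if not stat.S_ISREG(st.st_mode):
            return "refused: not a regular file"
        if st.st_nlink != 1:
            # Another name exists, possibly outside the tenant's tree.
            return "refused: file has additional hard links"
        if st.st_uid not in trusted_uids:
            return "refused: unexpected current owner"
        os.fchown(fd, uid, gid)  # acts on the checked inode, no second lookup
        return "changed"
    finally:
        os.close(fd)

def demo():
    """Constructed layout: one honest file, one hard link, one symlink."""
    me, grp = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim.conf")  # stands in for a system file
        tenant = os.path.join(base, "tenant")       # tenant-writable directory
        os.mkdir(tenant)
        for name in (victim, os.path.join(tenant, "style.css")):
            with open(name, "w") as fh:
                fh.write("data\n")
        os.link(victim, os.path.join(tenant, "theme.css"))
        os.symlink(victim, os.path.join(tenant, "link.css"))
        return {n: chown_if_safe(os.path.join(tenant, n), me, grp, {me})
                for n in sorted(os.listdir(tenant))}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On Linux, setting the `fs.protected_hardlinks` sysctl to 1 complements this check system-wide by stopping unprivileged users from hard-linking to files they do not own.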