cPanel – Activate Remote Name Servers Arbitrary Command Execution (R911-0136)

Type: Arbitrary Command Execution
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.23, 11.40.1.13 & 11.38.2.23
CVE: -
R911: 0136
Date: 2014-03-31
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

An arbitrary command execution vulnerability exists in the activate_remote_nameservers.cgi feature when using the SoftLayer module, and possibly also the VPS.NET module. As a result, a reseller is able to run any command as root, which ultimately leads to privilege escalation. The issue also includes an input validation failure.

Impact:

We rate this vulnerability HIGH because root access can be obtained.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.42.0.23, 11.40.1.13 & 11.38.2.23.
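
An added example, not part of the original advisory or of cPanel's code: a check that classifies a cPanel version string against the fixed builds listed above, comparing within each release tier. The function names, the status strings and the "not-listed" handling of tiers the advisory does not mention are assumptions.

```python
import re

# Fixed builds as listed in this advisory, keyed by release tier (major, minor).
FIXED_BUILDS = {
    (11, 38): (11, 38, 2, 23),
    (11, 40): (11, 40, 1, 13),
    (11, 42): (11, 42, 0, 23),
}

# Accepts the dotted form '11.40.1.13' and the '11.40.0 #19' form used above.
_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.|\s*#\s*)(\d+)\s*")


def parse_version(text):
    """Parse a cPanel version string into a 4-tuple of ints."""
    match = _VERSION_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(field) for field in match.groups())


def patch_status(text):
    """Return 'fixed', 'vulnerable' or 'not-listed' (hypothetical labels)."""
    version = parse_version(text)
    tier = version[:2]
    if tier in FIXED_BUILDS:
        # Same tier: patched only at or above that tier's fixed build.
        return "fixed" if version >= FIXED_BUILDS[tier] else "vulnerable"
    if tier < min(FIXED_BUILDS):
        # Older tier with no fixed build: prior to every fixed build.
        return "vulnerable"
    # Tier the advisory does not mention; consult the vendor's changelog.
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample inputs; '11.40.0 #19' is the build the advisory tested.
    samples = ("11.42.0.23", "11.40.0 #19", "11.38.2.22", "11.36.2.10", "11.44.0.5")
    for sample in samples:
        print(f"{sample:>12}  {patch_status(sample)}")
```
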

Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-02-03: Vendor confirms vulnerability.
2014-03-24: Vendor issues updates to all builds.
2014-03-31: Rack911 issues security advisory.