Type: Privilege Escalation
Vulnerable Version: 4.2.1, 4.2.2 and 4.2.3
Fixed Version: 4.2.4
By: Rack911, Avi Brender (www.elitehosts.com), and streaky
Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.
An attacker can manipulate a SUID binary that is installed by Softaculous to escalate their privileges to root access.
Proof of Concept:
Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.
We rate this vulnerability CRITICAL because the exploit can yield an instant root bind shell and can be executed by any user on the server, not just resellers. The exploit can also be executed via SSH, cron, CGI scripts and/or PHP scripts.
This vulnerability was tested against Softaculous v4.2.3 for cPanel but is also believed to exist under the other supported control panels.
This vulnerability was patched in v4.2.4.
Vendor Contact Timeline:
2013-05-07: Vendor contacted via email.
2013-05-07: Vendor confirms vulnerability.
2013-05-07: Vendor issues v4.2.4 update.
2013-05-07: Rack911 issues security advisory.