SpamExperts (cPanel Plugin) – Arbitrary File Overwrite (R911-0163)

Type: Arbitrary File Overwrite
Location: Local
Impact: High
Product: SpamExperts (cPanel Plugin)
Website: http://www.spamexperts.com/
Vulnerable Version: All builds prior to the fixed version.
Fixed Version: 3.0.68547
CVE: -
R911: 0163
Date: 2014-06-25
By: RACK911

Product Description

SpamExperts delivers managed email security in the cloud or on premises, tailored for web hosts: incoming and outgoing email filtering, and email archiving. Reduce churn, increase revenue, be 100% secure! Full API and standard integration and automation plugins for cPanel, Parallels products, and DirectAdmin; redundant, synchronized, and scalable; 4-tier control panel; multi-level branding options; 24/7 support and SLAs; fast release cycles and frequent updates!

Vulnerability Description

Due to an arbitrary file overwrite vulnerability, an attacker can overwrite or create any file on the server and ultimately perform a privilege escalation that could allow them to obtain root access. The flaw is in the cPanel plugin for SpamExperts.

Impact

We rate this vulnerability HIGH because root access can be obtained by creating /var/cpanel/skipparentcheck and then using the SpamExperts getconfig64 SUID binary to obtain the root access hash.
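The two observable artifacts named above, the /var/cpanel/skipparentcheck sentinel and a setuid getconfig64 binary, are what an administrator can audit for on a host that ran an affected build. The following POSIX shell functions are an added example written for this advisory; they are not RACK911's or SpamExperts' code. The optional root prefix argument and the version-comparison helper are assumptions made so the checks can be run against a mounted image or a test directory; how the installed plugin version is obtained on a given host is not covered by the advisory and is left to the caller.

```shell
#!/bin/sh
# Added audit helpers (not part of the RACK911 advisory or the SpamExperts plugin).
# Every function takes an optional root prefix ($1) so it can be pointed at a
# mounted disk image or a scratch directory instead of the live system.

# Returns 0 when /var/cpanel/skipparentcheck is absent, 1 when it exists.
# The advisory names this file as the first step of the escalation chain, so its
# presence on a host that never intentionally created it is a strong indicator.
audit_skipparentcheck() {
    root="${1:-}"
    sentinel="$root/var/cpanel/skipparentcheck"
    if [ -e "$sentinel" ]; then
        echo "ALERT: $sentinel exists (cPanel parent check disabled)"
        ls -l "$sentinel"          # owner and mtime help scope the timeline
        return 1
    fi
    echo "ok: $sentinel absent"
    return 0
}

# Prints every setuid-root-style (mode 4xxx) file named getconfig64 below the
# root prefix, staying on one filesystem. Prints nothing when none is found.
list_suid_getconfig64() {
    root="${1:-/}"
    find "$root" -xdev -type f -name getconfig64 -perm -4000 2>/dev/null
}

# Compares two dotted version strings field by field as integers.
# Prints 0 if $1 < $2, 1 if equal, 2 if $1 > $2 (missing fields count as 0).
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo 0; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 2; return 0; fi
    done
    echo 1
}

# Returns 0 (true) when the given plugin version predates the fixed release
# 3.0.68547 stated in this advisory, 1 otherwise.
is_vulnerable_version() {
    [ "$(version_cmp "$1" "3.0.68547")" = 0 ]
}

# Example run against the live host (requires read access to /var/cpanel):
#   audit_skipparentcheck
#   list_suid_getconfig64 /usr
#   is_vulnerable_version "$PLUGIN_VERSION" && echo "update the SpamExperts cPanel plugin"
```

The version helper deliberately compares numerically rather than lexically so that 3.0.68547 is correctly seen as newer than 3.0.7; a plain string comparison would get that wrong. The find call restricts itself to a single filesystem and to the exact binary name so it stays cheap enough to schedule as a recurring check.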

Vulnerable Version

This vulnerability is believed to be present in all builds prior to the fixed version.

Fixed Version

This vulnerability was patched in SpamExperts (cPanel Plugin) 3.0.68547.

Vendor Contact Timeline

2014-06-16: Vendor contacted.
2014-06-16: Vendor confirms vulnerability.
2014-06-21: Vendor issues update to plugin.
2014-06-25: Rack911 issues security advisory.