Zamfoo – Privilege Escalation (R911-0026)

Type: Privilege Escalation
Impact: Critical
Product: Zamfoo
Website: http://www.zamfoo.com
Vulnerable Version: v11.7
Fixed Version: -
CVE: -
R911: 0026
Date: 2013-06-17
By: http://www.rack911.com

Product Description:

The ZamFoo software suite is a series of WHM plugin modules (also known as WHM addon modules) catered towards easing the burden of web hosting providers that sell shared hosting solutions using the Cpanel and WHM hosting platform. Hundreds of companies use our software to create Alpha WHM and create Master WHM hosting accounts.

Vulnerability Description:

Due to a series of ACL failures and a lack of input sanitization, a malicious reseller can reach the restore feature in Zamfoo and, by requesting a specially crafted URL, have the software execute commands as root.
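To make the two independent failures concrete, the following is a hypothetical restore handler sketched in POSIX shell. It is an added example, not Zamfoo's code and not the published proof of concept: it shows the pattern the advisory describes (no ACL check, so a reseller reaches a root-only feature; user input pasted into a root shell command) beside a hardened form that enforces both controls. The caller name, the backup-name parameter and BACKUP_DIR are assumptions.

```sh
#!/bin/sh
# Hypothetical WHM-addon "restore" handler (added example, not Zamfoo code).
# It illustrates the two controls whose absence the advisory describes:
#   1. an ACL check so that a reseller cannot reach a root-only feature, and
#   2. strict validation of the backup name before it reaches a root command.
# The caller name, the backup name and BACKUP_DIR are assumed request data.

BACKUP_DIR="${BACKUP_DIR:-/home/backups}"

# 1. ACL: only the root WHM user may run a restore; any reseller is denied.
caller_may_restore() {
    [ "$1" = "root" ]
}

# 2. Input validation: a backup name may only contain [A-Za-z0-9._-], must
#    not be empty, and must not start with "." (blocks "../" traversal).
valid_backup_name() {
    case "$1" in
        "" | .* | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Vulnerable pattern (shown for contrast only; never called): the caller is
# not checked and the name is re-parsed by a shell, so a name of "x;id"
# makes the process run "id" as root.
restore_unsafe() {
    eval "tar -xf $BACKUP_DIR/$1 -C /home"
}

# Hardened pattern: both controls enforced and no shell re-parsing of input.
# Returns 2 when the caller is not allowed, 3 when the name is rejected.
restore_safe() {
    user="$1"; name="$2"
    caller_may_restore "$user" || { echo "denied: $user is not root" >&2; return 2; }
    valid_backup_name "$name" || { echo "rejected: bad backup name" >&2; return 3; }
    # tar receives the path as one argument; shell metacharacters are inert.
    tar -xf "$BACKUP_DIR/$name" -C /home
}
```

Both checks are needed: validating the name alone still lets a reseller run a root-only restore, and the ACL alone still lets root-level input reach a shell.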

Proof of Concept:

Another security researcher has already issued a working proof of concept, so we do not see the need to include one in this advisory.

Impact:

We rate this vulnerability CRITICAL because a reseller user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against Zamfoo v11.7 and is believed to exist in all versions.

Fixed Version:

It took the developer two weeks to produce a patch, and we have determined that the patch does not work: the flaw is still present in the software. It has also been brought to our attention that several more root-level exploits exist in Zamfoo, so we must urge everyone to uninstall this software. (Note that the vendor's uninstaller below is fetched over plain HTTP and executed as root; inspect the extracted files before running them.)

cd /root
wget http://www.zamfoo.com/downloads/zamfoo_uninstaller.tar
tar -xvf zamfoo_uninstaller.tar
chmod +x uninstall.cgi
./uninstall.cgi

Just to be sure:

rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/zamfoo
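Because the flaw hands a reseller root, a server that ran Zamfoo may already have been used, so it is worth keeping a copy of the addon directory for later review rather than simply deleting it. The following is an added example, not part of the advisory or of Zamfoo: it archives the directory named above, removes it, and confirms it is gone. The EVIDENCE_DIR location and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the advisory or from Zamfoo): remove the Zamfoo
# addon directory, but first preserve a copy for forensic review, then verify
# the removal. ZAMFOO_DIR is the path the advisory names; EVIDENCE_DIR is an
# assumed location for the preserved copy.

ZAMFOO_DIR="${ZAMFOO_DIR:-/usr/local/cpanel/whostmgr/docroot/cgi/zamfoo}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/root/zamfoo-evidence}"

# Returns 0 if the addon directory is still present, 1 if it is gone.
zamfoo_present() {
    [ -d "$1" ]
}

# Archive $1 into $2/zamfoo-<utc timestamp>.tar.gz, remove $1, and confirm
# it is gone. Prints the archive path on success; returns 1 on any failure.
archive_and_remove() {
    dir="$1"; evidence="$2"
    zamfoo_present "$dir" || { echo "nothing to remove at $dir" >&2; return 1; }
    mkdir -p "$evidence" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$evidence/zamfoo-$stamp.tar.gz"
    # -C so the archive holds "zamfoo/..." rather than the absolute path.
    tar -czf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    rm -rf "$dir"
    if zamfoo_present "$dir"; then
        echo "removal failed: $dir still exists" >&2
        return 1
    fi
    echo "$archive"
}

# Usage (as root, after running the vendor uninstaller):
#   archive_and_remove "$ZAMFOO_DIR" "$EVIDENCE_DIR"
```

Running it a second time reports that there is nothing left to remove, which doubles as the check that the directory really is gone.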

Vendor Contact Timeline:

2013-05-31: Vendor contacted via email.
2013-06-03: Vendor contacted via email again.
2013-06-03: Vendor confirms vulnerability.
2013-06-13: Vendor contacted via email seeking update.
2013-06-13: Vendor states a patch is “to be” worked on.
2013-06-13: Rack911 issues warning to disable software.
2013-06-13: Vendor threatens to sue.
2013-06-15: Vendor issues patch two weeks from initial contact.
2013-06-15: Rack911 defeats patch within 5 minutes.
2013-06-17: Rack911 issues a general security advisory.