Full Version: Cpanel Mod_phpsuexec Vulnerability
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
May 24 2004, 06:02 PM
QUOTE


Severity: High, Arbitrary Execution, Local Privilege Escalation

Background:

cPanel is a common web hosting management system written by cpanel.net installed on UNIX
operating systems to help manage web, email, ftp, databases, and other administrative
tasks.

Problem Description:

The options used by cPanel software to compile Apache 1.3.29 and PHP using the
mod_phpsuexec option are flawed and allow any local user to execute arbitrary code as any
other user owning a web accessible php file.

Impact:

Fortunately, mod_phpsuexec is not enabled by default so the majority of systems using
cPanel should not be vulnerable.  But for those machines that are vulnerable, all users on
the machine are in danger.  Any local user can destroy files, deface web sites, or acquire
full access to all databases used by anyone on the machine that owns a file ending in
.php.

Proof of Concept:

This tester php script http://64.240.171.106/cpanel.php can be used to test your
configuration to see if it is vulnerable.  See http://www.a-squad..com/audit/ for more
details.  If left unmodified, this script will do no harm.  It will just tell you if your
system is safe or how to secure it if it is vulnerable.

How it works is by ensuring that /usr/bin/php will execute SCRIPT_FILENAME instead of the
PATH_INFO if both environment settings exist.  If it doesn't then the system is
vulnerable because PATH_INFO can easily be spoofed on the browser.

Any user can change another user's password by temporarily tweaking the target
user's .contactemail file just long enough to reset this user's password using
the built-in cpanel reset method.  To prevent this, disable the ability to reset passwords
in the WHM.

Any user can obtain root access on the machine by manipulating one of the admin
accounts' .bashrc file to alias "su" to "fakesu" or any trojan
that logs keystrokes and obtain the root password next time this admin user logs in and
tries to "su" to root.  It's easy to find out admin users with
"su" privileges by running "grep wheel /etc/group" or by running
"last" to see which of these users logged in recently.  Due to the severity of
this vulnerability, the "fakesu" trojan code will not be provided, though it has
been tested and is known to work.  To prevent this, don't let anyone that can create
a .php script be in the "wheel" group.


Solution:

Upgrade to Apache 1.3.31 or higher.  Only systems running Apache 1.3.29 or older can be
vulnerable.  I already notified the cPanel authors of this vulnerability and it has been
repaired.  Only Apache configurations compiled before Apr 15, 2004 are vulnerable.


Let me know if you need any more details.

--Rob Brown
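The advisory's tester script is not reproduced here. What follows is an added example, not the author's cpanel.php and not cPanel's own code, that performs the same configuration check from the shell: it runs a PHP CGI binary with both SCRIPT_FILENAME and PATH_INFO set to different constructed scripts and reports which one was actually executed. The path to the interpreter, the marker strings and the stand-in "interpreters" used by demo() are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: does a PHP CGI binary honour SCRIPT_FILENAME over PATH_INFO
# when both are present?  Exit codes of check_php_target:
#   0 = safe (SCRIPT_FILENAME executed), 1 = flawed (PATH_INFO executed),
#   2 = could not test (binary missing or neither marker seen).

check_php_target() {
    php_bin="$1"
    [ -x "$php_bin" ] || return 2
    tmpdir=$(mktemp -d) || return 2
    # Two constructed scripts with distinct markers: the one Apache intended to
    # run, and the one a client could name through a spoofed PATH_INFO.
    printf '%s\n' '<?php echo "MARKER_SCRIPT_FILENAME"; ?>' > "$tmpdir/intended.php"
    printf '%s\n' '<?php echo "MARKER_PATH_INFO"; ?>'       > "$tmpdir/spoofed.php"
    # Invoke the interpreter the way a CGI/suexec wrapper would, with both
    # variables set.  REDIRECT_STATUS is what the CGI SAPI expects to see.
    out=$(env SCRIPT_FILENAME="$tmpdir/intended.php" \
              PATH_INFO="$tmpdir/spoofed.php" \
              REDIRECT_STATUS=200 "$php_bin" 2>/dev/null </dev/null)
    rm -rf "$tmpdir"
    case "$out" in
        *MARKER_PATH_INFO*)        return 1 ;;
        *MARKER_SCRIPT_FILENAME*)  return 0 ;;
        *)                         return 2 ;;
    esac
}

# Stand-in "interpreter" for exercising the checker without a real PHP build
# (constructed for this example): it simply prints the file named by the
# environment variable given as $2, mimicking a safe or a flawed build.
make_fake_php() {
    path="$1"; var="$2"
    printf '#!/bin/sh\ncat "$%s"\n' "$var" > "$path"
    chmod +x "$path"
}

demo() {
    d=$(mktemp -d)
    make_fake_php "$d/php-safe"   SCRIPT_FILENAME
    make_fake_php "$d/php-flawed" PATH_INFO
    check_php_target "$d/php-safe";   safe_rc=$?
    check_php_target "$d/php-flawed"; flawed_rc=$?
    rm -rf "$d"
    echo "stand-in safe build -> $safe_rc, stand-in flawed build -> $flawed_rc"
}

demo
# To check a real installation: check_php_target /usr/bin/php; echo $?
```

Run it against the real interpreter (check_php_target /usr/bin/php) on the host being audited; a result of 1 means the binary executed the file named by PATH_INFO, which is the condition the advisory describes. The marker files are created under a fresh mktemp directory owned by the caller, so the check touches no other user's files.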
