Date: Fri, 1 Apr 2005 08:44:22 +1000
From: Beau Henderson <silentbob@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: cPanel/WHM demo account problems


Next time, try submitting to security@...nel.net or any of the contact
addresses (even phone) on the web site. There are, by the way, other
contact details on the web site; next time, at least look.

(I've passed this along to the above email address, in case you have
issues doing so yourself.)

On Wed, 30 Mar 2005 23:33:30 +0100, Richard Stanway
<bugtraq@...ur1ty.net> wrote:
> Background
> ----------
> cPanel & WebHost Manager (WHM) is a next generation web hosting control
> panel system. Both cPanel & WHM are extremely feature rich as well as
> include an easy to use web based interface (GUI). The cPanel demo account
> feature creates a restricted username/password to the cPanel web interface
> which the reseller often then provides on their web site, inviting potential
> customers to try out the cPanel interface. Most of the cPanel interface is
> disabled in the demo mode to prevent anonymous users from uploading
> potentially dangerous content or otherwise causing a problem.
> 
> Problem
> -------
> Since the cPanel demo user is created as a real local user, shell access
> through SSH is possible. The demo account however is restricted by using a
> shell that displays a message indicating that the SSH is disabled and not
> allowing any commands to be used. It is possible to set up SSH port
> forwarding and login without invoking the shell, essentially giving
> anonymous users the ability to harness the server for proxying to local and
> remote destinations, bypassing IP based authentication to localhost (some
> SMTP servers regard 127.0.0.1 as authenticated for example) and other likely
> malicious actions.
> 
> It is very likely the same problem also applies to local users who have not
> been granted explicit shell access, although the impact is slightly lessened
> as one might expect local users are not out to abuse their own shared web
> hosting server.
> 
> Exploit
> -------
> Pick your server (http://www.google.com/search?q=cpdemo+cpanel+demo), SSH to
> it using the provided username and password and set up some port forwarding.
> 
> Solution
> --------
> Turn off the demo account feature and delete any demo accounts. As an
> additional measure, turn off SSH port forwarding or specify explicitly which
> users are allowed SSH access in the sshd config, do not rely on a restricted
> shell to prevent users from being able to use other SSH features. I'd never
> recommend anyone use the cPanel/WHM demo account feature at all; they are
> both very risky. Even the WHM demo hosted on cPanel's own server allowed
> remote root at one point in time.
> 
> A note to vendors: please make it easy to report bugs. cPanel had a nice
> anonymous bug reporting form and status checking system last time I reported
> a bug, now it is replaced with BugZilla which requires spending time
> registering which personally I'm not going to be bothered with for reporting
> one bug.
> 
> Richard Stanway
> http://www.r1ch.net/
> 
> Technical articles: http://shsc.info/
> 
> 


-- 
Beau Henderson
http://www.ImInteractive.com
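The mitigation Richard's post recommends, denying forwarding in sshd itself rather than trusting a restricted shell, as an added example that is not part of either message: a hardened sshd_config fragment with a Match block for the demo account, plus a small Match-aware evaluator that resolves the values sshd would actually apply to a given user. The config text, the usernames and the account names are constructed for this example; only the "Match User" criterion is modelled.

```python
import fnmatch

# Constructed sshd_config fragment. The global section alone is the "before"
# state: a restricted login shell does nothing to stop -N/-L/-R forwarding.
SSHD_CONFIG = """\
AllowTcpForwarding yes
PermitTTY yes
X11Forwarding no

# Only these accounts may log in at all (constructed names)
AllowUsers admin demo

# Deny every SSH feature except the (restricted) shell for the demo account
Match User demo
    AllowTcpForwarding no
    PermitOpen none
    PermitTunnel no
    AllowAgentForwarding no
    PermitTTY no
"""

def _match_applies(criteria, user):
    """Evaluate 'Match User a,b*' criteria (assumption: only User is modelled;
    any other criterion is treated as not matching)."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    for crit, pats in zip(tokens[::2], tokens[1::2]):
        if crit.lower() != "user":
            return False
        if not any(fnmatch.fnmatchcase(user, p) for p in pats.split(",")):
            return False
    return True

def effective_config(config_text, user):
    """Keyword -> value as sshd would apply them to `user`: the first value per
    keyword wins, and a matching Match block overrides the global section."""
    globals_, matched, active = {}, {}, None   # active None = global section
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            active = _match_applies(value, user)
        elif active is None:
            globals_.setdefault(key, value)
        elif active:
            matched.setdefault(key, value)
    return {**globals_, **matched}

def forwarding_blocked(config_text, user):
    """True if `user` cannot forward: login refused by AllowUsers, or
    AllowTcpForwarding resolves to 'no'."""
    cfg = effective_config(config_text, user)
    allowed = cfg.get("allowusers", "").split()
    if allowed and not any(fnmatch.fnmatchcase(user, p) for p in allowed):
        return True
    return cfg.get("allowtcpforwarding", "yes").lower() == "no"
```

Running `sshd -T -C user=demo` on the real host prints the same effective values and is the authoritative check once the config is deployed.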

