Message-ID: <20040524030842.21355.qmail@www.securityfocus.com>
Date: 24 May 2004 03:08:42 -0000
From: Rob Brown <rob@...uad.com>
To: bugtraq@...urityfocus.com
Subject: cPanel mod_phpsuexec Vulnerability
Severity: High, Arbitrary Execution, Local Privilege Escalation
Background:
cPanel is a common web hosting management system written by cpanel.net installed on UNIX operating systems to help manage web, email, ftp, databases, and other administrative tasks.
Problem Description:
The options used by cPanel software to compile Apache 1.3.29 and PHP using the mod_phpsuexec option are flawed and allow any local user to execute arbitrary code as any other user owning a web accessible php file.
Impact:
Fortunately, mod_phpsuexec is not enabled by default so the majority of systems using cPanel should not be vulnerable. But for those machines that are vulnerable, all users on the machine are in danger. Any local user can destroy files, deface web sites, or acquire full access to all databases used by anyone on the machine that owns a file ending in .php.
Proof of Concept:
This tester php script http://64.240.171.106/cpanel.php can be used to test your configuration to see if it is vulnerable. See http://www.a-squad.com/audit/ for more details. If left unmodified, this script will do no harm. It will just tell you if your system is safe or how to secure it if it is vulnerable.
It works by ensuring that /usr/bin/php will execute SCRIPT_FILENAME instead of the PATH_INFO if both environment settings exist. If it doesn't, then the system is vulnerable because PATH_INFO can easily be spoofed on the browser.
Any user can change another user's password by temporarily tweaking the target user's .contactemail file just long enough to reset this user's password using the built-in cpanel reset method. To prevent this, disable the ability to reset passwords in the WHM.
Any user can obtain root access on the machine by manipulating one of the admin accounts' .bashrc file to alias "su" to "fakesu" or any trojan that logs keystrokes and obtain the root password next time this admin user logs in and tries to "su" to root. It's easy to find out admin users with "su" privileges by running "grep wheel /etc/group" or by running "last" to see which of these users logged in recently. Due to the severity of this vulnerability, the "fakesu" trojan code will not be provided, though it has been tested and is known to work. To prevent this, don't let anyone that can create a .php script be in the "wheel" group.
Solution:
Upgrade to Apache 1.3.31 or higher. Only systems running Apache 1.3.29 or older can be vulnerable. I already notified the cPanel authors of this vulnerability and it has been repaired. Only Apache configurations compiled before Apr 15, 2004 are vulnerable.
Let me know if you need any more details.
--Rob Brown
A-Squad.Com
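
A defensive check for the .bashrc tampering described in the advisory, as an added example that is not part of the original message: it lists the members of the "wheel" group and reports startup-file lines that define an alias or function named "su". The function names, the fixture layout and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag wheel members whose shell
# startup files define an alias or function named "su". Heuristic only: it
# does not catch PATH changes or definitions sourced from other files.

# Supplementary members of the wheel group, one per line.
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Report "user:file:lineno:text" for each suspicious definition.
# $1 = group file, $2 = passwd file (default to the live system files).
audit_su_shadowing() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    pattern='^[[:space:]]*(alias[[:space:]]+su=|(function[[:space:]]+)?su[[:space:]]*\(|function[[:space:]]+su([[:space:]]|$))'
    wheel_members "$group_file" | while IFS= read -r user; do
        home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$passwd_file")
        [ -n "$home" ] || continue
        for f in .bashrc .bash_profile .bash_login .profile; do
            [ -f "$home/$f" ] || continue
            grep -nE "$pattern" "$home/$f" | sed "s|^|$user:$home/$f:|"
        done
    done
    return 0
}

# Constructed sample data: two wheel members, one with a shadowed su.
make_fixture() {
    mkdir -p "$1/home/alice" "$1/home/bob"
    printf 'root:x:0:\nwheel:x:10:alice,bob\nusers:x:100:carol\n' > "$1/group"
    printf 'alice:x:1000:1000::%s/home/alice:/bin/bash\n' "$1" > "$1/passwd"
    printf 'bob:x:1001:1001::%s/home/bob:/bin/bash\n' "$1" >> "$1/passwd"
    printf 'export EDITOR=vi\nalias su="$HOME/.cache/fakesu"\n' > "$1/home/alice/.bashrc"
    printf 'alias ll="ls -l"\n# su is not redefined here\n' > "$1/home/bob/.bashrc"
}
```

Calling `audit_su_shadowing` with no arguments reads /etc/group and /etc/passwd; any line it reports should be compared against what the account owner expects to find in that file.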