| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Mar 2005 23:33:30 +0100 From: "Richard Stanway" <bugtraq@...ur1ty.net> To: <bugtraq@...urityfocus.com> Subject: cPanel/WHM demo account problems Background ---------- cPanel & WebHost Manager (WHM) is a next generation web hosting control panel system. Both cPanel & WHM are extremely feature rich as well as include an easy to use web based interface (GUI). The cPanel demo account feature creates a restricted username/password to the cPanel web interface which the reseller often then provides on their web site, inviting potential customers to try out the cPanel interface. Most of the cPanel interface is disabled in the demo mode to prevent anonymous users from uploading potentially dangerous content or otherwise causing a problem. Problem ------- Since the cPanel demo user is created a real local user, shell access through SSH is possible. The demo account however is restricted by using a shell that displays a message indicating that the SSH is disabled and not allowing any commands to be used. It is possible to set up SSH port forwarding and login without invoking the shell, essentially giving anonymous users the ability to harness the server for proxying to local and remote destinations, bypassing IP based authentication to localhost (some SMTP servers regard 127.0.0.1 as authenticated for example) and other likely malicious actions. It is very likely the same problem also applies to local users who have not been granted explicit shell access, although the impact is slightly lessened as one might expect local users are not out to abuse their own shared web hosting server. Exploit ------- Pick your server (http://www.google.com/search?q=cpdemo+cpanel+demo), SSH to it using the provided username and password and set up some port forwarding. Solution -------- Turn off the demo account feature and delete any demo accounts. As an additional measure, turn off SSH port forwarding or specify explicitly which users are allowed SSH access in the sshd config, do not rely on a restricted shell to prevent users from being able to use other SSH features. I'd never recommend anyone use the cPanel/WHM demo account feature at all, they are both very risky. Even the WHM demo hosted on cPanel's own server allowed remote root at one point in time. A note to vendors: please make it easy to report bugs. cPanel had a nice anonymous bug reporting form and status checking system last time I reported a bug, now it is replaced with BugZilla which requires spending time registering which personally I'm not going to be bothered with for reporting one bug. Richard Stanway http://www.r1ch.net/ Technical articles: http://shsc.info/
Powered by blists - more mailing lists