[UNIX] cPanel mod_phpsuexec Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 05/24/04
To: list@securiteam.com
Date: 24 May 2004 20:12:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
cPanel mod_phpsuexec Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.cpanel.net/realindex.html?from=http://www.cpanel.net/docs.htm>
cPanel is "a common web hosting management system written by cpanel.net
installed on UNIX Operating Systems to help manage web, email, ftp,
databases, and other administrative tasks". The options used by the cPanel
software to compile Apache 1.3.29 and PHP with the mod_phpsuexec option
are flawed and allow any local user to execute arbitrary code as any other
user who owns a web-accessible PHP file.
DETAILS
Impact:
Fortunately, mod_phpsuexec is not enabled by default, so the majority of
systems using cPanel should not be vulnerable. On machines where it is
enabled, however, every user on the machine is at risk: any local user can
destroy files, deface web sites, or acquire full access to all databases
used by anyone on the machine who owns a file ending in .php.
Proof of Concept:
This tester PHP script, http://64.240.171.106/cpanel.php, can be used to
test your configuration to see if it is vulnerable. See
http://www.a-squad.com/audit/ for more details. If left unmodified, this
script will do no harm. It will just tell you if your system is safe or
how to secure it if it is vulnerable.
The check works by verifying that /usr/bin/php executes the file named by
SCRIPT_FILENAME rather than the one named by PATH_INFO when both
environment variables are set. If it does not, the system is vulnerable,
because PATH_INFO can easily be spoofed from the browser.
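The same check, written here as an added example (it is not the advisory's tester script, which is not reproduced on this page): it writes two throwaway PHP files, runs the PHP CGI binary with SCRIPT_FILENAME pointing at one and PATH_INFO at the other, and reports which one was executed. The binary path argument (default /usr/bin/php) and setting REDIRECT_STATUS=200 to satisfy PHP's force-cgi-redirect check are assumptions; run it as an unprivileged user on the host being checked.

```shell
#!/bin/sh
# Added example, not the advisory's tester script. Reports whether a PHP CGI
# binary runs the file named by SCRIPT_FILENAME (correct) or the file named by
# PATH_INFO (the flaw described in the advisory) when both variables are set.
# Assumptions: binary path is $1 (default /usr/bin/php); REDIRECT_STATUS=200
# is supplied so a force-cgi-redirect build does not refuse to run.

check_phpsuexec() {
  php_bin="${1:-/usr/bin/php}"
  tmpdir=$(mktemp -d) || return 2
  # Two throwaway scripts, each printing a distinct marker when executed.
  printf '<?php echo "RAN_SCRIPT_FILENAME"; ?>\n' > "$tmpdir/legit.php"
  printf '<?php echo "RAN_PATH_INFO"; ?>\n' > "$tmpdir/spoofed.php"
  # Clean environment: only the two competing variables plus what PHP CGI needs.
  # A CLI-only php binary ignores SCRIPT_FILENAME and will be reported "unknown".
  out=$(cd "$tmpdir" && env -i PATH=/usr/bin:/bin REDIRECT_STATUS=200 \
        SCRIPT_FILENAME="$tmpdir/legit.php" \
        PATH_INFO="$tmpdir/spoofed.php" \
        "$php_bin" </dev/null 2>/dev/null) || :
  rm -rf "$tmpdir"
  case "$out" in
    *RAN_SCRIPT_FILENAME*) echo "safe"; return 0 ;;
    *RAN_PATH_INFO*)       echo "vulnerable"; return 1 ;;
    *)                     echo "unknown"; return 2 ;;
  esac
}

# Usage: check_phpsuexec /usr/bin/php   (prints safe, vulnerable or unknown)
```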
Any user can change another user's password by temporarily tweaking the
target user's .contactemail file just long enough to reset this user's
password using the built-in cPanel reset method. To prevent this, disable
the ability to reset passwords in the WHM.
Any user can obtain root access on the machine by manipulating one of the
admin accounts' .bashrc files to alias "su" to "fakesu", or to any other
Trojan that logs keystrokes, and then obtaining the root password the next
time this admin user logs in and tries to "su" to root. It is easy to find
out which admin users have "su" privileges by running "grep wheel
/etc/group", or by running "last" to see which of these users logged in
recently. Due to the severity of this vulnerability, the "fakesu" trojan
code will not be provided, though it has been tested and is known to work.
To prevent this, don't let anyone who can create a .php script be in the
"wheel" group.
Solution:
Upgrade to Apache 1.3.31 or higher. Only systems running Apache 1.3.29 or
older can be vulnerable. I already notified the cPanel authors of this
vulnerability and it has been repaired. Only Apache configurations
compiled before Apr 15, 2004 are vulnerable.
ADDITIONAL INFORMATION
The information has been provided by Rob Brown <rob@asquad.com>.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.