[VulnWatch] Cpanel 5 and below remote command execution and local root vulnerabilities

From: pokleyzz (pokleyzz@scan-associates.net)
Date: 02/19/03

    Date: Wed, 19 Feb 2003 12:47:54 +0800
    From: pokleyzz <pokleyzz@scan-associates.net>
    To: bugtraq@securityfocus.org, vulnwatch@vulnwatch.org, Shaharil Abdul Malek <shaharil@surat.scan-associates.net>, sk <sk@scan-associates.net>, pokleyzz@scan-associates.net
    
    

    Products: Cpanel 5 and below (http://www.cpanel.net)
    Date: 19th February 2003
    Author: pokleyzz <pokleyzz_at_scan-associates.net>
    Contributors: sk <sk_at_scan-associates.net>
                  shaharil <shaharil_at_scan-associates.net>

    Special thanks: Skywizard <skywizard_at_mybsd.org.my>

    Description
    ===========
    Cpanel is a web hosting control panel that lets clients manage their web accounts through
    a web interface. Most of the application is written in Perl and compiled to binary.

    Details
    =======
    There are multiple vulnerabilities in this package, as described below.

    1) Remote command execution in guestbook.cgi (/usr/local/cpanel/cgi-sys/guestbook.cgi)

    There is a classic Perl open() function vulnerability in the template variable, which allows any
    user to read any file or run commands as the valid system user assigned to the specific URL
    in the Apache configuration.

    proof of concept:
        http://[your site.com]/cgi-sys/guestbook.cgi?user=cpanel&template=|[command]|

    2) Local privilege escalation (root)

    Cpanel comes with the openwebmail package as one of its web-based email readers, and it is suid root.
    On a system where suid perl is fully installed (with suid mode turned on), a local user may
    include their own perl script when running the openwebmail script (oom) through suidperl.

    Openwebmail appends to the perl include path (@INC) based on the SCRIPT_FILENAME environment variable,
    then includes some files when it executes.

    /usr/local/cpanel/base/openwebmail/oom line 14

    if ( $ENV{'SCRIPT_FILENAME'} =~ m!^(.*?)/[\w\d\-]+\.pl! || $0 =~ m!^(.*?)/[\w\d\-]+\.pl! ) { $SCRIPT_DIR=$1; }
    if (!$SCRIPT_DIR) { print "Content-type: text/html\n\n\$SCRIPT_DIR not set in CGI script!\n"; exit 0; }
    push (@INC, $SCRIPT_DIR, ".");
    .
    .
    .
    require "openwebmail-shared.pl";

    proof of concept:
            i) Create a file openwebmail-shared.pl containing the perl script you want to execute.
            ii) Set SCRIPT_FILENAME to point to the full path of the openwebmail-shared.pl file you just created.
            iii) Execute the oom script (e.g. suidperl -T /usr/local/cpanel/base/openwebmail/oom)

    Vendor status
    =============
    14th February 2003 - Vendor informed, but we received no reply
    16th February 2003 - While checking the Cpanel Changelog, we found a security bug fix in guestbook.cgi for
                            Cpanel 6. We believe this is the fix for the above bug.

    Quick Solution
    ==============
    i) Remove /usr/local/cpanel/cgi-sys/guestbook.cgi.
    ii) Turn off suid mode on the oom script (chmod 755 /usr/local/cpanel/base/openwebmail/oom).
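
For hosts where guestbook.cgi was reachable before the quick solution was applied, the following added example (not part of the original advisory) scans web server access logs for guestbook.cgi requests whose template parameter is not a plain file name. It assumes Apache common log format and that legitimate template values are simple names; the allow-list pattern and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate template names are plain file names. The advisory
# does not list valid values, so tune this allow-list to your deployment.
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")
# Request line inside an Apache common/combined log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TARGET = "/cgi-sys/guestbook.cgi"


def suspicious_templates(line):
    """Return decoded template values in one log line that fail the allow-list."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith(TARGET):
        return []
    # parse_qs percent-decodes, so an encoded %7C is checked as '|'.
    values = parse_qs(url.query).get("template", [])
    return [v for v in values if not SAFE_TEMPLATE.fullmatch(v)]


def scan(lines):
    """Yield (client_ip, bad_values) for every flagged log line."""
    for line in lines:
        bad = suspicious_templates(line)
        if bad:
            yield line.split(" ", 1)[0], bad


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [19/Feb/2003:12:00:01 +0800] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=default.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [19/Feb/2003:12:00:09 +0800] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=%7Ccommand%7C HTTP/1.0" 200 87',
    '203.0.113.5 - - [19/Feb/2003:12:00:15 +0800] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|command| HTTP/1.0" 200 87',
    '198.51.100.7 - - [19/Feb/2003:12:00:21 +0800] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=../other/file HTTP/1.0" 200 1024',
    '192.0.2.44 - - [19/Feb/2003:12:00:30 +0800] "GET /index.html?template=|command| HTTP/1.0" 200 99',
]

if __name__ == "__main__":
    for ip, bad in scan(SAMPLE):
        print(ip, bad)
```

Any hit dated before guestbook.cgi was removed is worth following up on the account that the URL maps to in the Apache configuration.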

     
                    

     

     


