cPanel mod_phpsuexec Vulnerability
Severity: High, Arbitrary Execution, Local Privilege Escalation
Background:
cPanel is a common web hosting management system written by cpanel.net,
installed on UNIX operating systems to help manage web, email, ftp, databases,
and other administrative tasks.
Problem Description:
The options used by cPanel software to compile Apache 1.3.29 and PHP using the
mod_phpsuexec option are flawed and allow any local user to execute arbitrary
code as any other user owning a web accessible php file.
Impact:
Fortunately, mod_phpsuexec is not enabled by default, so the majority of systems
using cPanel should not be vulnerable. But on those machines that are
vulnerable, all users on the machine are in danger. Any local user can destroy
files, deface web sites, or acquire full access to all databases used by anyone
on the machine that owns a file ending in .php.
Proof of Concept:
This tester php script http://64.240.171.106/cpanel.php can be used to test
your configuration to see if it is vulnerable. See
http://www.a-squad.com/audit/ for more details. If left unmodified, this
script will do no harm. It will just tell you if your system is safe or how to
secure it if it is vulnerable.
The test works by checking whether /usr/bin/php executes SCRIPT_FILENAME rather
than PATH_INFO when both environment variables are set. If it does not, the
system is vulnerable, because PATH_INFO can easily be spoofed from the
browser.
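The same SCRIPT_FILENAME versus PATH_INFO check, as an added local example that is not the A-Squad tester script: it assumes /usr/bin/php is a CGI build and that REDIRECT_STATUS must be set for it to run at all, and make_stub_interpreter is a constructed stand-in so the check can be tried on a host without PHP.

```python
import os
import stat
import subprocess
import tempfile

# Markers in two constructed PHP files; the one that is run tells us which variable was trusted.
INTENDED_MARK = "RAN_SCRIPT_FILENAME"
SPOOFED_MARK = "RAN_PATH_INFO"


def php_honours_script_filename(php_bin="/usr/bin/php"):
    """True if php_bin executes SCRIPT_FILENAME, False if it executes PATH_INFO
    instead (the flawed behaviour), None if the check is inconclusive."""
    with tempfile.TemporaryDirectory() as workdir:
        intended = os.path.join(workdir, "intended.php")
        spoofed = os.path.join(workdir, "spoofed.php")
        with open(intended, "w") as f:
            f.write("<?php echo '%s'; ?>\n" % INTENDED_MARK)
        with open(spoofed, "w") as f:
            f.write("<?php echo '%s'; ?>\n" % SPOOFED_MARK)
        # Minimal CGI environment. REDIRECT_STATUS is assumed to be required
        # because php-cgi refuses to run without it when cgi.force_redirect is on.
        env = {
            "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
            "GATEWAY_INTERFACE": "CGI/1.1",
            "REQUEST_METHOD": "GET",
            "REDIRECT_STATUS": "200",
            "SCRIPT_FILENAME": intended,  # what the server meant to run
            "PATH_INFO": spoofed,         # what a browser can forge
        }
        try:
            result = subprocess.run([php_bin], env=env, capture_output=True,
                                    text=True, timeout=15)
        except (OSError, subprocess.SubprocessError):
            return None
        if INTENDED_MARK in result.stdout:
            return True
        if SPOOFED_MARK in result.stdout:
            return False
        return None


def make_stub_interpreter(trusted_var):
    """Constructed stand-in for /usr/bin/php: a shell script that 'executes'
    (cats) whichever file the named CGI variable points at, so the checker can be
    exercised offline. trusted_var is 'SCRIPT_FILENAME' or 'PATH_INFO'."""
    fd, path = tempfile.mkstemp(prefix="stubphp-")
    with os.fdopen(fd, "w") as f:
        f.write('#!/bin/sh\nexec cat "$%s"\n' % trusted_var)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path
```

Run php_honours_script_filename() on the host itself; a False result means the binary trusts PATH_INFO and the system needs the Apache upgrade described under Solution.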
Any user can change another user's password by temporarily tweaking the target
user's .contactemail file just long enough to reset this user's password using
the built-in cpanel reset method. To prevent this, disable the ability to
reset passwords in the WHM.
Any user can obtain root access on the machine by manipulating one of the admin
accounts' .bashrc file to alias "su" to "fakesu" or any trojan that logs
keystrokes and obtain the root password next time this admin user logs in and
tries to "su" to root. It's easy to find out admin users with "su" privileges
by running "grep wheel /etc/group" or by running "last" to see which of these
users logged in recently. Due to the severity of this vulnerability, the
"fakesu" trojan code will not be provided, though it has been tested and is
known to work. To prevent this, don't let anyone that can create a .php script
be in the "wheel" group.
Solution:
Upgrade to Apache 1.3.31 or higher. Only systems running Apache 1.3.29 or
older can be vulnerable. I already notified the cPanel authors of this
vulnerability and it has been repaired. Only Apache configurations compiled
before Apr 15, 2004 are vulnerable.
Let me know if you need any more details.
--Rob Brown
A-Squad.Com