Posted May 25, 2004
Authored by Rob Brown

Severity: High, Arbitrary Execution, Local Privilege Escalation

Background:
cPanel is a common web hosting management system, written by cpanel.net and installed on UNIX operating systems, that helps manage web, email, FTP, databases, and other administrative tasks.

Problem Description:
The options used by cPanel software to compile Apache 1.3.29 and PHP using the mod_phpsuexec option are flawed and allow any local user to execute arbitrary code as any other user owning a web accessible php file.

Impact:
Fortunately, mod_phpsuexec is not enabled by default, so the majority of systems using cPanel should not be vulnerable. But on those machines that are vulnerable, every user on the machine is in danger: any local user can destroy files, deface web sites, or acquire full access to all databases used by anyone on the machine who owns a file ending in .php.

Proof of Concept:
This tester PHP script http://64.240.171.106/cpanel.php can be used to check whether your configuration is vulnerable. See http://www.a-squad.com/audit/ for more details. If left unmodified, the script does no harm; it only reports whether your system is safe, or how to secure it if it is vulnerable.

It works by checking that /usr/bin/php executes the file named by SCRIPT_FILENAME rather than the one named by PATH_INFO when both environment variables are set. If it does not, the system is vulnerable, because PATH_INFO can easily be spoofed from the browser.
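The same configuration check, written here as an added example rather than the author's cpanel.php: it invokes a PHP CGI binary with SCRIPT_FILENAME and PATH_INFO pointing at two different throw-away scripts and reports which one ran. It assumes /usr/bin/php is a CGI-SAPI build (as on the affected cPanel systems); the marker strings and the REDIRECT_STATUS value are constructed for the test.

```python
"""Self-test: does a PHP CGI binary run SCRIPT_FILENAME or PATH_INFO when both are set?
A fixed build runs SCRIPT_FILENAME; following PATH_INFO is the vulnerable case."""
import os
import subprocess
import tempfile

# Constructed markers: each throw-away script prints one, so stdout tells us which ran.
LEGIT_MARKER = "RAN-SCRIPT_FILENAME"
SPOOF_MARKER = "RAN-PATH_INFO"


def cgi_env(script_filename, path_info):
    """Minimal CGI environment in which the two path variables disagree."""
    return {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": "GET",
        "SERVER_PROTOCOL": "HTTP/1.0",
        # php-cgi refuses direct invocation unless this is set (cgi.force_redirect).
        "REDIRECT_STATUS": "200",
        "SCRIPT_FILENAME": script_filename,
        "PATH_INFO": path_info,
    }


def classify(output):
    """Turn PHP's stdout into a verdict; at most one marker should appear."""
    if SPOOF_MARKER in output:
        return "vulnerable"  # PATH_INFO was executed in preference to SCRIPT_FILENAME
    if LEGIT_MARKER in output:
        return "safe"
    return "unknown"         # binary missing, not a CGI build, or ran neither script


def run_check(php_binary="/usr/bin/php"):
    """Write the two scripts, run the binary once, and return the verdict."""
    with tempfile.TemporaryDirectory() as workdir:
        legit = os.path.join(workdir, "legit.php")
        spoof = os.path.join(workdir, "spoof.php")
        for path, marker in ((legit, LEGIT_MARKER), (spoof, SPOOF_MARKER)):
            with open(path, "w") as f:
                f.write('<?php echo "%s"; ?>' % marker)
        try:
            proc = subprocess.run([php_binary], env=cgi_env(legit, spoof),
                                  stdin=subprocess.DEVNULL, capture_output=True,
                                  text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            return "unknown"
        return classify(proc.stdout)
```

Call `run_check()` on the host being audited; "unknown" means the binary could not be run as a CGI and the result says nothing about the configuration.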

Any user can change another user's password by temporarily tweaking the target user's .contactemail file just long enough to reset this user's password using the built-in cpanel reset method. To prevent this, disable the ability to reset passwords in the WHM.

Any user can obtain root access on the machine by manipulating one of the admin accounts' .bashrc file to alias "su" to "fakesu" or any trojan that logs keystrokes and obtain the root password next time this admin user logs in and tries to "su" to root. It's easy to find out admin users with "su" privileges by running "grep wheel /etc/group" or by running "last" to see which of these users logged in recently. Due to the severity of this vulnerability, the "fakesu" trojan code will not be provided, though it has been tested and is known to work. To prevent this, don't let anyone that can create a .php script be in the "wheel" group.

Solution:
Upgrade to Apache 1.3.31 or higher. Only systems running Apache 1.3.29 or older can be vulnerable. I already notified the cPanel authors of this vulnerability and it has been repaired. Only Apache configurations compiled before Apr 15, 2004 are vulnerable.

Let me know if you need any more details.

--Rob Brown
A-Squad.Com