05-18-2013, 10:57 PM #1 (Web Hosting Master)
cPanel Root Exploit - Read ANY File On The Server - They Say, Minor Issue...
Type: Content Disclosure (Root Access)
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: 11.38.0.7 and earlier.
Fixed Version: -
CVE: -
Date: 2013-05-18
By: http://www.rack911.com
cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.
Vulnerability Description:
There is a flaw within the import / restore feature that allows an attacker to use a malicious archive to gain access to sensitive files via a symlink attack due to an incorrect handling of the domain log files. When the malicious archive is restored the symlinks become normal files that can then be backed up and viewed by the user.
Note: In order for this vulnerability to work, the attacker must social engineer the hosting company to restore the malicious archive. However, because transferring and restoring accounts is such a common practice in the hosting world we believe this exploit to be trivial to perform.
Proof of Concept:
We have thought long and hard about this and initially were going to release the proof of concept with this advisory, but have decided to wait until Wednesday (May 22, 2013) to give cPanel time to fix this "minor" exploit as they call it.
However, regardless of whether or not they put out a fix by then, we will be moving forward with a step by step guide and a pre-packaged archive that will compromise a handful of root owned files. We're talking the encrypted shadow password file, but also the plain text root MySQL password and any private SSH keys being used.
If anyone is concerned about this, we suggest that you email cPanel's security team at security[at]cpanel.net to voice your concern that a fix be issued before Wednesday for this "minor" issue.
Impact:
We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow, the MySQL root password and any private SSH keys. (It is also possible to grab multiple files at once using several symlink attacks within one malicious archive.)
It's important to note that cPanel has deemed this vulnerability to be "minor" in their eyes which we view to be extremely reckless towards the security of every hosting provider out there. It is their opinion that web hosting providers should not transfer or restore accounts from untrusted sources. As we all know, this practice is extremely common with shared hosting and especially reseller hosting providers.
We cannot stress enough how inexcusable it is for cPanel to view this flaw as a "minor" vulnerability. An attacker could create their own malicious archive in minutes and come up with 100 different plausible excuses to have their hosting provider restore the archive without so much of a second thought. We're trying to make the hosting community safer, but we cannot do it when companies such as cPanel continue to act like this.
Work Around:
Until cPanel issues a patch, we advise hosting providers to check their archives for symlinks and investigate accordingly:
tar -ztvf newuser.tar.gz | grep ' -> ' |grep -v public_html
Vulnerable Version:
This vulnerability was tested against cPanel (WHM) v11.38.0.7 and is believed to exist in all previous versions.
Last edited by BeZazz; 02-19-2014 at 12:06 PM.
-
05-18-2013, 11:17 PM #2 (Problem Solver)
How many of you restore backups every day without a second thought?
We get a good number of backup restoration requests from our customers with user supplied backups and the amount of checks we have to do is ridiculous because cPanel can't get their backup/restore system right.
Let me tell you about a plausible scenario:
You are a webhost, you get a new sign up and this user has a handful of accounts on a dedicated server. You offer free migration. This user is malicious. With the usage of hooks a crafty attacker could dynamically add these symlinks into the backups so when you go to transfer the accounts they automatically get added and then you restore on your server without second guessing it. Later that day your server has been wiped clean and you don't know why..
Yes.. it CAN happen and you would be completely blindsided by it.
There is another panel vulnerable to a very similar exploit, and their response is the equivalent of 'oh ****!'. If only cPanel cared that much!
cPanel is the only vendor out of approx 10 vendors who we are working with currently on flaws that basically have pushed us away completely.
With that said, I personally do not like the idea of sensitive data being able to be obtained through a user's account. Any time sensitive data has the potential to be compromised it should be resolved. If it requires a rewrite of how you do things.. then do it. It is not the fault of the poor users of the software that these issues exist, it's the vendor's fault and the users should not have to suffer.
Maybe I am going insane after 10+ years of this.. but I personally think that cPanel is the insane one.
Last edited by Steven; 05-18-2013 at 11:22 PM.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
05-19-2013, 11:30 AM #3 (Mr. Awesome)
It's very simple.
They won't care until the problem results in lost revenue.
Are people going to cancel their licenses or *not* purchase a license because of their security policy?
We are eNom PLATINUM PLUS resellers!
Sign up today for an eNom.com reseller account with lowest possible pricing.
* We provide support and service to over 4275 happy eNom domain name and SSL certificate resellers!
-
05-19-2013, 12:16 PM #4 (Problem Solver)
Well the POC is coming out Wednesday as much as I don't want it to come out without them fixing it as the potential for bystanders to be harmed is great.
No one checks backups before they restore them.
-
05-19-2013, 03:09 PM #5 (Web Hosting Evangelist)
This makes me glad I've never used cPanel over these years. I've always done things the manual way because I know that convenience usually trades off security.
I'm not a hoster, but if I were and I used cPanel I would be harassing their phone/email support every hour until they issued a fix. If it wasn't fixed within a few days, I would migrate elsewhere.
-
05-19-2013, 03:35 PM #6 (Mr. Awesome)
Yes, I'm sure all our customers would love it if we switched them to a different control panel. They will surely enjoy spending time changing all their website scripts to deal with the different control panel's file system paths, database names, email setup, etc.
If only it were so easy...
-
05-19-2013, 09:08 PM #7 (Web Hosting Master)
This is absurd. For cPanel to consider this "minor" is just ... words escape me. I can only guess that their reasoning has to do with the fact that the host first has to restore a backup. Perhaps their argument is that it would then be the host's fault.
If this report were coming from anyone else, I would have my doubts. However, Rack911 is a very well-respected management company and prone to neither hyperbole nor rash responses. As such, I invite cPanel to show up here and prove them wrong.
Better yet, please prove them wrong by pushing out a patch immediately.
Last edited by FRH Lisa; 05-19-2013 at 09:18 PM.
▐█▌Fresh Roasted Hosting :: High-performance Harrisburg web hosting since 2012!
▐█▌"The only thing better than the world's best customer service is never needing them in the first place."
▐█▌Shared :: VPS :: Reseller :: Dedicated :: Co-Location :: SSL Certificates
-
05-19-2013, 09:38 PM #8 (Problem Solver)
Right, let's blame the host instead of fixing a flaw.
Like I said in my earlier post, another vendor has a similar problem.. and they are jumping at fixing it.
I don't think cpanel understands their target audience at all. Sad to say, a large number of cpanel users are completely illiterate to servers.
They have this warning on /scripts/restorepkg:
Security Note: It is recommended that you do not restore a package from an untrusted source.
If you choose to ignore this warning, you should use --skipres to minimize the risk.
Someone said in another thread that it seems like we are singling out cPanel -- that is not the case. They are being irresponsible and we are trying to get them to change that.
I don't like my customers utilizing software with flaws. It goes against everything I believe in being an admin.
-
05-19-2013, 10:43 PM #9 (Web Hosting Master)
Thank you Patrick for your update and work around. Let's hope that a cPanel update will follow soon, to fix the problem and that they stop ignoring you.
By the way, if anyone wants to scan their hosted accounts for existing suspicious symlinks (possibly created using this or another cPanel vulnerability), they can run this command:
Code:
find /home*/ -type l -exec ls -l {} \; | grep -v 'www -> public_html' | grep -v '/mail/' | grep -v ' /usr/local/apache/domlogs' | grep -v '/cpeasyapache/' | grep -v '/virtfs/'
Last edited by NetworkPanda; 05-19-2013 at 10:46 PM.
★ NetworkPanda :: Web Hosting SSD Powered :: Reseller Hosting
★ Instant activation, fast servers, NVMe SSD disks, cPanel, Softaculous 1-click apps installer, daily backups
★ Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland
-
05-20-2013, 08:54 AM #10 (Web Hosting Master)
One thing worth noting, is that the warning is only when restoring via the command line. It does not give any such warning when you do it via WHM -- whether restoring a full backup archive on the same server or using the transfer account feature. Additionally, that -skipres message is TO SKIP RESELLER PRIVILEGES to prevent someone from making their reseller account root ... which is 100% unrelated to our flaw. Our flaw is for all users, normal users and reseller users.
This is all just so frustrating. The director of operations at cPanel requested a phone conference with us last week and we politely declined for reasons like this. It would turn into us yelling at them for not getting what we're trying to drive home in regards to the importance of proper disclosure when it comes to these types of flaws. I sent the director back a long email detailing what our issue is with cPanel and then the next day... we get this. They just don't get it... they don't get it!
-
05-20-2013, 08:59 AM #11 (Web Hosting Master)
Just a note, but that command will only work if the attacker is using the same cPanel server to package the malicious archives and leaves them behind.
Anyone can make the malicious archives on any server and once it's been restored by the admin that command will not work because cPanel immediately converts the symlinks to real files during the restore process. The only sure fire way for an admin to protect against this, short of not restoring any archives given to them which is cPanel's silly advice... is:
tar -ztvf newuser.tar.gz | grep ' -> ' |grep -v public_html
That will scan the archive to be restored and report any symlinks, of which there shouldn't be any in a normal archive. (As you mentioned though, any symlinks under their accounts should be checked anyway. Some people have not applied that symlink patch to cPanel for the other flaw that Steven reported on the other year.)
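The pre-restore check given in the advisory (post #1) and restated just above is a tar listing piped through grep. The following is an added example, not code from Rack911, cPanel or anyone in this thread, that performs the same check in Python and additionally separates symlinks whose target is absolute or climbs out of the archive from in-account ones such as www -> public_html; the sample archive and its path layout (newuser/homedir, newuser/domlogs) are constructed test data, not a real cPanel package.

```python
"""Pre-restore check: list every symlink inside an account archive and flag
the ones that point outside it.

Added example, not code from the advisory or the forum. The archive built by
build_sample_archive() is constructed test data; its path layout (newuser/homedir,
newuser/domlogs) is an assumption about how an account package is arranged.
"""
import io
import posixpath
import tarfile


def classify_symlinks(archive_bytes):
    """Return (dangerous, benign): lists of (member name, link target).

    A symlink is dangerous when its target is absolute or, resolved against the
    link's own directory, climbs out of the archive root. After a restore such a
    link becomes a real file whose contents came from outside the account.
    Benign links (like www -> public_html) still deserve a look, so they are
    returned too rather than silently dropped.
    """
    dangerous, benign = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.issym():
                continue
            target = member.linkname
            resolved = posixpath.normpath(
                posixpath.join(posixpath.dirname(member.name), target))
            escapes = (posixpath.isabs(target)
                       or resolved == ".."
                       or resolved.startswith("../"))
            (dangerous if escapes else benign).append((member.name, target))
    return dangerous, benign


def build_sample_archive():
    """Constructed sample package for the user 'newuser' (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        page = b"<html>hello</html>\n"
        info = tarfile.TarInfo("newuser/homedir/public_html/index.html")
        info.size = len(page)
        tar.addfile(info, io.BytesIO(page))

        # The one symlink every cPanel home directory normally carries.
        www = tarfile.TarInfo("newuser/homedir/www")
        www.type = tarfile.SYMTYPE
        www.linkname = "public_html"
        tar.addfile(www)

        # A domain log entry that is really a symlink to a root-owned file:
        # the pattern the advisory describes.
        log = tarfile.TarInfo("newuser/domlogs/example.com")
        log.type = tarfile.SYMTYPE
        log.linkname = "/etc/shadow"
        tar.addfile(log)

        # A relative target that climbs out of the archive root.
        rel = tarfile.TarInfo("newuser/homedir/.bashrc")
        rel.type = tarfile.SYMTYPE
        rel.linkname = "../../../../root/.ssh/id_rsa"
        tar.addfile(rel)
    return buf.getvalue()


if __name__ == "__main__":
    dangerous, benign = classify_symlinks(build_sample_archive())
    for name, target in dangerous:
        print(f"REFUSE RESTORE  {name} -> {target}")
    for name, target in benign:
        print(f"review          {name} -> {target}")
```

Run against a real package with `classify_symlinks(open("newuser.tar.gz", "rb").read())`; a non-empty dangerous list is a reason to refuse the restore, and anything in the benign list that is not the usual www link should be questioned.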
-
05-20-2013, 09:04 AM #12 (Web Hosting Master)
Why would a control panel enforce file paths, database naming conventions and email routing... Surely that is configuration... oh wait. Peel it all back before considering where to rolleyes..
At least there is some consistency in expectation between cpanel and whmcs.. just need to re-release the latest version without incrementing the version number to seal the professionalism..
Last edited by MattF; 05-20-2013 at 09:13 AM.
-
05-20-2013, 03:33 PM #13 (Web Hosting Master)
A direct competitor to cPanel suffers from a similar vulnerability and this was their response when I mentioned how cPanel labelled it minor:
In my book there's no such thing as a "low" priority security bug. We're fast-tracking a release to address this.
-
05-21-2013, 04:16 PM #14 (Web Hosting Master)
We've been trying to work with cPanel on this as well. They have a glaring disregard for how important (or in their eyes - not important) the whole backup / restore system is to providers such as us.
https://forums.cpanel.net/f185/resto...es-347802.html
The answer from cPanel is this - don't transfer accounts from anyone but yourselves. Even then tread cautiously because we don't sanitize anything.
What a joke.
█ Cody R.
█ Hawk Host Inc. Proudly Serving websites since 2004.
█ Official Let's Encrypt Sponsor
-
05-21-2013, 04:18 PM #15 (New Member)
Looks like cPanel is addressing this issue. Quote from the cPanel forums:
We’ve been getting some interesting and valuable feedback from the cPanel Community recently concerning the security model used by the transfer and backup restore system. We’d like to address these concerns here and provide the Community with some clarity on this topic, directly from cPanel.
First, we want to highlight again, the risk of restoring account backup packages from untrusted or unknown sources. We need to ensure that everyone has the opportunity to be conscious of the security concerns associated with this process.
The account backup package system (pkgacct) is designed to transfer an account between machines inside your ecosystem. This system's primary goal is to prefer replication integrity in order to simplify the process of migrating your accounts between your servers.
In order to achieve this goal it must copy the entire account, along with its configuration, privileges, customizations, files, and permissions that the account has been granted.
The system is not designed to handle untrusted data. There are a myriad of ways a malicious user can alter an account backup package to escalate privileges, or add additional privileges to an account backup package.
We strongly recommend that you do not restore data from untrusted sources. It is for this reason that the restore system has always been limited to the root user.
It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice than we envisioned. In addition, our warnings against doing so have been inadequate to discourage the restoration of untrusted account backup packages.
We understand the value that this workflow offers, and we want to offer a way to accomplish restoring account backup packages from untrusted sources in a more secure manner. The security and integrity of your system is very important to us.
Your feedback, along with the consideration of the desired workflow, has prompted us to reevaluate our current system and develop a new goal of delivering a more robust solution.
We will soon release an update that adds the warnings present in the CLI restorepkg script to the WHM UI. The warnings will be expanded to explain why account backup packages from untrusted sources should not be restored using the current system.
We have launched a high priority project to develop an alternate system for handling the restoration of untrusted account backup packages. This new system will restore a limited, safer subset of the data. The primary goal of the new restore tool will be to prefer the security of the restore over replication integrity. We will endeavor to provide as much of the current restore functionality with the new untrusted account backup package restore tool as possible. During the new transfer and restore process, you will be able to clearly select which system you want to use (trusted or untrusted) to restore an account backup package.
The CLI restorepkg tool will be renamed to restore_trusted_pkg. Once development of the untrusted account backup package restore system is complete, a restore_untrusted_pkg CLI tool will be added.
For the avoidance of doubt, untrusted sources means anyone you would not already trust with root access to the server.
-
05-21-2013, 04:28 PM #16 (Web Hosting Master)
-
05-21-2013, 04:37 PM #17 (Web Hosting Master)
Heh. I don't even know what to say any more... the notion that providers shouldn't restore "untrusted" backups is crazy. Think of all the reseller providers out there, how many they have to restore every single day!
It's worth noting that there are two other panels vulnerable to similar flaws and both are treating this as a high priority thing... one even said in relation to cPanel and I quote:
"In my book there's no such thing as a "low" priority security bug. We're fast-tracking a release to address this."
-
05-21-2013, 04:38 PM #18 (Problem Solver)
-
05-21-2013, 04:41 PM #19 (Newbie)
-
05-21-2013, 04:45 PM #20 (Web Hosting Master)
This high priority project has been brought to their attention for several years. They've only made it high priority since it's been made public. Where is the line drawn?
It's been known for years that the whole system was flawed. Ask anyone who has been in the industry for a while. cPanel isn't ignorant to this.
-
05-21-2013, 04:47 PM #21 (Web Hosting Master)
... now if only they would rewrite WHM to address our other (bigger) security concerns.
-
05-21-2013, 04:50 PM #22 (Newbie)
I think my point is still valid. It seems a little disingenuous to gloss over relevant parts of the cPanel post. Anyway - I'm curious.. now that cPanel has responded and Patrick is aware they're working on an alternative transfer/restore system - will he release his PoC anyway, since he says his goal was to elicit action by non-responsive vendors?
Last edited by Alfalfa_Head; 05-21-2013 at 05:02 PM.
-
05-21-2013, 05:08 PM #23 (Web Hosting Master)
I think the timeline is key in this instance - I'm not glossing over anything. cPanel glossed over the fact that they had glaring issues in their system. They were made aware of it several times. They simply shrugged it off until Rack911 and crew publicly posted this and now they have to publicly address it.
Seems terribly irresponsible that they're only now acknowledging it while underplaying the significance of the issue.
Any provider can tell you that this system is crucial to their business. I'm happy they're addressing it. I'm unhappy that it took so long and that they're underplaying it. Also from previous experience knowing how long this will likely take to resolve is quite annoying / frustrating as a cPanel based host.
I'm calling a spade a spade.
**EDIT** You have appeared to edit your post.
I sure hope so. I don't commend a vendor for not acting on something until it's made public and they're held to the fire. Responsible disclosure has been done in this case. It was disregarded. Only at the threat of public / full disclosure did this gain traction. That's a terrible precedent to set for any vendor.
Last edited by CodyRo; 05-21-2013 at 05:11 PM.
-
05-21-2013, 05:27 PM #24 (Web Hosting Evangelist)
This is the second vulnerability cPanel has blown off as a "meh" in the last what... 2 weeks? Guys over at WHMCS working the support desk at cPanel or what?
At least the customers can't restore themselves, that's the first positive I see for now. In my 17 years, I've never gone over a backup archive for its contents. Naive? I don't know, but I had no reason to and cPanel should be addressing this and not labeling it 'minor'. What a joke
-
05-21-2013, 05:40 PM #25 (Mr. Awesome)
What makes me laugh is this part of the cpanel response:
It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice than we envisioned.
Seriously?
Is cpanel serious admitting that they have their own heads stuck so far up their own arses that they didn't think the account transfer utility would be used by end-users wanting to switch from one cpanel provider to another?
Yes, their response is nothing more than an attempt at bad PR mitigation.
Steven and Patrick called them out publicly, so they have no choice but to respond publicly. They are trying to minimize their arrogance by what... making us believe they are even stupider than we thought?
Amazing.