cPanel Root Exploit - Read ANY File On The Server - They Say, Minor Issue...

#1  05-18-2013, 10:57 PM
Patrick (Security Ninja; Join Date: Mar 2003; Location: Canada; Posts: 8,614)

cPanel Root Exploit - Read ANY File On The Server - They Say, Minor Issue...


Quote:
Type: Content Disclosure (Root Access)
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: 11.38.0.7 and earlier.
Fixed Version: -
CVE: -
Date: 2013-05-18
By: http://www.rack911.com
Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within the import / restore feature that allows an attacker to use a malicious archive to gain access to sensitive files via a symlink attack due to an incorrect handling of the domain log files. When the malicious archive is restored the symlinks become normal files that can then be backed up and viewed by the user.

Note: In order for this vulnerability to work, the attacker must social engineer the hosting company to restore the malicious archive. However, because transferring and restoring accounts is such a common practice in the hosting world we believe this exploit to be trivial to perform.

Proof of Concept:

We have thought long and hard about this and initially were going to release the proof of concept with this advisory, but have decided to wait until Wednesday (May 22, 2013) to give cPanel time to fix this "minor" exploit as they call it.

However, regardless of whether or not they put out a fix by then, we will be moving forward with a step by step guide and a pre-packaged archive that will compromise a handful of root owned files. We're talking the encrypted shadow password file, but also the plain text root MySQL password and any private SSH keys being used.

If anyone is concerned about this, we suggest that you email cPanel's security team at security[at]cpanel.net to voice your concern that a fix be issued before Wednesday for this "minor" issue.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow, the MySQL root password and any private SSH keys. (It is also possible to grab multiple files at once using several symlink attacks within one malicious archive.)

It's important to note that cPanel has deemed this vulnerability to be "minor" in their eyes which we view to be extremely reckless towards the security of every hosting provider out there. It is their opinion that web hosting providers should not transfer or restore accounts from untrusted sources. As we all know, this practice is extremely common with shared hosting and especially reseller hosting providers.

We cannot stress enough how inexcusable it is for cPanel to view this flaw as a "minor" vulnerability. An attacker could create their own malicious archive in minutes and come up with 100 different plausible excuses to have their hosting provider restore the archive without so much of a second thought. We're trying to make the hosting community safer, but we cannot do it when companies such as cPanel continue to act like this.

Work Around:

Until cPanel issues a patch, we advise hosting providers to check their archives for symlinks and investigate accordingly:

tar -ztvf newuser.tar.gz | grep ' -> ' |grep -v public_html

Vulnerable Version:

This vulnerability was tested against cPanel (WHM) v11.38.0.7 and is believed to exist in all previous versions.


Last edited by BeZazz; 02-19-2014 at 12:06 PM.

Thread Summary (information taken from http://www.webhostingtalk.com/showpo...&postcount=118)

For anyone late to the party that can't be bothered to read through the entire thread, here are two posts that discuss detecting possible malicious symlinks in untrusted archives:

http://www.webhostingtalk.com/showpo...6&postcount=57
http://www.webhostingtalk.com/showpo...6&postcount=65

The first post is a manual check and the second one is a wrapper that can be added to cPanel to do it automatically. If anyone has any questions about these two methods, let us know and we'll do our best to help you out.

Contributors: BeZazz

#2  05-18-2013, 11:17 PM
Steven (Problem Solver; Join Date: Mar 2003; Location: California USA; Posts: 12,927)
How many of you restore backups every day without a second thought?
We get a good number of backup restoration requests from our customers with user supplied backups and the amount of checks we have to do is ridiculous because cPanel can't get their backup/restore system right.

Let me tell you about a plausible scenario:
Quote:
You are a webhost, you get a new sign up and this user has a handful of accounts on a dedicated server. You offer free migration. This user is malicious. With the usage of hooks a crafty attacker could dynamically add these symlinks into the backups so when you go to transfer the accounts they automatically get added and then you restore on your server without second guessing it. Later that day your server has been wiped clean and you don't know why..

Yes.. it CAN happen and you would be completely blind sided by it.
A few years ago I discovered a bug with cPanel backups which allowed a backup to be tampered with to access other databases or remove the root account for MySQL. I discovered this originally because I was doing a Plesk to cPanel migration and upon moving an account the MySQL root account disappeared completely. I took a further look at the issue and discovered I could make small modifications and grant users in one account access to other accounts. Upon contacting cPanel they stated that there was nothing that could be done about it. Surprise surprise - the issue is patched and they never let anyone know. I suspect this will probably occur a few months one day.

There is another panel vulnerable to a very similar exploit, and their response is the equivalent of 'oh ****!'. If only cPanel cared that much!
cPanel is the only vendor out of approx 10 vendors who we are working with currently on flaws that basically have pushed us away completely.

With that said, I know that me personally.. do not like the idea of sensitive data being able to be obtained through a user's account. Any time sensitive data has the potential to be compromised it should be resolved. If it requires a rewrite of how you do things.. then do it. It is not the poor users of the software's fault these issues exist, it's the vendor's fault and the users should not have to suffer.

Maybe I am going insane after 10+ years of this.. but I personally think that cPanel is the insane ones.

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com
System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
Managed Servers (AS62710), Server Management, and Security Auditing.
www.HostingSecList.com - Security notices for the hosting community.


Last edited by Steven; 05-18-2013 at 11:22 PM.
#3  05-19-2013, 11:30 AM
mrzippy (Mr. Awesome; Join Date: Jul 2002; Posts: 5,899)
It's very simple.

They won't care until the problem results in lost revenue.

Are people going to cancel their licenses or *not* purchase a license because of their security policy?

__________________
Want to sell domain names? Sign up today for an eNom.com reseller account from a trusted eNom ETP provider.
* We provide support and service to over 3245 happy eNom domain name and SSL certificate resellers!

#4  05-19-2013, 12:16 PM
Steven (Problem Solver; Join Date: Mar 2003; Location: California USA; Posts: 12,927)
Well the POC is coming out Wednesday as much as I don't want it to come out without them fixing it as the potential for bystanders to be harmed is great.

No one checks backups before they restore them.


#5  05-19-2013, 03:09 PM
evohost Canada (WHT Addict; Join Date: Jun 2012; Location: SK, Canada; Posts: 164)
This makes me glad I've never used cPanel over these years. I've always done things the manual way because I know that convenience usually trades off security.

I'm not a hoster, but if I was and I used cPanel I would be harassing their phone/email support every hour until they issued a fix. If it wasn't fixed within a few days, I would migrate elsewhere.

#6  05-19-2013, 03:35 PM
mrzippy (Mr. Awesome; Join Date: Jul 2002; Posts: 5,899)
Quote:
Originally Posted by swiftnode View Post
If it wasn't fixed within a few days, I would migrate elsewhere.
Yes, I'm sure all our customers would love it if we switched them to a different control panel. They will surely enjoy spending time changing all their website scripts to deal with the different control panel's file system paths, database names, email setup, etc.

If only it were so easy...


#7  05-19-2013, 09:08 PM
FRH Lisa (Web Hosting Master; Join Date: Nov 2011; Location: Harrisburg, PA; Posts: 1,556)
This is absurd. For cPanel to consider this "minor" is just ... words escape me. I can only guess that their reasoning has to do with the fact that the host first has to restore a backup. Perhaps their argument is that it would then be the host's fault.

If this report were coming from anyone else, I would have my doubts. However, Rack911 is a very well-respected management company and prone to neither hyperbole nor rash responses. As such, I invite cPanel to show up here and prove them wrong.

Better yet, please prove them wrong by pushing out a patch immediately.

__________________
Fresh Roasted Hosting :: Coffee-Lovin' Harrisburg Web Hosting
LiteSpeed :: CloudLinux :: SSD Databases :: Xen PV VPS :: Custom Dedicated Servers
Harrisburg PA :: Dallas TX :: Coming Soon to Phoenix AZ!


Last edited by FRH Lisa; 05-19-2013 at 09:18 PM.
#8  05-19-2013, 09:38 PM
Steven (Problem Solver; Join Date: Mar 2003; Location: California USA; Posts: 12,927)
Quote:
Originally Posted by FRH Lisa View Post
Perhaps their argument is that it would then be the host's fault.
Right, let's blame the host instead of fixing a flaw.
Like I said in my earlier post, another vendor has a similar problem.. and they are jumping at fixing it.

I don't think cpanel understands their target audience at all. Sad to say, a large number of cpanel users are completely illiterate to servers.

They have this warning on /scripts/restorepkg:

Quote:
Security Note: It is recommended that you do not restore a package from an untrusted source.
If you choose to ignore this warning, you should use --skipres to minimize the risk.
No where does it explain why. Plenty of people just ignore it and restore anyway -- I dare someone to prove me wrong on this.

Someone said in another thread that it seems like we are singling out cPanel -- that is not the case. They are being irresponsible and we are trying to get them to change that.
I don't like my customers utilizing software with flaws. It goes against everything I believe in being an admin.


#9  05-19-2013, 10:43 PM
NetworkPanda (Premium Member; Join Date: Oct 2012; Location: Europe and USA; Posts: 625)
Thank you Patrick for your update and work around. Let's hope that a cPanel update will follow soon, to fix the problem and that they stop ignoring you.

By the way, if anyone wants to scan their hosted accounts for existing suspicious symlinks (possibly created using this or another cPanel vulnerability), they can run this command:

Code:
find /home*/ -type l -exec ls -l {} \; | grep -v 'www -> public_html' | grep -v '/mail/' | grep -v ' /usr/local/apache/domlogs' | grep -v '/cpeasyapache/' | grep -v '/virtfs/'
Symlinks found by this command should be inspected carefully.

__________________
Network Panda
Web Hosting: Instant activation, cPanel, Softaculous, FFMPEG. Fast servers in USA, Canada, Germany, Netherlands, France, Italy.
Reseller Hosting


Last edited by NetworkPanda; 05-19-2013 at 10:46 PM.
#10  05-20-2013, 08:54 AM
Patrick (Security Ninja; Join Date: Mar 2003; Location: Canada; Posts: 8,614)
Quote:
Originally Posted by Steven View Post
They have this warning on /scripts/restorepkg:

Security Note: It is recommended that you do not restore a package from an untrusted source. If you choose to ignore this warning, you should use --skipres to minimize the risk.

No where does it explain why. Plenty of people just ignore it and restore anyway -- I dare someone to prove me wrong on this.
One thing worth noting is that the warning is only shown when restoring via the command line. It does not give any such warning when you do it via WHM -- whether restoring a full backup archive on the same server or using the transfer account feature. Additionally, that --skipres message is TO SKIP RESELLER PRIVILEGES to prevent someone from making their reseller account root ... which is 100% unrelated to our flaw. Our flaw is for all users, normal users and reseller users.

This is all just so frustrating. The director of operations at cPanel requested a phone conference with us last week and we politely declined for reasons like this. It would turn into us yelling at them for not getting what we're trying to drive home in regards to the importance of proper disclosure when it comes to these types of flaws. I sent the director back a long email detailing what our issue is with cPanel and then the next day... we get this. They just don't get it... they don't get it!

#11  05-20-2013, 08:59 AM
Patrick (Security Ninja; Join Date: Mar 2003; Location: Canada; Posts: 8,614)
Quote:
Originally Posted by NetworkPanda View Post
By the way, if anyone wants to scan their hosted accounts for existing suspicious symlinks (possibly created using this or another cPanel vulnerability), they can run this command:
Just a note, but that command will only work if the attacker is using the same cPanel server to package the malicious archives and leaves them behind.

Anyone can make the malicious archives on any server and once it's been restored by the admin that command will not work because cPanel immediately converts the symlinks to real files during the restore process. The only sure fire way for an admin to protect against this, short of not restoring any archives given to them which is cPanel's silly advice... is:

tar -ztvf newuser.tar.gz | grep ' -> ' |grep -v public_html

That will scan the archive to be restored and report any symlinks, of which there shouldn't be any in a normal archive. (As you mentioned though, any symlinks under their accounts should be checked anyway. Some people have not applied that symlink patch to cPanel for the other flaw that Steven reported the other year.)
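As an added illustration (not code from the advisory, from Rack911, from NetworkPanda or from cPanel), here is a Python version of the two checks this thread discusses: the pre-restore archive inspection that the advisory and post #11 do with `tar -ztvf ... | grep ' -> '`, and the post-restore `find /home*/ -type l` scan from post #9. Unlike the grep, it classifies each symlink by where its target resolves, so a link that leaves the account is reported no matter which directory inside the archive it sits in. It assumes the account name is the archive's top-level directory (cPanel's real package layout may differ) and treats only cPanel's `www -> public_html` link as expected; the sample archive and home directory it builds are constructed for the demonstration and are not real cPanel data.

```python
import io
import os
import posixpath
import shutil
import tarfile
import tempfile

# The one symlink cPanel itself places in an account that the thread treats as
# expected (www -> public_html). Every other symlink is reported for review.
BENIGN_LINKS = {("www", "public_html")}


def classify_link(link_path, target, root, benign=BENIGN_LINKS):
    """Verdict for one symlink. 'root' is the directory the link must stay inside:
    the archive's top-level directory, or the account's home directory on disk."""
    if posixpath.isabs(target):
        resolved = posixpath.normpath(target)
    else:
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    root = root.rstrip("/")
    if resolved != root and not resolved.startswith(root + "/"):
        return "outside-account"  # reaches a file the account should never see
    if (posixpath.basename(link_path), target) in benign:
        return "expected"
    return "review"  # stays inside the account, but is not a known-good link


def scan_archive_bytes(blob, benign=BENIGN_LINKS):
    """Pre-restore check (the advisory's tar|grep, but path-independent): list every
    symlink member of a gzipped tar archive with a verdict. Nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.issym():
                top = member.name.split("/", 1)[0]  # assumption: top-level dir = account
                verdict = classify_link(member.name, member.linkname, top, benign)
                findings.append((member.name, member.linkname, verdict))
    return findings


def suspicious_links(findings):
    """Only the findings an admin must look at before restoring."""
    return [f for f in findings if f[2] != "expected"]


def scan_home_dirs(base, benign=BENIGN_LINKS):
    """Post-restore check (NetworkPanda's find -type l): walk each home directory
    under 'base' without following symlinks and classify every link found."""
    findings = []
    for home in os.listdir(base):
        home_path = os.path.join(base, home)
        if os.path.islink(home_path) or not os.path.isdir(home_path):
            continue
        for dirpath, dirnames, filenames in os.walk(home_path):
            for entry in dirnames + filenames:
                full = os.path.join(dirpath, entry)
                if os.path.islink(full):
                    target = os.readlink(full)
                    findings.append((full, target, classify_link(full, target, home_path, benign)))
    return sorted(findings)


def build_sample_archive():
    """Constructed sample; the acct/homedir layout is an assumption, not cPanel's format."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("acct", "acct/homedir", "acct/homedir/public_html"):
            info = tarfile.TarInfo(name)
            info.type, info.mode = tarfile.DIRTYPE, 0o755
            tar.addfile(info)
        page = b"<html>hello</html>\n"
        info = tarfile.TarInfo("acct/homedir/public_html/index.html")
        info.size = len(page)
        tar.addfile(info, io.BytesIO(page))
        for name, target in (("acct/homedir/www", "public_html"),          # expected
                             ("acct/homedir/notes.txt", "/etc/shadow"),     # root-owned target
                             ("acct/homedir/old", "../../other/homedir")):  # climbs out of the account
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)
    return buf.getvalue()


def demo_home_scan():
    """Constructed home tree in a temp dir: one expected link, one pointing outside."""
    base = tempfile.mkdtemp()
    try:
        home = os.path.join(base, "alice")
        os.makedirs(os.path.join(home, "public_html"))
        os.symlink("public_html", os.path.join(home, "www"))
        os.symlink("/etc/shadow", os.path.join(home, "report.txt"))
        return [(os.path.relpath(p, base), t, v) for p, t, v in scan_home_dirs(base)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for finding in scan_archive_bytes(build_sample_archive()):
        print("archive:", *finding)
    for finding in demo_home_scan():
        print("homedir:", *finding)
```

For a real archive, read the file into `scan_archive_bytes` (or swap the `BytesIO` for the path) and refuse the restore if `suspicious_links` returns anything; the post-restore scan is only a secondary check, since, as Patrick notes, the restore turns archive symlinks into ordinary files that a filesystem walk can no longer tell apart.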

#12  05-20-2013, 09:04 AM
MattF (Web Hosting Master; Join Date: Nov 2000; Location: UK; Posts: 3,139)
Quote:
Originally Posted by mrzippy View Post
Yes, I'm sure all our customers wouldn love if we switched them to a different control panel. They will surely enjoy spending time changing all their website scripts to deal with the different control panel's of file system paths, database names, email setup, etc.

If only it were so easy...
Why would a control panel enforce file paths, database naming conventions and email routing... Surely that is configuration... oh wait. Peel it all back before considering where to rolleyes..

At least there is some consistency in expectation between cPanel and WHMCS.. just need to re-release the latest version without incrementing the version number to seal the professionalism..


Last edited by MattF; 05-20-2013 at 09:13 AM.
#13  05-20-2013, 03:33 PM
Patrick (Security Ninja; Join Date: Mar 2003; Location: Canada; Posts: 8,614)
A direct competitor to cPanel suffers from a similar vulnerability and this was their response when I mentioned how cPanel labelled it minor:

Quote:
In my book there's no such thing as a "low" priority security bug. We're fast-tracking a release to address this.
I'd love to name the company but since they haven't issued a patch yet, I don't want to put their customers at risk. It is extremely refreshing though for a company to take security seriously. Pay attention cPanel, because that is how you handle security vulnerabilities!

#14  05-21-2013, 04:16 PM
CodyRo (Web Hosting Master; Join Date: Feb 2006; Location: Buffalo NY; Posts: 1,237)
We've been trying to work with cPanel on this as well. They have a glaring disregard for how important (or in their eyes - not important) the whole backup / restore system is to providers such as us.

https://forums.cpanel.net/f185/resto...es-347802.html

The answer from cPanel is this - don't transfer accounts from anyone but yourselves. Even then tread cautiously because we don't sanitize anything.

What a joke.

__________________
Cody R. - Chief Technical Officer
Quality Shared and VPS Hosting
Hawk Host Inc. Proudly serving websites since 2004
PHP 5.3.x & PHP 5.4.x & PHP 5.5.X Support!

#15  05-21-2013, 04:18 PM
CitizenKepler (New Member; Join Date: May 2013; Posts: 1)
Looks like cPanel is addressing this issue. Quote from the cPanel forums:

Quote:
We've been getting some interesting and valuable feedback from the cPanel Community recently concerning the security model used by the transfer and backup restore system. We'd like to address these concerns here and provide the Community with some clarity on this topic, directly from cPanel.

First, we want to highlight again, the risk of restoring account backup packages from untrusted or unknown sources. We need to ensure that everyone has the opportunity to be conscious of the security concerns associated with this process.

The account backup package system (pkgacct) is designed to transfer an account between machines inside your ecosystem. This system's primary goal is to prefer replication integrity in order to simplify the process of migrating your accounts between your servers.

In order to achieve this goal it must copy the entire account, along with its configuration, privileges, customizations, files, and permissions that the account has been granted.
The system is not designed to handle untrusted data. There are a myriad of ways a malicious user can alter an account backup package to escalate privileges, or add additional privileges to an account backup package.
We strongly recommend that you do not restore data from untrusted sources. It is for this reason that the restore system has always been limited to the root user.


It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice than we envisioned. In addition, our warnings against doing so have been inadequate to discourage the restoration of untrusted account backup packages.

We understand the value that this workflow offers, and we want to offer a way to accomplish restoring account backup packages from untrusted sources in a more secure manner. The security and integrity of your system is very important to us.

Your feedback, along with the consideration of the desired workflow, has prompted us to reevaluate our current system and develop a new goal of delivering a more robust solution.

We will soon release an update that adds the warnings present in the CLI restorepkg script to the WHM UI. The warnings will be expanded to explain why account backup packages from untrusted sources should not be restored using the current system.
We have launched a high priority project to develop an alternate system for handling the restoration of untrusted account backup packages. This new system will restore a limited, safer subset of the data. The primary goal of the new restore tool will be to prefer the security of the restore over replication integrity. We will endeavor to provide as much of the current restore functionality with the new untrusted account backup package restore tool as possible. During the new transfer and restore process, you will be able to clearly select which system you want to use (trusted or untrusted) to restore an account backup package.
The CLI restorepkg tool will be renamed to restore_trusted_pkg. Once development of the untrusted account backup package restore system is complete, a restore_untrusted_pkg CLI tool will be added.


For the avoidance of doubt, untrusted sources means anyone you would not already trust with root access to the server.
~ forums.cpanel.net/f185/restoring-account-backup-packages-unknown-untrusted-sources-347802.html#post1394992
