  1. #1

    Admin-Ahead Add-On Domain to Main Account Converter Privilege Escalation (R911-0086)

    Type: Privilege Escalation
    Location: Local
    Impact: Critical
    Product: Admin-Ahead Add-On Domain to Main Account Converter
    Website: http://admin-ahead.com/add-domain-ma...el-whm-plugin/
    Vulnerable Version: 1.0.0
    Fixed Version: 1.0.1
    CVE: -
    R911: 0086
    Date: 2013-11-18
    By: Rack911
    Product Description:

    Another feature to add to your cPanel WHM from the Admin-Ahead Team, the Add-On Domain to Main Account Converter cPanel WHM Plugin. Add this Plugin and click to convert an add-on domain to a main domain in seconds.

    Vulnerability Description:

    There is a privilege escalation vulnerability that would allow an attacker to obtain root access and/or take control of any file on the server.

    Impact:

    We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

    Vulnerable Version:

    This vulnerability was tested against Admin-Ahead Add-On Domain to Main Account Converter v1.0.0 and is believed to exist in all prior versions.

    Fixed Version:

    This vulnerability was patched in Admin-Ahead Add-On Domain to Main Account Converter v1.0.1.

    Vendor Contact Timeline:

    2013-11-17: Vendor contacted via email.
    2013-11-17: Vendor confirms vulnerability.
    2013-11-18: Vendor issues 1.0.1 update.
    2013-11-18: Rack911 issues security advisory.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  2. #2
    Seems you guys were quite busy this weekend.

    I think this is one of the more disturbing plugins I've come across. I shuddered, read the description, and reread the two vuln fixes. Are some of these really just a few days old? Or do those timestamps reflect released updates? First I'd heard about this one. Then again I've never permitted addon domains on my cPanel environments... but if they're falling behind already I'd be cautious of practically everything else. Kudos to them for at least acting quickly on it I suppose.

  3. #3
    Quote Originally Posted by jfnllc:
    Seems you guys were quite busy this weekend.
    Sadly it was more like 45 minutes.

    Quote Originally Posted by jfnllc:
    I think this is one of the more disturbing plugins I've come across. I shuddered, read the description, and reread the two vuln fixes. Are some of these really just a few days old? Or do those timestamps reflect released updates? First I'd heard about this one. Then again I've never permitted addon domains on my cPanel environments... but if they're falling behind already I'd be cautious of practically everything else. Kudos to them for at least acting quickly on it I suppose.
    They are fairly new plugins. It seems like they were cobbled together and pushed out.

  4. #4
    Jeez, 45 minutes has got to fall into some sort of record.

    See, that frustrates me even further and is one of the reasons I'm not taking on new shared orders now, and just supporting the existing clients. First of all I'm too busy with virtuals and management. Not only is it that I'm busy, but I know and trust every single shared client and I'm not going to risk that for five extra bucks -- seems like so much of this industry has been lost in a sea of automation, resellers, plugins, cpAddons, and everything else that's been hastily stuffed into cPanel the past couple of years. Just about every plugin/addon is, like you said, tossed out to users without any real Q.A. testing and verification. By the time they've patched a privilege escalation and sent it out, they're discovering that the patch created a spinoff path traversal vulnerability to a sensitive directory...or something like that.

    Personally I think Softaculous does the same thing...too many product updates in rapid succession, there's no way their fixes were appropriately tested, like with the OpenVZ configs in Virtualizor...first they told me that my concerns didn't warrant any changes, and that I was so far from correct that I was an inconvenience to them, and yet the next three versions addressed fixes for the very problems I'd reported months before. It's a pattern I'm just not down with. We all got by with manual provisioning, billing, and software installs 10 years ago, and I don't recall nearly as many suspicious activities. It's like a bunch of people got together and read all of the cPanel feature requests and whipped something off without considering all the angles. It makes providers like myself, who don't let automation/WHMCS control the fate of the business, look like something out of the stone age, when we're really only guilty of ensuring performance and integrity over speed and convenience. And somehow it all happened while I was holed up in my office, actually learning the industry rather than expecting it to somehow work for me. Just really frustrating sometimes, especially after realizing that people are buying a security flaw for $1.00. I've always had a weird feeling about cpaddons/addon domains...lately it seems like some of the very utilities I've disabled by default since day one are the ones ending up to be the most problematic.

    I didn't notice the malware scanner addon until after the converter. I almost hit the floor. Why not have a convicted felon install your home security system while you're at it?

    Okay, off the soapbox now. Sorry about that - if I get a roll going I barely realize how many paragraphs I've actually written. Hoping at least one person shares some of these feelings, otherwise my preplanned nervous breakdown is arriving far earlier than expected.
    Last edited by Johnny Cache; 11-18-2013 at 06:54 PM.

  5. #5
    Quote Originally Posted by jfnllc:
    Jeez, 45 minutes has got to fall into some sort of record.
    This one, I had snagged down within a couple minutes of installing it. I had gone through their entire suite in 45 minutes of work.

    The state of hosting security is scary, however not as scary by far as say 8 months ago. Some cPanel plugins are actually quite good now.

  6. #6
    Quote Originally Posted by Steven:
    ...not as scary by far as say 8 months ago. Some cPanel plugins are actually quite good now.
    I agree that there's been significant changes as of late, and it's nice to be able to enjoy some downtime. Whether this is a calm before the storm -- that's more your department.

    As for plugins, I'm perfectly happy with having Softaculous for the clients, and the ConfigServer suite for myself. I had Installatron running alongside but yanked it out not long ago. It just seemed ... not right to me. That and I think 10 clients used it over the six months I was running it. Around that time a friend of mine who was running it said that some installations belonging to other users were being displayed globally under the list of installed apps. I know nothing about how he runs his server, but that was enough for me.

    Anyhoo. As it relates to the thread topic, even going through the entire suite that fast, I can't help but assume that you've still got your work cut out for you in the future. Maybe next time it'll take 55 minutes. I had this crazy idea about getting their malware addon, using the 11.36 container on my dev box, injecting the crap out of some WP/Joomla instances, and maybe drop a shell in there somewhere, just to see what's picked up and what's ignored, and then run CSX right behind it. Would be an interesting comparison. Good chatting with ya

  7. #7
    Quote Originally Posted by jfnllc:
    Seems you guys were quite busy this weekend.
    You should see our pending release list, it's getting as long as our published list!

    We have a few big names to drop soon, hopefully this week, if the developers will get their acts together... super frustrating when we are given timelines and then they get pushed back, over and over.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  8. #8
    Quote Originally Posted by jfnllc:
    I agree that there's been significant changes as of late, and it's nice to be able to enjoy some downtime. Whether this is a calm before the storm -- that's more your department.

    As for plugins, I'm perfectly happy with having Softaculous for the clients, and the ConfigServer suite for myself. I had Installatron running alongside but yanked it out not long ago. It just seemed ... not right to me. That and I think 10 clients used it over the six months I was running it. Around that time a friend of mine who was running it said that some installations belonging to other users were being displayed globally under the list of installed apps. I know nothing about how he runs his server, but that was enough for me.

    Anyhoo. As it relates to the thread topic, even going through the entire suite that fast, I can't help but assume that you've still got your work cut out for you in the future. Maybe next time it'll take 55 minutes. I had this crazy idea about getting their malware addon, using the 11.36 container on my dev box, injecting the crap out of some WP/Joomla instances, and maybe drop a shell in there somewhere, just to see what's picked up and what's ignored, and then run CSX right behind it. Would be an interesting comparison. Good chatting with ya
    Their plugin is just a frontend to rfxn maldet.

  9. #9
    Quote Originally Posted by Steven:
    Their plugin is just a frontend to rfxn maldet.
    I'll admit I wasn't aware of that, but $50 won't destroy me. Assuming they're maintained equally? Or at least pretty close? Even if I had known, I would probably have donated the 50 bucks to rfxn anyway.

    Quite some time ago I tried out the Pyxsoft service. If I'm not mistaken it was more of a glorified ClamAV scan with ModSecurity controls, but it's been a while since I've used it. I'd have to check it again to be sure.

  10. #10
    Quote Originally Posted by jfnllc:
    I'll admit I wasn't aware of that, but $50 won't destroy me. Assuming they're maintained equally? Or at least pretty close..? Even if I had known, I would probably have donated the 50 bucks to rfxn anyway.

    Quite some time ago I tried out the Pyxsoft service. If I'm not mistaken it was more of a glorified ClamAV scan with ModSecurity controls, but it's been a while since I've used it. I'd have to check it again to be sure.
    I mean the admin-ahead product is maldet.
    CXS is all config server.

  11. #11
    Quote Originally Posted by Steven:
    I mean the admin-ahead product is maldet.
    CXS is all config server.
    Ha okay I'm back with ya now.
    Now that I've seen their free APF frontend on their site it makes perfect sense.
