11-18-2013, 12:12 PM, #1, Problem Solver (Join Date: Mar 2003 | Location: California USA | Posts: 13,681)
Admin-Ahead Add-On Domain to Main Account Converter Privilege Escalation (R911-0086)
Type: Privilege Escalation
Location: Local
Impact: Critical
Product: Admin-Ahead Add-On Domain to Main Account Converter
Website: http://admin-ahead.com/add-domain-ma...el-whm-plugin/
Vulnerable Version: 1.0.0
Fixed Version: 1.0.1
CVE: -
R911: 0086
Date: 2013-11-18
By: Rack911
Another feature to add to your cPanel WHM from the Admin-Ahead Team, the Add-On Domain to Main Account Converter cPanel WHM Plugin. Add this Plugin and click to convert an add-on domain to a main domain in seconds.
Vulnerability Description:
There is a privilege escalation vulnerability that would allow an attacker to obtain root access and/or take control of any file on the server.
Impact:
We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.
Vulnerable Version:
This vulnerability was tested against Admin-Ahead Add-On Domain to Main Account Converter v1.0.0 and is believed to exist in all prior versions.
Fixed Version:
This vulnerability was patched in Admin-Ahead Add-On Domain to Main Account Converter v1.0.1.
Vendor Contact Timeline:
2013-11-17: Vendor contacted via email.
2013-11-17: Vendor confirms vulnerability.
2013-11-18: Vendor issues 1.0.1 update.
2013-11-18: Rack911 issues security advisory.

Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

11-18-2013, 01:26 PM, #2, Mostly Retired! (Join Date: Nov 2002 | Location: Portland, Oregon | Posts: 2,992)
Seems you guys were quite busy this weekend.
I think this is one of the more disturbing plugins I've come across. I shuddered, read the description, and reread the two vuln fixes. Are some of these really just a few days old? Or do those timestamps reflect released updates? First I'd heard about this one. Then again I've never permitted addon domains on my cPanel environments ....but if they're falling behind already I'd be cautious of practically everything else. Kudos to them for at least acting quickly on it I suppose.

11-18-2013, 05:17 PM, #3, Problem Solver (Join Date: Mar 2003 | Location: California USA | Posts: 13,681)
> I think this is one of the more disturbing plugins I've come across. I shuddered, read the description, and reread the two vuln fixes. Are some of these really just a few days old? Or do those timestamps reflect released updates? First I'd heard about this one. Then again I've never permitted addon domains on my cPanel environments ....but if they're falling behind already I'd be cautious of practically everything else. Kudos to them for at least acting quickly on it I suppose.

Sadly it was more like 45 minutes.

11-18-2013, 06:51 PM, #4, Mostly Retired! (Join Date: Nov 2002 | Location: Portland, Oregon | Posts: 2,992)
> Sadly it was more like 45 minutes.

Jeez, 45 minutes has got to fall into some sort of record.
See, that frustrates me even further and is one of the reasons I'm not taking on new shared orders now, and just supporting the existing clients. First of all I'm too busy with virtuals and management. Not only is it that I'm busy, but I know and trust every single shared client and I'm not going to risk that for five extra bucks -- seems like so much of this industry has been lost in a sea of automation, resellers, plugins, cpAddons, and everything else that's been hastily stuffed into cPanel the past couple of years. Just about every plugin/addon is, like you said, tossed out to users without any real Q.A. testing and verification. By the time they've patched a privilege escalation and sent it out, they're discovering that the patch created a spinoff path traversal vulnerability to a sensitive directory...or something like that.
Personally I think Softaculous does the same thing...too many product updates in rapid succession, there's no way their fixes were appropriately tested, like with the OpenVZ configs in Virtualizor...first they told me that my concerns didn't warrant any changes, and that I was so far from correct that I was an inconvenience to them, and yet the next three versions addressed fixes for the very problems I'd reported months before. It's a pattern I'm just not down with. We all got by with manual provisioning, billing, and software installs 10 years ago, and I don't recall nearly as many suspicious activities. It's like a bunch of people got together and read all of the cPanel feature requests and whipped something off without considering all the angles. It makes providers like myself, who don't let automation/WHMCS control the fate of the business, look like something out of the stone age, when we're really only guilty of ensuring performance and integrity over speed and convenience. And somehow it all happened while I was holed up in my office, actually learning the industry rather than expecting it to somehow work for me. Just really frustrating sometimes, especially after realizing that people are buying a security flaw for $1.00. I've always had a weird feeling about cpaddons/addon domains...lately it seems like some of the very utilities I've disabled by default since day one are the ones ending up to be the most problematic.
I didn't notice the malware scanner addon until after the converter. I almost hit the floor. Why not have a convicted felon install your home security system while you're at it?
Okay, off the soapbox now. Sorry about that - if I get a roll going I barely realize how many paragraphs I've actually written. Hoping at least one person shares some of these feelings, otherwise my preplanned nervous breakdown is arriving far earlier than expected.

Last edited by Johnny Cache; 11-18-2013 at 06:54 PM.

11-18-2013, 07:16 PM, #5, Problem Solver (Join Date: Mar 2003 | Location: California USA | Posts: 13,681)
> Jeez, 45 minutes has got to fall into some sort of record.

The state of hosting security is scary, however not as scary by far as say 8 months ago. Some cPanel plugins are actually quite good now.

11-18-2013, 09:02 PM, #6, Mostly Retired! (Join Date: Nov 2002 | Location: Portland, Oregon | Posts: 2,992)
I agree that there have been significant changes as of late, and it's nice to be able to enjoy some downtime. Whether this is a calm before the storm -- that's more your department.
As for plugins, I'm perfectly happy with having Softaculous for the clients, and the ConfigServer suite for myself. I had Installatron running alongside but yanked it out not long ago. It just seemed ... not right to me. That and I think 10 clients used it over the six months I was running it. Around that time a friend of mine who was running it said that some installations belonging to other users were being displayed globally under the list of installed apps. I know nothing about how he runs his server, but that was enough for me.
Anyhoo. As it relates to the thread topic, even going through the entire suite that fast, I can't help but assume that you've still got your work cut out for you in the future. Maybe next time it'll take 55 minutes. I had this crazy idea about getting their malware addon, using the 11.36 container on my dev box, injecting the crap out of some WP/Joomla instances, and maybe drop a shell in there somewhere, just to see what's picked up and what's ignored, and then run CSX right behind it. Would be an interesting comparison. Good chatting with ya

11-18-2013, 09:12 PM, #7, Web Hosting Master (Join Date: Mar 2003 | Location: Canada | Posts: 9,072)
You should see our pending release list, it's getting as long as our published list!
We have a few big names to drop soon, hopefully this week, if the developers will get their acts together... super frustrating when we are given timelines and then they get pushed back, over and over.

RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.

11-18-2013, 09:33 PM, #8, Problem Solver (Join Date: Mar 2003 | Location: California USA | Posts: 13,681)

11-18-2013, 09:45 PM, #9, Mostly Retired! (Join Date: Nov 2002 | Location: Portland, Oregon | Posts: 2,992)
Their plugin is just a frontend to rfxn maldet.
Quite some time ago I tried out the Pyxsoft service. If I'm not mistaken it was more of a glorified ClamAV scan with ModSecurity controls, but it's been a while since I've used it. I'd have to check it again to be sure.

11-18-2013, 09:50 PM, #10, Problem Solver (Join Date: Mar 2003 | Location: California USA | Posts: 13,681)

11-18-2013, 10:12 PM, #11, Mostly Retired! (Join Date: Nov 2002 | Location: Portland, Oregon | Posts: 2,992)