Web Hosting Talk


  #1  
Old 09-24-2006, 04:41 PM
hostgator.com hostgator.com is offline
Web Hosting Master
 
Join Date: Dec 2002
Location: texas
Posts: 1,061
Cpanel root exploit not really patched. READ

We have just discovered cpanel's patch /scripts/upcp doesn't do anything. If you think you were autopatched last night or ran upcp you're still very hackable.

What you need to do is run /scripts/upcp --force


A way to confirm our findings is to run http://layer2.cpanel.net/installer/sec092306.pl which is their patch checker. If you're not safe it will say "not safe"; if you're safe it will say "safe".


After all this even after running and being told "safe" I don't believe it's truly fixed. We'll all be very lucky if something doesn't spawn off this or another cpanel wrapper exploit doesn't hit the market.

Cpanel please provide us with some source so we can help you audit. We're not asking for all of it just parts that we know aren't secure such as wrapper.

__________________
Web hosting Host unlimited sites for one set price.

  #2  
Old 09-24-2006, 04:48 PM
ServerSupportGuys ServerSupportGuys is offline
Junior Guru Wannabe
 
Join Date: Apr 2006
Location: Dallas, Texas USA
Posts: 71
Quote:
Originally Posted by hostgator.com
Cpanel please provide us with some source so we can help you audit. We're not asking for all of it just parts that we know aren't secure such as wrapper.
wow.. that's bold.

I'm not sure opening source to the community would be a method of making things any more secure. lol.

__________________
- Comprehensive Server Management & End User Support
- Now 100% U.S. Owned & Operated
- Now offering instantly ready end-user support. 30secondsupport.com


  #3  
Old 09-24-2006, 04:54 PM
xxkylexx xxkylexx is offline
Web Hosting Evangelist
 
Join Date: Apr 2006
Location: Jacksonville, FL
Posts: 497
Thanks for the info!

__________________
▌▌WebSolvents.com Quality, Affordable, Web Hosting Solutions
▌▌ImageNerd.com Quality Image Hosting and User Galleries
WebSolvents.com - It's PowerHosting Baby!
"Hard work will beat great talent if great talent doesn't work hard."


  #4  
Old 09-24-2006, 04:55 PM
hostgator.com hostgator.com is offline
Web Hosting Master
 
Join Date: Dec 2002
Location: texas
Posts: 1,061
Sorry let me clarify that....

I don't want the community to have it, but if a few of my admins at hostgator and bluehost could get some of it we'll be able to secure it. After all we discovered this root exploit, and bluehost knows of a few other root exploits that still work.

Last edited by hostgator.com; 09-24-2006 at 05:04 PM.
  #5  
Old 09-24-2006, 05:03 PM
ServerSupportGuys ServerSupportGuys is offline
Junior Guru Wannabe
 
Join Date: Apr 2006
Location: Dallas, Texas USA
Posts: 71
Quote:
Originally Posted by hostgator.com
I don't want the community to have it, but if a few of my admins at hostgator and bluehost could get some of it we'll be able to secure it. After all we discovered this root exploit, and bluehost knows of a few others that still works.
I think if cPanel did I'd probably discontinue use of it altogether. And no, the exploit discovered you... and used you as its stage to make its appearance. The way it looks ... the guys basically did everything but made tea on the servers before anyone even realized it was rooted.

I have confidence Nick and his team will resolve this issue. I just hope after all is said and done they continue looking/auditing. I think they owe that much to their customers. These major holes every couple months are destroying businesses.

  #6  
Old 09-24-2006, 05:08 PM
David David is offline
& Goliath
 
Join Date: Oct 2003
Location: Vancouver & Toronto
Posts: 8,357
Quote:
Originally Posted by ServerSupportGuys
wow.. that's bold.

I'm not sure opening source to the community would be a method of making things any more secure. lol.
Sure it would. Not immediately but as you can see the blackhats are certainly finding the exploits without having the source so at least it would even the playing field.

  #7  
Old 09-24-2006, 05:12 PM
OpenReaction OpenReaction is offline
Web Hosting Master
 
Join Date: Jul 2006
Location: Atlanta, GA
Posts: 1,024
Thanks for the heads up!

__________________
Matt Armour | M.Armour@openreaction.com
OpenReaction Hosting Solutions, Inc.
Atlanta Dedicated Servers & Colocation
www.openreaction.com

  #8  
Old 09-24-2006, 05:12 PM
ServerSupportGuys ServerSupportGuys is offline
Junior Guru Wannabe
 
Join Date: Apr 2006
Location: Dallas, Texas USA
Posts: 71
Yeah I'm not convinced it would. I think it would give the "blackhats" even more insight as to how things work internally. Sure eventually it might improve the quality of the source.. but not for a long time and many disastrous exploits later.

I'm not sure any cpanel webhosts would even exist before it actually evolved to a level that would meet Tim Greer's standards ;-)

  #9  
Old 09-24-2006, 05:14 PM
David David is offline
& Goliath
 
Join Date: Oct 2003
Location: Vancouver & Toronto
Posts: 8,357
Disastrous exploits?
Like for example.. the ones that are occurring right now?

I don't think it gets any worse than it is right about now.
I know that I'm on the brink of setting up my first DirectAdmin server and abandoning cPanel altogether.

  #10  
Old 09-24-2006, 05:20 PM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,047
My standards are admittedly pretty high. I expect things to not result in root exploits via an suid binary that was created by a guy that has no business coding in the first place, but I digress. No reason to debate about this, really, we all want the same result--this issue to be resolved and promptly. Having software with this track history, knowing the people behind it (I don't mean to start anything, but that's how it is), and the fact that this program is compiled, we are left with trust it works. Now, even the updates aren't applying this patch--a patch that only covers some of the aspects and leaves opportunity for further immediate root exploits. This is troubling.

I don't expect Cpanel to share its source, though I'm pretty confident that, like everything else, it's some hack job on some already existing (poorly coded) open source code, or some off the wall code snippet from a google search for some simplistic c wrapper code. Cpanel/WHM run as privileged users already, what's the purpose of risking this with an obviously exploitable suid root script/binary anyway? If the coders were professionals and not people that started out as kids guessing as they went along and created a bigger mess each time, I'd be okay with it, but the track record here doesn't make me confident. That said, I'd like to see them provide the relevant portions of the code to those that can help audit it, but I won't go on about the debate anyway, they'll likely never release it. Anyway, I've got a ton of work to do.

  #11  
Old 09-24-2006, 05:24 PM
ServerSupportGuys ServerSupportGuys is offline
Junior Guru Wannabe
 
Join Date: Apr 2006
Location: Dallas, Texas USA
Posts: 71
Quote:
Originally Posted by David
Disastrous exploits?
Like for example.. the ones that are occurring right now?

I don't think it gets any worse than it is right about now.
I know that I'm on the brink of setting up my first DirectAdmin server and abandoning cPanel altogether.
Yeah lol - exactly. The difference is it will be a weekly or monthly occurrence rather than quarterly

  #12  
Old 09-24-2006, 05:29 PM
ServerSupportGuys ServerSupportGuys is offline
Junior Guru Wannabe
 
Join Date: Apr 2006
Location: Dallas, Texas USA
Posts: 71
Quote:
Originally Posted by Tim_Greer
I don't expect Cpanel to share its source, though I'm pretty confident that, like everything else, it's some hack job on some already existing (poorly coded) open source code, or some off the wall code snippet from a google search for some simplistic c wrapper code. Cpanel/WHM run as privileged users already, what's the purpose of risking this with an obviously exploitable suid root script/binary anyway? If the coders were professionals and not people that started out as kids guessing as they went along and created a bigger mess each time, I'd be okay with it, but the track record here doesn't make me confident. That said, I'd like to see them provide the relevant portions of the code to those that can help audit it, but I won't go on about the debate anyway, they'll likely never release it. Anyway, I've got a ton of work to do.
wow... spoken very eloquently LOL!!

  #13  
Old 09-24-2006, 06:06 PM
hbouma hbouma is offline
Junior Guru Wannabe
 
Join Date: Mar 2002
Posts: 84
Thanks for confirming my hunch

Tim,

Thanks for confirming my hunch. I didn't think cPanel would get updated by just running /scripts/upcp since the cPanel binaries are only updated when the versions don't match. Since stable/release are on the same version, they don't get any new binaries and thus no patch.

I didn't say anything sooner (because I didn't have a way to test if it was closed) because I didn't think cPanel would be that clueless when it comes to their own update system. But you proved me wrong on that.

I'm now going back and reupdating my servers now.

Hal

  #14  
Old 09-24-2006, 06:19 PM
RAIS RAIS is offline
Newbie
 
Join Date: Oct 2004
Posts: 6
Quote:
Originally Posted by David
Disastrous exploits?
Like for example.. the ones that are occurring right now?

I don't think it gets any worse than it is right about now.
I know that I'm on the brink of setting up my first DirectAdmin server and abandoning cPanel altogether.
LMFAO

ME TOO

However, I was thinking Plesk or DirectAdmin.

I will see how this plays out a bit first.

  #15  
Old 09-24-2006, 06:21 PM
linuxredux linuxredux is offline
WHT Addict
 
Join Date: Apr 2005
Posts: 140
Quote:
Originally Posted by hbouma
Tim,

Thanks for confirming my hunch. I didn't think cPanel would get updated by just running /scripts/upcp since the cPanel binaries are only updated when the versions don't match. Since stable/release are on the same version, they don't get any new binaries and thus no patch.

I didn't say anything sooner (because I didn't have a way to test if it was closed) because I didn't think cPanel would be that clueless when it comes to their own update system. But you proved me wrong on that.

I'm now going back and reupdating my servers now.

Hal
From the ongoing thread in the cPanel forums this appears to be the case; Nick Koston was fielding complaints about the safe/unsafe discrepancies until around 2AM this AM.

Generally speaking as a cPanel "partner" I'm annoyed that we've gotten a majority of our information from webhostingtalk.com and hostgator's forums on what is clearly an issue that warrants an immediate and direct letter to everyone on their distributor/partner mailing list.

I understand the need to keep the details regarding their setuid wrapper exploitable issues under wraps until people have a chance to update their systems, but a forewarning to cpanel partners/distributors via some kind of direct communication seems warranted, or perhaps I'm just out in left field on this.

For Brent and his team, sympathies go out, this is truly an absurd situation, and is clearly just the tip of the iceberg given Matthew's comments in the slashdot thread on this matter.

Serversupportguy: It could go either way on open sourcing the platform after this series of fires is put out. The most feasible and most likely scenario knowing cPanel's history with keeping their product closed, is the codebase should be audited by a reputable security group and findings (after fixed) made public to cpanel customers. An audit of this nature should occur at least once a quarter given the rate of new features and updates that have been pushed into Edge/Current.

I personally would prefer that the codebase not be made viewable to *only* a select handful of cpanel customers. Regardless of size, we all have the same stake in this control panel, and if it is going to be made open, it needs to be open to all of us using the product.

__________________
Thomas Brenneke | Network Redux, LLC | http://www.networkredux.com
• Proud sponsors of the SimpleMachines ImageMagick and AdiumX projects.
