cPanel Apache mod_phpsuexec Options Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1010270
SecurityTracker URL: http://securitytracker.com/id?1010270
CVE Reference: CAN-2004-0490
Updated: Jun 7 2004
Original Entry Date: May 24 2004
Impact: Execution of arbitrary code via local system, Root access via local system, User access via local system
Description: A vulnerability was reported in cPanel when used with the Apache mod_phpsuexec option. A local user can execute arbitrary code with the privileges of another user.
Rob Brown reported that the software uses incorrect options to compile Apache 1.3.29 and PHP with the mod_phpsuexec option (mod_phpsuexec is not a default option). The PHP application can reportedly be made to execute applications using a modified PATH_INFO variable.
A local user can execute arbitrary PHP code (including operating system commands) with the privileges of any user on the system that owns a PHP file.
A demonstration exploit script is available at:
http://64.240.171.106/cpanel.php
Impact: A local user can execute arbitrary commands with the privileges of a target user.
Solution: The vendor has reportedly issued a fix as of April 15, 2004.
The report also indicates that only systems running Apache 1.3.29 or older are vulnerable, so you can update to a more recent version to correct the flaw.
Vendor URL: www.cpanel.net/
Cause: Configuration error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Rob Brown <rob@asquad.com>
Message History:
None.
Source Message Contents
Date: 24 May 2004 03:08:42 -0000
From: Rob Brown <rob@asquad.com>
Subject: cPanel mod_phpsuexec Vulnerability
Severity: High, Arbitrary Execution, Local Privilege Escalation

Background:
cPanel is a common web hosting management system written by cpanel.net installed on UNIX Operating Systems to help manage web, email, ftp, databases, and other administrative tasks.

Problem Description:
The options used by cPanel software to compile Apache 1.3.29 and PHP using the mod_phpsuexec option are flawed and allow any local user to execute arbitrary code as any other user owning a web accessible php file.

Impact:
Fortunately, mod_phpsuexec is not enabled by default so the majority of systems using cPanel should not be vulnerable. But for those machines that are vulnerable, all users on the machine are in danger. Any local user can destroy files, deface web sites, or acquire full access to all databases used by anyone on the machine that owns a file ending in .php.

Proof of Concept:
This tester php script http://64.240.171.106/cpanel.php can be used to test your configuration to see if it is vulnerable. See http://www.a-squad.com/audit/ for more details. If left unmodified, this script will do no harm. It will just tell you if your system is safe or how to secure it if it is vulnerable.

How it works is by ensuring that /usr/bin/php will execute SCRIPT_FILENAME instead of the PATH_INFO if both environment settings exist. If it doesn't then the system is vulnerable because PATH_INFO can easily be spoofed on the browser.

Any user can change another user's password by temporarily tweaking the target user's .contactemail file just long enough to reset this user's password using the built-in cpanel reset method. To prevent this, disable the ability to reset passwords in the WHM.

Any user can obtain root access on the machine by manipulating one of the admin accounts' .bashrc file to alias "su" to "fakesu" or any trojan that logs keystrokes and obtain the root password next time this admin user logs in and tries to "su" to root. It's easy to find out admin users with "su" privileges by running "grep wheel /etc/group" or by running "last" to see which of these users logged in recently. Due to the severity of this vulnerability, the "fakesu" trojan code will not be provided, though it has been tested and is known to work. To prevent this, don't let anyone that can create a .php script be in the "wheel" group.

Solution:
Upgrade to Apache 1.3.31 or higher. Only systems running Apache 1.3.29 or older can be vulnerable. I already notified the cPanel authors of this vulnerability and it has been repaired. Only Apache configurations compiled before Apr 15, 2004 are vulnerable.

Let me know if you need any more details.
--Rob Brown
A-Squad.Com
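The configuration check the report describes (run the PHP CGI binary with both SCRIPT_FILENAME and PATH_INFO set and confirm that the file named by SCRIPT_FILENAME is the one executed) can be performed locally by an administrator without a web server in the loop. The script below is an added example written for this page; it is not the tester script at the URL above and not cPanel's code. It assumes the CGI interpreter is /usr/bin/php as the report states (override it on the command line), writes two throwaway marker files that each print a distinct token, and classifies the interpreter as "safe" when the SCRIPT_FILENAME marker runs, "vulnerable" when the PATH_INFO marker runs, and "unknown" when neither token appears. REDIRECT_STATUS is set because the PHP CGI binary refuses to run without it when force-cgi-redirect is enabled, and PATH_TRANSLATED is set alongside PATH_INFO because Apache derives the former from the latter. The simulate() helper uses a constructed shell stub in place of PHP so the two outcomes can be exercised offline.

```python
"""Check whether a CGI interpreter executes SCRIPT_FILENAME or PATH_INFO.

Added example for the cPanel mod_phpsuexec advisory; not the advisory's own
tester script. Defensive use only: it reports which file the interpreter ran.
"""
import os
import subprocess
import tempfile
from typing import Callable, Sequence

SCRIPT_TOKEN = "RAN_SCRIPT_FILENAME"
PATHINFO_TOKEN = "RAN_PATH_INFO"


def php_marker(token: str) -> str:
    """Marker file body for the real case: a PHP script printing one token."""
    return f'<?php echo "{token}"; ?>\n'


def probe_interpreter(argv: Sequence[str],
                      make_marker: Callable[[str], str] = php_marker) -> str:
    """Return 'safe', 'vulnerable' or 'unknown' for the interpreter in argv.

    Two marker files are written to a private temporary directory. The
    interpreter is invoked as a CGI would be, with SCRIPT_FILENAME naming one
    marker and PATH_INFO (plus PATH_TRANSLATED) naming the other. Whichever
    token appears on stdout tells us which variable the binary trusted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        expected = os.path.join(tmp, "script_filename.marker")
        decoy = os.path.join(tmp, "path_info.marker")
        with open(expected, "w") as fh:
            fh.write(make_marker(SCRIPT_TOKEN))
        with open(decoy, "w") as fh:
            fh.write(make_marker(PATHINFO_TOKEN))
        env = dict(os.environ,
                   GATEWAY_INTERFACE="CGI/1.1",
                   REDIRECT_STATUS="200",          # required by php-cgi
                   SCRIPT_FILENAME=expected,
                   PATH_INFO=decoy,
                   PATH_TRANSLATED=decoy)          # Apache sets this from PATH_INFO
        try:
            out = subprocess.run(list(argv), env=env, capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.TimeoutExpired):
            return "unknown"
    if SCRIPT_TOKEN in out:
        return "safe"
    if PATHINFO_TOKEN in out:
        return "vulnerable"
    return "unknown"


def simulate(honours: str) -> str:
    """Offline self-test with a constructed stand-in interpreter (not PHP).

    honours is "SCRIPT_FILENAME" or "PATH_INFO"; the stub runs whichever file
    that variable names, modelling the correct and the flawed behaviour.
    Marker files are shell snippets here since the stub is a shell script.
    """
    with tempfile.TemporaryDirectory() as tmp:
        stub = os.path.join(tmp, "stub-cgi.sh")
        with open(stub, "w") as fh:
            fh.write(f'#!/bin/sh\nexec sh "${honours}"\n')
        return probe_interpreter(["sh", stub],
                                 make_marker=lambda t: f"echo {t}\n")


if __name__ == "__main__":
    import sys
    # Assumed default from the report; pass a different path to override.
    argv = sys.argv[1:] or ["/usr/bin/php"]
    print(f"{' '.join(argv)}: {probe_interpreter(argv)}")
```

Run it as the same unprivileged account that mod_phpsuexec would execute scripts under; a result of "vulnerable" means the interpreter honoured PATH_INFO over SCRIPT_FILENAME and the Apache/PHP build should be replaced as the report's solution describes, while "unknown" usually means the binary is not a CGI build or could not be executed.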