#1
08-10-2005, 10:41 AM
majidnt (Registered User)
Join Date: Nov 2004
Posts: 42
cpanel bug / Get root access with root password

cPanel has a bug!
See this clip: http://www.ihsteam.com/cms/modules/m...sit.php?lid=41
Advisory: http://www.ihsteam.com/cms/modules/m...sit.php?lid=40

#2
08-10-2005, 11:00 AM
chirpy (Moderator)
Join Date: Jun 2002
Location: Go on, have a guess
Posts: 13,495
Then you should have contacted cPanel through the standard channels, i.e. emailed security@cpanel.net.
__________________
Jonathan Michaelson
cPanel Forum Moderator

Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
#3
08-10-2005, 11:25 AM
cPanelBilly (Guest)
Posts: n/a
That is correct. If you manage to guess the server owner's root password you will have access to all accounts on the server. Just like if you have the server's root password you can log in as root via shell.

Sorry, this is not a bug/exploit. This is how Linux works.
#4
08-10-2005, 02:36 PM
richy (Registered User)
Join Date: Jun 2003
Posts: 280
I think I understand how this could be a bug...

Under normal operation, you would have to know that "root" has the password of "defpass" to be able to login as root. So you need to know two things - the username and the password.

However, due to the reseller drop down box option - you only need to know/guess the password. So, for example, if your customer decides to use the password "defpass" and then logs in - the cPanel control panel will show the "Change domain" dropdown menu which will give them access to other people's accounts and they may then attempt to try logging in as root with that password.

Ok, if you have relatively secure passwords such as Q69x73PF or u962THK2 or 79r4KE6F (Firefox's Secure Password generator is so handy!), the chance of a user being able to guess the password you happen to be using is quite low, but it still takes away the "two items needed" standard security of Linux.

So what can cPanel Inc do? Well, they could remove the "Reseller/WHM drop down" menu which appears on cPanel - it won't avoid the bug, but would provide no indication to a user that they have happened to set their password to the same as the root user. cPanel Inc could also remove the very handy "login as customer using reseller/root password" option and only allow access via the WHM List account option (meaning that the username+password combination comes back into force). But that's about it and it's not "that big" a security issue as long as you have relatively secure passwords IMHO (but it's still a slight issue).

Other things cPanel could do to minimise the effectiveness of this bug: Limit the number of password changes a user could make in a set time frame (does a user really need to change their password more than twice in any 24 hours?), ensure incorrect logins to control panels are logged so servers running something like BFD can pick up invalid logins and block IP addresses (we've all probably got BFD checking for invalid SSH root logins - but how about invalid cPanel/WHM logins?), add IP address restrictions to the root WHM system (even support .htaccess would be fine).
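To make richy's point concrete, here is an added Python model of the two login flows (example code written for this page, not cPanel's own code). The first function tries the submitted password against the owner's credential before the named user's, which is the behaviour the thread describes: the username stops being required knowledge. The second checks only the account actually named, so a customer whose password happens to equal root's gets ordinary user scope and no account list, and failed attempts are written to a log list so a BFD-style watcher could count them. The credential store (`ACCOUNTS`, `OWNER`, `OWNED_BY_ROOT`), the PBKDF2 hashing and the "12345678" collision are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Credential store constructed for this example (not cPanel's real storage):
# salted PBKDF2 hashes. The owner ("root") and the customer "demoacc" have been
# given the same password, "12345678", which is the collision the thread discusses.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

def verify(record: dict, password: str) -> bool:
    # constant-time comparison of the stored and recomputed hashes
    return hmac.compare_digest(record["hash"], _hash(password, record["salt"]))

OWNER = "root"
ACCOUNTS = {
    "root":    make_record("12345678"),
    "demoacc": make_record("12345678"),
    "alice":   make_record("Q69x73PF"),
}
OWNED_BY_ROOT = ["demoacc", "alice"]   # accounts the owner may switch into

def login_owner_password_first(username: str, password: str):
    """Flow as the thread describes it: the submitted password is tried against the
    owner's credential before the named user's own. Whoever types the owner's
    password, under whatever username, receives the owner-level account list."""
    if username not in ACCOUNTS:
        return None
    if verify(ACCOUNTS[OWNER], password):
        return {"user": username, "scope": "owner", "switchable": OWNED_BY_ROOT}
    if verify(ACCOUNTS[username], password):
        return {"user": username, "scope": "user", "switchable": []}
    return None

def login_named_account_only(username: str, password: str, failure_log=None):
    """Hardened flow: the password is checked only against the account named in the
    request, so the username is again required knowledge. Owner scope is granted
    only when that account is the owner. Failures are appended to failure_log so a
    log watcher of the BFD kind can count them per source."""
    record = ACCOUNTS.get(username)
    if record is None or not verify(record, password):
        if failure_log is not None:
            failure_log.append(f"cpanel-login: FAILED LOGIN user={username}")
        return None
    scope = "owner" if username == OWNER else "user"
    return {"user": username, "scope": scope,
            "switchable": OWNED_BY_ROOT if scope == "owner" else []}

if __name__ == "__main__":
    print(login_owner_password_first("demoacc", "12345678"))   # owner scope leaks
    print(login_named_account_only("demoacc", "12345678"))     # plain user scope
```

With the hardened flow the customer in the collision case sees nothing different from any other login, so the panel no longer tells them they have "hit the jackpot". It does not change the fact that someone who knows both the username "root" and its password gets owner scope; that is the normal case, and the password itself stays the main control.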
#5
08-10-2005, 03:38 PM
anup123 (Registered User)
Join Date: Mar 2004
Location: This Planet
Posts: 984
Quote:
Originally Posted by cPanelBilly
That is correct. If you manage to guess the server owner's root password you will have access to all accounts on the server. Just like if you have the server's root password you can log in as root via shell.

Sorry, this is not a bug/exploit. This is how Linux works.
If it's an issue with all accounts under a reseller being visible (or for that matter root) due to an accidental/lucky password guess, eliminating that drop down list altogether shouldn't prove to be a handicap in terms of functional utility on the whole. Reseller (root) as it is can still go to individual accounts under them from their WHM, but at least the account owner wouldn't know that he has hit the jackpot!

This is if I understand what's presented in the thread.

Thanks
Anup
#6
08-10-2005, 05:22 PM
PWSowner (Registered User)
Join Date: Nov 2001
Location: ON, Canada
Posts: 2,991
If I understand correctly, the only real issue here is whether or not root or resellers use good enough passwords to not be chosen by someone else. With a 12 character password using all allowable characters, you have at least 37133262473195501387776 possibilities. 2 people should never have the same passwords.
__________________
Mike
WHM and cPanel Scripts (join our "Scripts Club")
D/A Photography
#7
08-10-2005, 06:42 PM
rpmws (Registered User)
Join Date: Aug 2001
Location: back woods of NC, USA
Posts: 1,834
I guess what this winds up meaning is like this:

With "root" you don't have to guess the username ..you know it. One possibility only. But you would have to guess the password. You have one possible "root" username that would be correct. If you can use any of the users and the root password you have that number of possible matches for the username (total on box) and for the password you have only one possibility. So if someone gets on the cPanel as "joblow" and actually guesses the only root password ..he will figure out that he has the root password ..which means he can try "root" and that same (root) password elsewhere also on the box ..ssh and whatever else. Am I on the right track with what this means? So he would have to do this guessing attack against the cPanel 2082 login, right?
__________________
Just keeping my "eye" on things....
R. Paul Mathews
RPMWS - diehard cPanel Nutcase
#8
08-10-2005, 06:59 PM
Specks (Registered User)
Join Date: Jul 2004
Posts: 66
From what I see it's required that you use your root or reseller account password when making an account in order for this to work. I don't think anyone in their right mind would use their root or reseller password as a customer's initial password. I would think this has a low to nil chance of being exploited. If a person uses their password like that, they're just asking for it.
__________________
Specks
#9
08-16-2005, 04:34 PM
shulshof (Registered User)
Join Date: Jul 2005
Posts: 4
Quote:
Originally Posted by cPanelBilly
That is correct. If you manage to guess the server owner's root password you will have access to all accounts on the server. Just like if you have the server's root password you can log in as root via shell.

Sorry, this is not a bug/exploit. This is how Linux works.

If my own user, let's say "shulshof", has the same password as root, I do not get root access; this is not how Unix works. That is my understanding of what happened. Please correct me if I am wrong. But being a "normal" user having a root password is what happened.

The chances of this happening, almost zero. Still a bug and should be fixed (if my understanding of the problem is correct)


Steve
#10
08-16-2005, 04:46 PM
Jortex (Registered User)
Join Date: Aug 2004
Posts: 278
There is one other measure you can add that I don't think has been mentioned.

Disable direct root login

That way the "hacker" has to enter two logins:

wheel group user and pass
root pass

Now of course if this user has the root pass he can easily add himself to the wheel group via root WHM, but nonetheless it's another measure in place.

Another way would be to change the ssh port.

Of course the above methods only affect ssh logins.

It is a very, very slight chance that the user picks a password identical to the root password, but it's still a chance. What can be done about it? Not much, I think.
#11
08-16-2005, 04:52 PM
Jortex (Registered User)
Join Date: Aug 2004
Posts: 278
I also see where shulshof is coming from, for example:

If a client signs up say under the login of:

User: demoacc
Pass: 12345678

And say for this example the root pass is : 12345678

When he goes to sign in at domain/cpanel using his login, he is going to be seeing a lot more than he should.

All accounts owned by root will be selectable via the drop down list.

Not very secure, but also not very likely to happen.
#12
08-19-2005, 11:13 PM
brianoz (Registered User)
Join Date: Mar 2004
Location: Melbourne, Australia
Posts: 984
How is this a bug?

If you guess the root password, you have access to everything on the box. If I guess *your* password, I've got access to everything in your account. That's just the way operating systems work.

Perhaps the only vulnerability here is the presence of the dropdown box. cPanel could possibly make the drop-down box a configurable option for prospective security experts who are concerned about this. Or, could possibly detect an attempt to change a password to the root password and refuse it at the time of the change, but that's about it. Actually, there probably is a useful fix here - if a user password is the same as the root password, don't assume it's root trying to log in. I guess currently that cPanel checks for a root password before checking for the user password and I'm suggesting a reversal of order in the checks.

Really, there's no substitute for a good root password. In training sysadmins in basic security the FIRST thing we teach them is to choose good passwords. If you can't do that part, then it's nearly pointless working on any other aspect of security.

Of course, there's the other part of this, in that cPanel and WHM don't enforce good passwords as far as I know (I don't try to set bad passwords so I wouldn't run into that restriction). That in itself would be a meaningful and helpful security enhancement. They'd want to run a dictionary check, and check for permutations of the user name. Since the admin doesn't get to control what users reset their passwords to, this would be a good move for the industry.

Last edited by brianoz; 08-19-2005 at 11:16 PM.
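The password-setting side of the discussion, as an added Python example written for this page (not cPanel's code): it combines brianoz's policy points (a dictionary check, a check for the user name and its reverse, and refusing a password that equals the owner's at change time) with richy's earlier suggestion of capping password changes per 24 hours. The word list, the leet-speak map, the `PasswordChangeService` class and the PBKDF2 credential record are assumptions made for the example; a real deployment would load a proper dictionary file.

```python
import hashlib
import hmac
import os
import re
import time

# Credential record constructed for the example: salted PBKDF2, as a stand-in for
# however the owner's password is really stored.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

def verify(record: dict, password: str) -> bool:
    return hmac.compare_digest(record["hash"], _hash(password, record["salt"]))

# Small word list constructed for the example; a real deployment loads a dictionary file.
DICTIONARY = {"password", "letmein", "qwerty", "welcome", "defpass", "monkey"}
# Undo the usual substitutions so "p@$$w0rd" is judged as "password".
LEET = str.maketrans("@$0!", "asoi")
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def _normalise(candidate: str) -> str:
    # lower-case, strip a trailing digit run ("welcome123"), then undo leet-speak
    return re.sub(r"\d+$", "", candidate.lower()).translate(LEET)

def policy_violations(username: str, candidate: str, owner_record: dict) -> list:
    """Reasons a proposed password must be refused; an empty list means it passes."""
    reasons = []
    if len(candidate) < 8:
        reasons.append("too short")
    if sum(bool(re.search(p, candidate)) for p in CLASSES) < 3:
        reasons.append("fewer than three character classes")
    norm = _normalise(candidate)
    if norm in DICTIONARY:
        reasons.append("dictionary word")
    u = username.lower()
    if u and (u in norm or u[::-1] in norm):
        reasons.append("derived from username")
    if verify(owner_record, candidate):
        reasons.append("equals owner password")
    return reasons

class PasswordChangeService:
    """Enforces the policy and caps how often an account may change its password."""
    def __init__(self, owner_record: dict, max_changes: int = 2, window: int = 24 * 3600):
        self.owner_record = owner_record
        self.max_changes = max_changes
        self.window = window
        self.history = {}   # username -> timestamps of accepted changes
        self.audit = []     # detailed reasons, for the server log only

    def change(self, username: str, new_password: str, now: float = None) -> str:
        now = time.time() if now is None else now
        recent = [t for t in self.history.get(username, []) if now - t < self.window]
        if len(recent) >= self.max_changes:
            self.audit.append(f"{username}: change refused, rate limit")
            return "rejected"
        reasons = policy_violations(username, new_password, self.owner_record)
        if reasons:
            self.audit.append(f"{username}: change refused, {', '.join(reasons)}")
            return "rejected"   # the user sees only this generic outcome
        self.history[username] = recent + [now]
        return "accepted"

if __name__ == "__main__":
    owner = make_record("12345678")
    svc = PasswordChangeService(owner)
    print(svc.change("demoacc", "12345678"), svc.audit[-1])
```

One caveat a practitioner should keep in mind: refusing a candidate because it equals the owner's password is itself a one-bit answer about the owner's password, which is why the service returns only a generic "rejected" to the user, keeps the detailed reason in its own audit list, and rate-limits changes. The change-time check is therefore a complement to, not a replacement for, fixing the login flow so that a colliding customer password never grants the owner's account list.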
#13
08-20-2005, 12:10 AM
rpmws (Registered User)
Join Date: Aug 2001
Location: back woods of NC, USA
Posts: 1,834
Quote:
Originally Posted by brianoz
If you guess the root password, you have access to everything on the box. If I guess *your* password, I've got access to everything in your account. That's just the way operating systems work.

Perhaps the only vulnerability here is the presence of the dropdown box. cPanel could possibly make the drop-down box a configurable option for prospective security experts who are concerned about this. Or, could possibly detect an attempt to change a password to the root password and refuse it at the time of the change, but that's about it. Actually, there probably is a useful fix here - if a user password is the same as the root password, don't assume it's root trying to log in. I guess currently that cPanel checks for a root password before checking for the user password and I'm suggesting a reversal of order in the checks.

Really, there's no substitute for a good root password. In training sysadmins in basic security the FIRST thing we teach them is to choose good passwords. If you can't do that part, then it's nearly pointless working on any other aspect of security.

Of course, there's the other part of this, in that cPanel and WHM don't enforce good passwords as far as I know (I don't try to set bad passwords so I wouldn't run into that restriction). That in itself would be a meaningful and helpful security enhancement. They'd want to run a dictionary check, and check for permutations of the user name. Since the admin doesn't get to control what users reset their passwords to, this would be a good move for the industry.
I have been talking to Nick a few times now about working on better password strength when cPanel is used to create a new password. It is going to be added soon where all passwords will be tested for strength. FTP accounts are a common problem because they open a spot for hackers to put their web files and actually run them through Apache. So adding FTP, POP, MySQL is just a start for better password management tests. I can't tell you how many idiots use "password" for their password. These new measures will help prevent that. Nick told me this feature might wind up in EDGE soon.
#14
08-20-2005, 04:42 AM
chirpy (Moderator)
Join Date: Jun 2002
Location: Go on, have a guess
Posts: 13,495
Quote:
Perhaps the only vulnerability here is the presence of the dropdown box. Cpanel could possibly make the drop-down box a configurable option for prospective security experts who are concerned about this.
That feature is there in RELEASE upwards now in WHM > Tweak Settings.

Quote:
I have been talking to Nick for a few times now about working on better password strengths when cPanel is used to create a new password.
That's been in Bugzilla for an age:
http://bugzilla.cpanel.net/show_bug.cgi?id=2082
#15
08-20-2005, 08:46 AM
rpmws (Registered User)
Join Date: Aug 2001
Location: back woods of NC, USA
Posts: 1,834
I see that. Won't be long.