Major Exploit

[cpaneldave]

Quote:

Originally Posted by LS_Drew

Is an upcp --force gonna fix this crap or do we have to update all servers to edge/current? Can we have an official word on this...my freakin head hurts. Enough already...let's get this fixed.

Please read the security advisory. A update through /scripts/upcp will fix the issue. You can verify with the listed commands.

[cpaneldave]

Quote:

Originally Posted by 0utlier

am I completely patched up or not regardless of what the old checker script says?

Please run the check script in the security advisory. If this one says it is fixed, it is fixed.

[limweech]

the patch broke mysqladmin in x86-64 cPanel.

to reproduce, just login to cpanel, go to backup. under Download a MySQL Database Backup, there's the following error

Can't locate DynaLoader.pm in @INC (@INC contains: /usr/local/cpanel
/usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4
/usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2
/usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0
/usr/lib/perl5/vendor_perl) at /usr/local/cpanel/Cpanel/Version.pm line 14. Compilation
failed in require at /usr/local/cpanel/bin/mysqladmin line 13. BEGIN failed--compilation
aborted at /usr/local/cpanel/bin/mysqladmin line 13.

please add lib64 to the patch.

[hbouma]

Quote:

Originally Posted by philb

What makes you say that upcp has not updated this server?

.

You're correct. I'm being stupid. Its been a long day and I wasn't reading that correctly. Thanks for pointing it out.

Hal

[sfxx]

Quote:

Originally Posted by davedark

Please run the check script in the security advisory. If this one says it is fixed, it is fixed.

Thank you for the confirmation.

[kernow]

I'm glad i ran the second "check" script released, as the first one wrongly said "safe".
Any way, after reading this email from cpanel we have now upgraded to the curent build.

Quote:

Due to a recently discovered bug, it will be necessary for users
who are running the CURRENT, RELEASE and STABLE branches to run a cPanel software update.

---------------------------------------------
Description:
---------------------------------------------
An uncompilied mysqladmin script allowed an exploited copy of MySQL.pm to be places within the directory location of mysqladmin. This copy of MySQL.pm would be given preference by mysqladmin due to the precedence order of perl module searches. A malicious user could then use an exploited copy of MySQL.pm to elevate their system access (including root access).

A patch for this issue has been released. Please note that this is a local issue and a system cannot be compromised remotely. The malicious user must have access to an account on the system to take advantage of this script.

All cPanel and WHM server will automatically receive a patch for this update. This patch has been applied to most servers and will be applied to the remaining number of servers during the scheduled update on Sunday night, September 25th, 2006. It can be applied manually as per the instructions below.

---------------------------------------------
References:
---------------------------------------------

None

---------------------------------------------
Affected Systems:
---------------------------------------------

All builds on all platforms are vulnerable up to and including (11.0.0
build 492), all builds after that have been fixed. All previous builds after 9.0.0
will be automatically patched by the updater if automatic updates are set.

---------------------------------------------
Fix Details:
---------------------------------------------
We recommend updating (if you do not wish to update see the manual patch instructions below) to the latest EDGE or CURRENT build as these builds include the latest security patch as well as additional protection (the underlying wrapper now contains vastly improved input sanitization). To do this, you will need to modify your upgrade settings thorugh the ‘Update Config’ function in the ‘Server Configuration’ menu of WebHost Manager.

Login to WebHost Manager
Naviagte to the the ‘Update Config’ function in the ‘Server Configuration’ menu.
Change your cPanel/WHM Updates option to CURRENT or bleeding EDGE (Automatic updates recommended).
Click on ‘Save’
Use the ‘Upgrade to Latest Version’ option within the ‘cPanel’ menu.

You can also apply the patch without updating:

You can either run /scripts/upcp from the command line as root, or you can also upgrade from inside WebHostManager by using the ‘Upgrade to Latest Version’ option within the ‘cPanel’ menu.

You may also apply just the patch manually through the following steps:

SSH into your server and gain root access
wget -q -O - http://layer1.cpanel.net/installer/sec092406.pl | perl

You can verified the server is patched by running:

wget -q -O - http://layer1.cpanel.net/installer/c...cker_092406.pl | perl

---------------------------------------------

If you find there is still a problem after updating to the version(s) mentioned above, please file a support ticket with the cPanel Technical Support team at https://tickets.cpanel.net/submit/in...eqtype=tickets


---------------------------------------------
Credits
---------------------------------------------
Information in this advisory was obtained from information provided from:
Brent Oxley (Host Gator)
Rob Brown (Blue Host)

[jamesbond]

So only CURRENT and EDGE also update cpwrap (besides the patch)?

Meaning the patched STABLE and RELEASE versions are less secure and could still be vulnerable to modified versions of the exploit? Or is this incorrect?

[nat]

After upgrading to current. 10.9.0-c27

For every user on every server when creating a mysql database...

"Database Created
Added the database testing1. Sorry, you have exceeded the maximum allowed databases. "

Cpanel shows the mysql database limits as 6/9999. 6 used, 9999 maximum.

----------

This is only for packages that have unlimited mysql databases.

Long ago when creating a package, if you left it mysql blank, it would take it as unlimited. It is now taking a blank in the feature set as being 0 instead of unlimited.

Just need to edit a million packages then readd thousands of addons.

[cPanelKyle]

Quote:

Originally Posted by nat

After upgrading to current. 10.9.0-c27

For every user on every server when creating a mysql database...

"Database Created
Added the database testing1. Sorry, you have exceeded the maximum allowed databases. "

Cpanel shows the mysql database limits as 6/9999. 6 used, 9999 maximum.

Please open a support ticket in regards to this and we will be glad to look into it for you.

[kernow]

Quote:

Originally Posted by jamesbond

So only CURRENT and EDGE also update cpwrap (besides the patch)?

Meaning the patched STABLE and RELEASE versions are less secure and could still be vulnerable to modified versions of the exploit? Or is this incorrect?

Thats the way i read it. Its this line below that made us upgrade to the Current build:

Quote:

We recommend updating (if you do not wish to update see the manual patch instructions below) to the latest EDGE or CURRENT build as these builds include the latest security patch as well as additional protection (the underlying wrapper now contains vastly improved input sanitization)

[kernow]

Quote:

Originally Posted by nat

After upgrading to current. 10.9.0-c27

10.9.0-c27 ???? We only got Current 10.9.0-c26 a few hours ago, .................. And now i see the lateset is : 10.9.0-CURRENT_28
(Mon Sep 25 02:59:48 2006)
http://layer2.cpanel.net/
So two version updates in a matter of hours,.............. Should we upgrade again ??

[cinusik]

I can confirm that upgrade to current 28 fixed mysql phpmyadmin issue on all our servers. Now all created databases are accessible thru cpanel's phpmyadmin. Thank you cPanel crew for hard work on thisone.

[jamesbond]

Perhaps this is also a good time for a REAL security audit.

Posts like this are not very comforting:

Quote:

Last week, on an unrelated project, we had a world class security services company come in and do an audit. One of the systems they tested was a Cpanel server.

Their comment, from a security point of view is that Cpanel is an open hole that any beginner should be able to hack in to in dozens of ways. They could not believe all the holes. They did a demo for me where they hacked a fully hardened server with all the latest updates and kernel in less than 5 minutes. They almost could not stop laughing at how easy it was.

http://www.webhostingtalk.com/showpo...7&postcount=44

[forlinuxsupport]

Well looks like this have finnally been sorted.. wow

A few observations I have noticed

1) Cpanel needs a quick way to let us know when there is a problem - namely a mailing list !!!!

2) This forum / thread needs much better control. I think I counted 3 separate and unrelated issues in here. Rather stick to the topic guys, or open a new topic for your problem.
(e.g .what has a missing mysql db got to do with ROOT escalation ??)

3) The changelog really needs to be update quicker and preferably BEFORE an update is run, so we need to know WHAT is being updated (and what might break). It a joke really !! I think it only useful for people who run their servers on Manual update (STABLE).

Hopefully this nice scare has woken us all up, including cpanel.

Well done to everyone who reported this + helped to troubleshoot it :
GOOD JOB Guys.

and thanks to Cpanel for not just buring their heads in the sand, nice quick reaction boys / girls

Im sure we will all learn from this, and cpanel will become even a better kick A$$ product

[kernow]

Quote:

Originally Posted by forlinuxsupport

1) Cpanel needs a quick way to let us know when there is a problem - namely a mailing list !!!!

If you bought or leased your licence from cpanel direct, you would have received an email from them ( as we did )
We also received emails from three other data centres where we lease servers regarding this issue, and yet another email from http://www.configserver.com/blog/.