A possible BUG that is very serious!! ROOT ACCESS

[jpabboud]

Ok one of my customers reported that he was able to type "su" in his jailshell and it gave him root without even asking for a password. I didn't believe it until I logged in using a regular account and typed su... before I could even realize I had root access on important folders on the system like /var /tmp /bin /usr.

This is of course a very serious BUG affecting my Cpanel WHM 9.4.0 cPanel 9.4.1-E73 on FreeBSD 5.2.1-RELEASE-p8, I'm not sure if it's an isolated problem or a general one so I would appreciate if some of you guys could test it on your own servers.


Jean-Pierre Abboud

[casey]

/bin/su permission denied

is the response I get.

[jpabboud]

Ok what version of Cpanel/Operating System ?

/bin/su permission denied

is the response I get.

[Seal]

/bin/su permission denied
RHE
WHM 9.4.0 cPanel 9.4.1-R64

[K_aneda]

Our /bin/su has permissions to execute and read removed from non-wheel and non-root users anyway. When moved back, tested with users, with and without jailshell, users cant escalate priveleges to uid=0. Running latest cPanel RELEASE.

[jpabboud]

Our /bin/su has permissions to execute and read removed from non-wheel and non-root users anyway. When moved back, tested with users, with and without jailshell, users cant escalate priveleges to uid=0. Running latest cPanel RELEASE.

I'm curious to see if any of those tests were done on a FreeBSD server, the FreeBSD jailshell has been really unstable/buggy so it wouldn't surprise me if it was affecting only FreeBSD servers.

[K_aneda]

Oops forgot to quote OS, Redhat Enterprise 3.0ES... yes it would, maybe we should ask the techs in the IRC channel, no?

[casey]

Ok what version of Cpanel/Operating System ?

CentOS, RH9 / Current build of cPanel

[jpabboud]

Oops forgot to quote OS, Redhat Enterprise 3.0ES... yes it would, maybe we should ask the techs in the IRC channel, no?

I immediately opened a ticket with Cpanel... What's the IRC server, channel (sorry never visited before).

[netwrkr]

Ok one of my customers reported that he was able to type "su" in his jailshell and it gave him root without even asking for a password. I didn't believe it until I logged in using a regular account and typed su... before I could even realize I had root access on important folders on the system like /var /tmp /bin /usr.

This is of course a very serious BUG affecting my Cpanel WHM 9.4.0 cPanel 9.4.1-E73 on FreeBSD 5.2.1-RELEASE-p8, I'm not sure if it's an isolated problem or a general one so I would appreciate if some of you guys could test it on your own servers.


Jean-Pierre Abboud

For future reference please send security related issues to security@cpanel.net. This is a public forum which everyone (cpanel owners and hackers) can view.

Thanks.

[cPanelBilly]

I just tested this on a
WHM 9.7.2 cPanel 9.7.2-E16
FreeBSD 5.1-RELEASE i386 - WHM X v3.1.0
server and was not able to replicate the issue. Can you please put in a ticket and either PM me the ticket # or post it here so I can have a look into it.

[cpanelnick]

I am also unable to verify this, tested 1 linux, 1 amd64 freebsd box and 3 i386 freebsd boxes.

[hicom]

I have tested it on 4.10 and did not work. With Jailshell you can't get SU at all. with regular shell obviously need to enter a password.

Must be something with your machine, bro.

[LP-Trel]

You may have been rooted and your su binary may have been modified. I recommend getting your box checked out.

[dandanfireman]

I have also been able to verify this. It appears that only a portion of the files are visible, possbily only those in virtfs, but su does execute and returns "root" when executing whoami command.