  1. #1 Member (joined Jan 2005, 12 posts)

    A serious cpanel vuln?

    I am posting this because of a recent attack. The user was able to run some sort of script, I'm not sure what, and could access anyone's files and any accounts through cpanel. Is anyone familiar with such a problem, or is there any place I could read up on similar attacks?

    Thanks.

  2. #2 Member (joined Jan 2005, 30 posts)

    How do you know this if "you are not sure what"?

    If you have php open base directory disabled in Main >> Server Setup >> Tweak Security, then that's probably your problem, though it's probably a good idea to switch on safemode too. Read my post here: http://forums.cpanel.net/showthread.php?t=34831

  3. #3 Member (joined Sep 2004, 529 posts)

    Are you positive it was through cpanel? How do you know this?

    I'd guess, without seeing anything, that you had an insecure script in a user's account, that was exploited to upload a script or binary program onto the server and exploit the server further.

    Check all of your log files... details should be in one of them. Which one depends on the entry method. Use grep. I'd check apache logs first.

    Hire a competent server admin to secure your system for you... and then read up and learn about what he did.

  4. #4 Member (joined Jan 2005, 12 posts)

    Well, we do know one thing: he ran some sort of script to do all of this. We have been having problems with this issue; people can register an account and upload this script that's going around (not sure what it is) and then take over others' accounts whenever they want.

    Sorry that I don't have much information, they claimed it was a cpanel vulnerability. I tried to get the CPanel Vuln Scanner from A-SQUAD but it does not seem to work for me to see if I'm vulnerable to a few exploits.

    Thanks for the information posted above.

  5. #5 Member (joined Jan 2005, 12 posts)

    Ok, I tried the script you provided. It does show the files, but it also gives errors like:

    Warning: Cannot modify header information - headers already sent by (output started at /home/moorer/public_html/test.php:11) in /home/moorer/public_html/test.php on line 5

    Warning: Cannot modify header information - headers already sent by (output started at /home/moorer/public_html/test.php:11) in /home/moorer/public_html/test.php on line 6

    Warning: Cannot modify header information - headers already sent by (output started at /home/moorer/public_html/test.php:11) in /home/moorer/public_html/test.php on line 7


    If I add error_reporting(0); to the top of the script, and add newline capabilities, that right there shows me the entire home directory for that user. That is insane.
    Last edited by moorer; 01-27-2005 at 01:33 PM.

  6. #6 Member (joined Jan 2005, 30 posts)

    Quote Originally Posted by moorer
    Warning: Cannot modify header information - headers already sent by....
    Sounds like you have error reporting up too high?

    My code is a very basic example, just enough to demonstrate the problem, but yes, it could be modified to list directories etc. Imagine what people could do with something like QuiXplorer from http://quixplorer.sourceforge.net/ if you are not properly protected?

  7. #7 Member (joined Jan 2005, 30 posts)

    PHP Checklist:

    Main >> Server Setup >> Tweak Security >> Php open_basedir Tweak <- ENABLE
    Main >> Server Setup >> Tweak Security >> mod_userdir Tweak <- ENABLE

    Also edit your php.ini file!

    safe_mode = On
    safe_mode_gid = Off


    This will put a stop to all but the hardened php script kiddies, but if you have compiled php with support for curl you may still be at risk unless you make sure that curl is compiled WITHOUT local file access!

  8. #8 Member (joined Jan 2005, 12 posts)

    I tried testing the curl script. When I ran it, it just showed a blank page? I'm not sure if this means it's a positive result.

  9. #9 Member (joined Jan 2005, 12 posts)

    Oh wow! That file management program is killer. I just tried it, set the user to a different user than myself, and it shows everything, manageable.. This is a huge problem! Thank you so much for your time.

  10. #10 Member (joined Jan 2005, 30 posts)

    Quote Originally Posted by moorer
    I tried testing the curl script. When I ran it, it just showed a blank page? I'm not sure if this means its a positive result.
    What happens when you do:

    PHP Code:
    <?php
    // Ask libcurl to open a local file through the file:// scheme
    $ch = curl_init("file:///etc/passwd");
    // Hand the body back as a string instead of printing it straight away
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $fr = curl_exec($ch);
    curl_close($ch);
    // Blank output here means the local file access path is closed off
    echo $fr;
    ?>
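
A read-only check that ties together the checklist in post #7 and the curl test above: it reports whether open_basedir, safe_mode and curl's local file access are in the state the checklist asks for. This is an added example, not code from the thread or from cPanel; the probe path /etc/hostname (a file outside any account's home) is an assumption.

```php
<?php
// Added example: confirm the hardening settings discussed in the thread
// actually apply to the account this script runs under.
// /etc/hostname is an assumed probe path outside the account's home directory.

function checkOpenBasedir(string $probe = '/etc/hostname'): array {
    $basedir = ini_get('open_basedir');
    // When open_basedir restricts the account, is_readable() on a path outside
    // the allowed list returns false (and logs a warning, hence the @).
    $outsideBlocked = !@is_readable($probe);
    return [
        'open_basedir'    => ($basedir !== false && $basedir !== '') ? $basedir : '(not set)',
        'outside_blocked' => $outsideBlocked,
    ];
}

function checkSafeMode(): string {
    // safe_mode was removed in PHP 5.4, so ini_get() returns false on current builds.
    $value = ini_get('safe_mode');
    if ($value === false) {
        return 'not available in this PHP build';
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN) ? 'On' : 'Off';
}

function checkCurlLocalFiles(): array {
    if (!function_exists('curl_version')) {
        return ['loaded' => false];
    }
    $protocols = curl_version()['protocols'];
    // "file" in libcurl's protocol list means it was built with local file
    // access, which is exactly what the file:///etc/passwd test relies on.
    return ['loaded' => true, 'file_scheme' => in_array('file', $protocols, true)];
}

$report = [
    'open_basedir' => checkOpenBasedir(),
    'safe_mode'    => checkSafeMode(),
    'curl'         => checkCurlLocalFiles(),
];
foreach ($report as $name => $result) {
    echo str_pad($name, 14), json_encode($result), PHP_EOL;
}
```

Run it from a test account's web root rather than the command line, since the CLI php.ini is usually different from the one Apache loads. An outside_blocked of false or a file_scheme of true means the matching checklist item has not taken effect for that account.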

  11. #11 Member (joined Jan 2005, 12 posts)

    Oh wow... I got a lot of stuff from that. All the users and path locations.. Damn, so basically a user could steal all the password information and users and crack them with something like John the Ripper?


    BTW, curl is compiled without local file access; what else could I do?
    Last edited by moorer; 01-27-2005 at 10:25 PM.

  12. #12 Member (joined Jan 2005, 30 posts)

    Quote Originally Posted by moorer
    Oh wow... I got a lot of stuff from that. All the users and path locations.. Damn, so basically a user could steal all the password information and users and crack them with like John the Ripper?
    Fortunately they would also need to get hold of /etc/shadow, which is only readable by root, but a list of usernames is still a serious breach of security and is still one half of authentication.

    Quote Originally Posted by moorer
    BTW curl is compiled without local file access, what else could I do?
    Install chkrootkit, tripwire, apf firewall, blah blah blah etc...

    There's a lot you can do to help protect your box.
    Last edited by weaver; 01-27-2005 at 10:30 PM.

  13. #13 Member (joined Jan 2005, 12 posts)

    I mean, is there not a setting that I can use to stop that curl vulnerability? Firewall and such we are ok on.

  14. #14 Member (joined Jan 2005, 12 posts)

    Ok, the php open base directory is disabled now. It's not vulnerable anymore, thank you very much for that. Now we need to focus on this curl vulnerability. I was reading on securityfocus to disable CURL support for PHP. But then WHM does not work properly without it, and local file access has been disabled. Still can traverse outside any folder. Any ideas?

  15. #15 Super Moderator chirpy (account confirmed by cPanel staff to represent a vendor; joined Jun 2002, location: Go on, have a guess, 13,495 posts)

    It's not a vulnerability, it's how virtual web hosting works. You have to live with it and protect your server as much as possible.

    You can go ahead and use open_basedir protection in PHP, but it is trivial in the extreme to do exactly the same thing in perl and you cannot stop it.

    One thing you should always do is run:

    /scripts/enablefileprotect

    Though, again, this is just obscuring directories and it is easily worked around.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
