The Community Forums

Interact with an entire community of cPanel & WHM users!

A serious cpanel vuln?

Discussion in 'General Discussion' started by moorer, Jan 27, 2005.

  1. moorer

    moorer Member

    Joined:
    Jan 27, 2005
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    I am posting this because of a recent attack. The user was able to run some sort of script, I'm not sure what, and could access anyone's files and any accounts through cpanel. Anyone familiar with such a problem or any place I could read up on some similar attacks?

    Thanks.
     
  2. weaver

    weaver Active Member

    Joined:
    Jan 19, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    How do you know this if "you are not sure what"?

    If you have php open base directory disabled in Main >> Server Setup >> Tweak Security then that's probably your problem, though it's probably a good idea to switch on safemode too. Read my post here: http://forums.cpanel.net/showthread.php?t=34831
     
  3. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Are you positive it was through cpanel? How do you know this?

    I'd guess, without seeing anything, that you had an insecure script in a user's account, that was exploited to upload a script or binary program onto the server and exploit the server further.

    Check all of your log files... details should be in one of them. Which one depends on the entry method. Use grep. I'd check apache logs first.

    Hire a competent server admin to secure your system for you... and then read up and learn about what he did.
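    As an added example (not from this thread, not cPanel's code), here is the kind of log check dezignguy describes, written as a shell function over constructed Apache combined-format lines; the three rules, the client addresses and the script names are assumptions made up for the sample.

```shell
#!/bin/sh
# Added example, not from the thread: flag access-log lines that fit the
# activity described above (traversal out of a user's directory, scripts
# reaching for /etc/passwd, a file manager pointed at another account's home).
# Assumes Apache "combined" log format; SAMPLE_LOG is constructed test data.

SAMPLE_LOG='203.0.113.5 - - [27/Jan/2005:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [27/Jan/2005:10:02:15 +0000] "GET /gallery.php?file=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/4.0"
203.0.113.5 - - [27/Jan/2005:10:03:40 +0000] "POST /upload.php HTTP/1.1" 200 120 "-" "Mozilla/4.0"
203.0.113.5 - - [27/Jan/2005:10:04:01 +0000] "GET /images/qx.php?dir=/home/otheruser&order=name HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
198.51.100.9 - - [27/Jan/2005:10:05:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"'

# Usage: flag_suspicious [logfile...]   (reads stdin when no file is given)
# Prints "lineno rule client" for each hit; the first matching rule wins.
flag_suspicious() {
    awk '
    {
        split($0, q, "\"")        # q[2] is the request line between the first quotes
        req = tolower(q[2])
        if (req ~ /\.\.\/|%2e%2e/)                { print NR, "traversal", $1; next }
        if (req ~ /\/etc\/(passwd|shadow)/)       { print NR, "etcfile",   $1; next }
        if (req ~ /[?&](dir|path|file)=\/home\//) { print NR, "homepath",  $1; next }
    }' "$@"
}

# Usage: suspicious_clients [logfile...]
# Counts hits per client address so one host probing many paths stands out.
suspicious_clients() {
    flag_suspicious "$@" | awk '{ hits[$3]++ } END { for (ip in hits) print ip, hits[ip] }'
}

printf '%s\n' "$SAMPLE_LOG" | flag_suspicious
```

    Run it against a real domlog instead of the sample by passing the file path as the argument; a hit only tells you where to start reading, not that the request succeeded.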
     
  4. moorer

    moorer Member

    Well we do know one thing, he ran some sort of script to do all of this. We have been having problems with this issue, people can register an account and upload this script that's going around (not sure what it is) and then take over others' accounts whenever they want.

    Sorry that I don't have much information, they claimed it was a cpanel vulnerability. I tried to get the CPanel Vuln Scanner from A-SQUAD but it does not seem to work for me to see if I'm vulnerable to a few exploits.

    Thanks for the information posted above.
     
  5. moorer

    moorer Member

    Ok I tried the script you provided. It does show the files but it also gives errors like:

    Warning: Cannot modify header information - headers already sent by (output started at /home/moorer/public_html/test.php:11) in /home/moorer/public_html/test.php on line 5

    Warning: Cannot modify header information - headers already sent by (output started at /home/moorer/public_html/test.php:11) in /home/moorer/public_html/test.php on line 6

    Warning: Cannot modify header information - headers already sent by (output started at /home/moorer/public_html/test.php:11) in /home/moorer/public_html/test.php on line 7


    If I add error_reporting(0); to the top of the script, and add newline capabilities, that right there shows me the entire home directory for that user. That is insane.
     
    #5 moorer, Jan 27, 2005
    Last edited: Jan 27, 2005
  6. weaver

    weaver Active Member

    Sounds like you have error reporting up too high?

    My code is a very basic example, just enough to demonstrate the problem, but yes, it could be modified to list directories etc. Imagine what people could do with something like QuiXplorer from: http://quixplorer.sourceforge.net/ if you are not properly protected?
     
  7. weaver

    weaver Active Member

    PHP Checklist:

    Main >> Server Setup >> Tweak Security >> Php open_basedir Tweak <- ENABLE
    Main >> Server Setup >> Tweak Security >> mod_userdir Tweak <- ENABLE

    Also edit your php.ini file!

    safe_mode = On
    safe_mode_gid = Off


    This will put a stop to all but the hardened php script kiddies but if you have compiled php with support for curl you may still be at risk unless you make sure that curl is compiled WITHOUT local file access!
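    An added example, not weaver's or cPanel's code: a shell function that audits a php.ini for the settings in the checklist above and reports which ones are weak, with the corrected line beside each finding. The two ini fragments are constructed samples; the open_basedir tweak itself is set per vhost in cPanel, so the check only looks at whether php.ini sets any value at all.

```shell
#!/bin/sh
# Added example (not weaver's or cPanel's code): audit a php.ini for the
# settings in the checklist above. Reads the file named in $1 (or stdin),
# prints one line per weak setting and exits 1 if any was found.
# WEAK_INI and HARD_INI are constructed samples used for a self-test.

WEAK_INI='; typical stock php.ini
safe_mode = Off
safe_mode_gid = On
;open_basedir ='

HARD_INI='safe_mode = On
safe_mode_gid = Off
open_basedir = "/home/:/tmp/"'

# Usage: audit_php_ini [php.ini]
audit_php_ini() {
    awk '
    /^[ \t]*;/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next
        k = tolower(substr($0, 1, eq - 1)); v = tolower(substr($0, eq + 1))
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        seen[k] = v                              # last assignment wins, as in PHP
    }
    END {
        bad = 0
        if (seen["safe_mode"] != "on" && seen["safe_mode"] != "1") {
            print "weak: safe_mode is off -> set  safe_mode = On"; bad++
        }
        if (seen["safe_mode_gid"] == "on" || seen["safe_mode_gid"] == "1") {
            print "weak: safe_mode_gid is on (GID check only) -> set  safe_mode_gid = Off"; bad++
        }
        if (seen["open_basedir"] == "") {
            print "weak: open_basedir is unset -> restrict each vhost to its own home"; bad++
        }
        exit (bad > 0)
    }' "$@"
}

printf '%s\n' "$WEAK_INI" | audit_php_ini || echo "php.ini needs attention"
```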
     
  8. moorer

    moorer Member

    I tried testing the curl script. When I ran it, it just showed a blank page? I'm not sure if this means it's a positive result.
     
  9. moorer

    moorer Member

    Oh wow! That file management program is killer. I just tried it, set the user to a different user than myself, and it shows everything, manageable. This is a huge problem! Thank you so much for your time.
     
  10. weaver

    weaver Active Member

    What happens when you do:

    PHP:
    <?php
    $ch = curl_init("file:///etc/passwd");
    $fr = curl_exec($ch);
    echo $fr;
    ?>
     
  11. moorer

    moorer Member

    Oh wow... I got a lot of stuff from that. All the users and path locations.. Damn, so basically a user could steal all the password information and users and crack them with like John the Ripper? :eek:


    BTW curl is compiled without local file access, what else could I do?
     
    #11 moorer, Jan 27, 2005
    Last edited: Jan 27, 2005
  12. weaver

    weaver Active Member

    Fortunately they would also need to get hold of /etc/shadow which is only readable by root but a list of usernames is still a serious breach of security and is still one half of authentication :(

    Install chkrootkit, tripwire, apf firewall, blah blah blah etc...

    There's a lot you can do to help protect your box ;)
     
    #12 weaver, Jan 27, 2005
    Last edited: Jan 27, 2005
  13. moorer

    moorer Member

    I mean is there not a setting that I can do to stop that curl vulnerability? Firewall and such we are ok on.
     
  14. moorer

    moorer Member

    Ok, the php open base directory is disabled now. It's not vulnerable anymore, thank you very much for that. Now we need to focus on this curl vulnerability. I was reading on securityfocus to disable CURL support for PHP. But then WHM does not work properly without it, and local file access has been disabled. Still can traverse outside any folder. Any ideas?
     
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's not a vulnerability, it's how virtual web hosting works. You have to live with it and protect your server as much as possible.

    You can go ahead and use open_basedir protection in PHP, but it is trivial in the extreme to do exactly the same thing in perl and you cannot stop it.

    One thing you should always do is run:

    /scripts/enablefileprotect

    Though, again, this is just obscuring directories and it is easily worked around.
     
  16. moorer

    moorer Member

    How is this possible that it's just how it works? I don't see why a user should be able to go out of his directory by using scripts just because they have an account on the server.. What does this fileprotect do?


    Also, how would a user do it in perl/cgi? I mean, can you do any examples? I'm very curious so we can watch for the activity.
     
    #16 moorer, Jan 28, 2005
    Last edited: Jan 28, 2005
  17. chirpy

    chirpy Well-Known Member

    Sure, here's one I posted months ago:
    http://forums.cpanel.net/showthread.php?p=140348

    You really do have to understand that this is how web hosting in a shared environment works. The only way you will really get around it is to use VPS's instead.
     
  18. weaver

    weaver Active Member

    That about sums it all up in one line :)
     