Changes to Privilege Escalation in 11.38

[higherlogic]

The documentation makes no mention of any changes for this, as it still lists examples for 11.36:

Privilege Escalation with cPanel API Calls

My custom module makes calls to an admin script, but now I'm getting errors I've never seen before (I've renamed any instance of the module or admin script name to Foo or foo):

warn [Foo::get_domains] Encountered error in Foo::get_domains: Cpanel::AdminBin::Server: Received syntax ok from adminbin without data: Cpanel/foo/DOMAINS

Ok, so we have the module here (the call is made from cPanel to the get_domains function, which calls the DOMAINS command in the admin script):

/usr/local/cpanel/Cpanel/Foo.pm

And then admin script here:

/usr/local/cpanel/bin/fooadmin

Both worked fine in 11.36, as I updated the code to use YAML as suggested. These errors follow the one above:

cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/fooadmin
cpwrapd: adminbin config file: /usr/local/cpanel/bin/fooadmin.conf missing mode value: will use 'simple'.

No mention of what legacy mode is or anything about a configuration file for admin scripts in the documentation.

Then we get these two errors, which seem the most relevant:

warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[foo] function=[DOMAINS]: set error in context foo: statusmsg=[Cpanel::AdminBin::Server: Received syntax ok from adminbin without data: Cpanel/foo/DOMAINS] at /usr/local/cpanel/Cpanel/Wrap.pm line 128

Cpanel::Wrap::send_cpwrapd_request('namespace', 'Cpanel', 'module', 'foo', 'function', 'DOMAINS', 'data', 'cpuser 1', 'action', 'fetch', 'env', HASH(0x43d0970)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 214

Followed by these errors:

Cpanel::AdminBin::_adminfetch('module', 'foo', 'function', 'DOMAINS', 'format', '', 'cache_check_files', '', 'cache', 0, 'args', ARRAY(0x2090c30)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 139

Cpanel::AdminBin::adminfetchnocache('foo', '', 'DOMAINS', '', 'cpuser', 1) called at /usr/local/cpanel/Cpanel/Foo.pm line 261

Cpanel::Foo::Foo_get_domains('add_www', 1) called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110

eval {...} called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110

Cpanel::Api2::Exec::api2_exec('Foo', 'get_domains', HASH(0x7faf176a86c0), HASH(0x210d550)) called at cpanel line 979

main::real_cpexectag('<?cp Foo::get_domains([option]%[/option], hostname) add_www=1 ?>') called at cpanel line 4138

To summarize, module and admin script worked fine in 11.36 and no longer work now. It's not just this function, but all functions (commands) in the admin script that fail.

 

[cPanelNick]

Please use Cpanel::AdminBin::Serializer instead of Cpanel::YAML. We are in the process of generating additional documentation for these changes. In the mean time, [email protected] should be able to help out with the specifics.

 

[cPanelNick]

Also it might help to take a look at how cloudflare's adminbin was updated for 11.38:

https://github.com/cloudflare/CloudFlare-CPanel/blob/master/cloudflare/bin/cfadmin
https://github.com/cloudflare/CloudFlare-CPanel/blob/master/cloudflare/bin/cfadmin.conf

 

[higherlogic]

Ah, thank you for that CloudFlare example. I never would have gotten it without that. No more errors, only a notice that I'm using the legacy adminbin, which is perfect:

cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/fooadmin

Looking forward to the new docs as well. Thanks again!

 

[cPanelNick]

Ah, thank you for that CloudFlare example. I never would have gotten it without that. No more errors, only a notice that I'm using the legacy adminbin, which is perfect:

cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/fooadmin

Looking forward to the new docs as well. Thanks again!

Also if you have ULC/bin/foowrap, you should be able to delete it under 11.38.

 

[higherlogic]

Yup, removed it from the bin directory and everything works. Good to know, thanks again, Nick.

 

[RuthB.]

The new docs on privilege escalation are now available! We've posted them at Privilege Escalation with cPanel API Calls.

Do let us know if you have any questions or feedback on it!

-Ruth Bavousett
Integration Developer
cPanel, Inc.

 

[tizoo]

Hi Ruth,

We have a wrapper that was working with cPanel 11.36. We have rewritten it for cPanel 11.38. As we understant, it was a big simplification as we now just have 2 files :

/usr/local/cpanel/bin/admin/TZBM/tzbmadmin
/usr/local/cpanel/bin/admin/TZBM/tzbmadmin.conf

And we have removed the both files that was in */usr/local/cpanel/admin* before.

What is the right way to call it from PHP ?

If we do the same call as before :

$param['server'] = 'elara.tizoo.com';
$res = $this->cpanel->api2('TZBM', 'getserverparam', $param);

We got the following error in the logs :

[2013-10-21 19:17:31 +0200] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[tzbm] function=[GETSERVERPARAM]: set error in context tzbm: statusmsg=[No adminbin found for cpanel_root=[/usr/local/cpanel] namespace=[Cpanel] module=[tzbm] function=[GETSERVERPARAM]] at /usr/local/cpanel/Cpanel/Wrap.pm line 128
	Cpanel::Wrap::send_cpwrapd_request('namespace', 'Cpanel', 'module', 'tzbm', 'function', 'GETSERVERPARAM', 'data', 'elara.tizoo.com', 'action', 'fetch', 'env', HASH(0x2dd5e80)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 214
	Cpanel::AdminBin::_adminfetch('module', 'tzbm', 'function', 'GETSERVERPARAM', 'format', 'storable', 'cache_check_files', '', 'cache', 0, 'args', ARRAY(0x209be80)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 139
	Cpanel::AdminBin::adminfetchnocache('tzbm', '', 'GETSERVERPARAM', 'storable', 'elara.tizoo.com') called at /usr/local/cpanel/Cpanel/TZBM.pm line 7
	Cpanel::TZBM::api2_getserverparam('server', 'elara.tizoo.com') called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110
	eval {...} called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 110
	Cpanel::Api2::Exec::api2_exec('TZBM', 'getserverparam', HASH(0x2dd49e0), HASH(0x2ddc450)) called at cpanel line 1302
	main::docpanelaction('<cpanelaction>\x0A{"module":"TZBM","reqtype":"exec","func":"getserverparam","apiversion":"2","args":{"server":"elara.tizoo.com"}}\x0A</cpanelaction>') called at cpanel line 4167
	main::dotag_finished_headers(0) called at cpanel line 3901
	main::cpanel_parseblock('<cpanelaction>\x0A{"module":"TZBM","reqtype":"exec","func":"getserverparam","apiversion":"2","args":{"server":"elara.tizoo.com"}}\x0A</cpanelaction>') called at cpanel line 5211
	main::run_standard_mode() called at cpanel line 767
[2013-10-21 19:17:31 +0200] warn [TZBM::getserverparam] Encountered error in TZBM::getserverparam: No adminbin found for cpanel_root=[/usr/local/cpanel] namespace=[Cpanel] module=[tzbm] function=[GETSERVERPARAM]

It seems that we are making our request in the *Cpanel* namespace instead of the *TZBM*.

Do you have some tips on what could be buggy in our call ?

Thanks a lot in adv

 

[tizoo]

Hi again,

We saw in the log that our call try to access the old module */usr/local/cpanel/Cpanel/TZBM.pm*. And we removed it but this just make more errors like :

[2013-10-21 20:20:41 +0200] warn [cpanel] Error loading module TZBM - Can't locate Cpanel/TZBM.pm in @INC ([...]

We also tried to call it this way :

$param['namespace'] = 'TZBM';
$param['module'] = 'tzbmadmin';
$param['function'] = 'getserverparam';
$param['data'] = 'elara.tizoo.com';
$res = $this->cpanel->api2('Wrap', 'send_cpwrapd_request', $param);

And the response is something like :

Could not find function 'send_cpwrapd_request' in module 'Wrap'

But nothing more is written in the log file.

Could you have some additionnal information or links where we can find how to use the wrap framework and call it from PHP ?

Thanks in avance for any tips.

Sincerely yours,

Philippe

 

[tizoo]

Hi all,

In fact it seems that it is not possible to make the same call with PHP as the documentation tell how to make it with Perl.

We finally stay with the old way that generate the following error for each call :

error_log:cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/tzbmadmin

Cheers,
Philippe