The Community Forums


cpanel bug / Get root access with root password

Discussion in 'General Discussion' started by majidnt, Aug 10, 2005.

  1. majidnt

    majidnt Well-Known Member

  2. chirpy

    chirpy Well-Known Member

    Then you should have contacted cPanel through the standard channels, i.e. emailed security@cpanel.net.
     
  3. cPanelBilly

    cPanelBilly Guest

    That is correct. If you manage to guess the server owner's root password you will have access to all accounts on the server. Just like if you have the server's root password you can log in to root via shell.

    Sorry, this is not a bug/exploit. This is how Linux works.
     
  4. richy

    richy Well-Known Member

    I think I understand how this could be a bug...

    Under normal operation, you would have to know that "root" has the password of "defpass" to be able to login as root. So you need to know two things - the username and the password.

    However, due to the reseller drop down box option - you only need to know/guess the password. So, for example, if your customer decides to use the password "defpass" and then logs in - the cPanel control panel will show the "Change domain" dropdown menu which will give them access to other people's accounts and they may then attempt to try logging in as root with that password.

    Ok, if you have relatively secure passwords such as Q69x73PF or u962THK2 or 79r4KE6F (Firefox's Secure Password generator is so handy!), the chance of a user being able to guess the password you happen to be using is quite low, but it still takes away the "two items needed" standard security of Linux.

    So what can cPanel Inc do? Well, they could remove the "Reseller/WHM drop down" menu which appears on cPanel - it won't avoid the bug, but would provide no indication to a user that they have happened to set their password to the same as the root user. cPanel Inc could also remove the very handy "login as customer using reseller/root password" option and only allow access via the WHM List account option (meaning that the username+password combination comes back into force). But that's about it and it's not "that big" a security issue as long as you have relatively secure passwords IMHO (but it's still a slight issue).

    Other things cPanel could do to minimise the effectiveness of this bug: Limit the number of password changes a user could make in a set time frame (does a user really need to change their password more than twice in any 24 hours?), ensure incorrect logins to control panels are logged so servers running something like BFD can pick up invalid logins and block IP addresses (we've all probably got BFD checking for invalid SSH root logins - but how about invalid cPanel/WHM logins?), add IP address restrictions to the root WHM system (even support .htaccess would be fine).
     
  5. anup123

    anup123 Well-Known Member

    If it's an issue with all accounts under reseller being visible (or for that matter root) due to an Accidental/Lucky Passwd Guess, eliminating that Drop down list altogether shouldn't prove to be a handicap in terms of functional utility on the whole. Reseller (root) as it is can still go to individual accounts under them from their WHM, but at least the account owner wouldn't know that he has hit the Jackpot!

    This is if I understand what's presented in the thread.

    Thanks
    Anup
     
  6. PWSowner

    PWSowner Well-Known Member

    If I understand correctly, the only real issue here is whether or not root or resellers use good enough passwords to not be chosen by someone else. With a 12 character password using all allowable characters, you have at least 37133262473195501387776 possibilities. 2 people should never have the same passwords.
     
  7. rpmws

    rpmws Well-Known Member

    I guess what this winds up meaning is like this:

    With "root" you don't have to guess the username... you know it. One possibility only. But you would have to guess the password. You have one possible "root" username that would be correct. If you can use any of the users and the root password, you have that number of possible matches for the username (total on box) and for the password you have only one possibility. So if someone gets on the cPanel as "joblow" and actually guesses the only root password... he will figure out that he has the root password... which means he can try "root" and that same (root) password elsewhere also on the box... ssh and whatever else. Am I on the right track with what this means? So he would have to do this guessing attack against the cPanel 2082 login, right?
     
  8. Specks

    Specks Well-Known Member

    From what I see, it's required that you use your root or reseller account password when making an account in order for this to work. I don't think anyone in their right mind would use their root or reseller password as a customer's initial password. I would think this has a low to nil chance of being exploited. If a person uses their password like that, they're just asking for it.
     
  9. shulshof

    shulshof Registered


    If my own user, let's say "shulshof", has the same password as root, I do not get root access, this is not how unix works. That is my understanding of what happened. Please correct me if I am wrong. But being a "normal" user having a root password is what happened.

    The chances of this happening, almost zero. Still a bug and should be fixed (if my understanding of the problem is correct) :)


    Steve
     
  10. HH-Steven

    HH-Steven Well-Known Member

    There is one other measure you can add that I don't think has been mentioned.

    Disable direct root login

    That way the "hacker" has to enter two logins:

    wheel group user and pass
    root pass

    Now of course if this user has the root pass he can easily add himself to the wheel group via root WHM, but nonetheless it's another measure in place.

    Another way would be to change the ssh port.

    Of course the above methods only affect ssh logins.

    It is a very, very slight chance that the user picks a password identical to the root password, but it's still a chance. What can be done about it? Not much, I think.
     
  11. HH-Steven

    HH-Steven Well-Known Member

    I also see where shulshof is coming from, for example:

    If a client signs up say under the login of:

    User: demoacc
    Pass: 12345678

    And say for this example the root pass is : 12345678

    When he goes to sign in at domain/cpanel using his login, then he is going to be seeing a lot more than he should.

    All accounts owned by root will be selectable via the drop down list.

    Not very secure, but also not very likely to happen.
     
  12. brianoz

    brianoz Well-Known Member

    How is this a bug?

    If you guess the root password, you have access to everything on the box. If I guess *your* password, I've got access to everything in your account. That's just the way operating systems work.

    Perhaps the only vulnerability here is the presence of the dropdown box. cPanel could possibly make the drop-down box a configurable option for prospective security experts who are concerned about this. Or, could possibly detect an attempt to change a password to the root password and refuse it at the time of the change, but that's about it. Actually, there probably is a useful fix here - if a user password is the same as the root password, don't assume it's root trying to log in. I guess currently that cPanel checks for a root password before checking for the user password and I'm suggesting a reversal of order in the checks.

    Really, there's no substitute for a good root password. In training sysadmins in basic security the FIRST thing we teach them is to choose good passwords. If you can't do that part, then it's nearly pointless working on any other aspect of security.

    Of course, there's the other part of this, in that cPanel and WHM don't enforce good passwords as far as I know (I don't try to set bad passwords so I wouldn't run into that restriction). That in itself would be a meaningful and helpful security enhancement. They'd want to run a dictionary check, and check for permutations of the user name. Since the admin doesn't get to control what users reset their passwords to, this would be a good move for the industry.
     
    #12 brianoz, Aug 19, 2005
    Last edited: Aug 19, 2005
  13. rpmws

    rpmws Well-Known Member

    I have been talking to Nick a few times now about working on better password strengths when cPanel is used to create a new password. It is going to be added soon where all passwords will be tested for strength. FTP accounts are a common problem because they open a spot for hackers to put their web files and actually run them through apache. So added FTP, pop, MySQL are just a start for better password management tests. I can't tell you how many idiots use "password" for their password. These new measures will help prevent that. Nick told me this feature might wind up in EDGE soon.
     
  14. chirpy

    chirpy Well-Known Member

    That feature is there in RELEASE upwards now in WHM > Tweak Settings ;)

    That's been in bugzilla for an age :)
    http://bugzilla.cpanel.net/show_bug.cgi?id=2082
     
  15. rpmws

    rpmws Well-Known Member

    I see that. Won't be long :)
     
  16. brianoz

    brianoz Well-Known Member

    This would be a good, and small, change that would eliminate the security complaint entirely. That is, check for the user password first, and use it as that if it matches, regardless of whether the password matches the root password as well.
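
The check order discussed in this thread, as an added example that is not part of any post and is not cPanel's code: the account table, the function names and the "root"/"user" scope labels are hypothetical, reseller passwords are left out, and the sample passwords are the ones quoted in the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Accounts:
    """Constructed account table: name -> (salt, password hash)."""
    def __init__(self):
        self._rows = {}

    def add(self, name, password):
        salt = os.urandom(16)
        self._rows[name] = (salt, _digest(password, salt))

    def exists(self, name):
        return name in self._rows

    def matches(self, name, password):
        row = self._rows.get(name)
        if row is None:
            return False
        salt, stored = row
        return hmac.compare_digest(stored, _digest(password, salt))

def login_override_first(accounts, user, password):
    """Order guessed at in the thread: the root password is tried first."""
    if not accounts.exists(user):
        return None
    if accounts.matches("root", password):
        return "root"   # session lists every account (the dropdown)
    return "user" if accounts.matches(user, password) else None

def login_user_first(accounts, user, password):
    """Order proposed in the thread: the account's own password is tried first."""
    if not accounts.exists(user):
        return None
    if accounts.matches(user, password):
        return "root" if user == "root" else "user"
    # Only reached when the account's own password did not match, so this
    # is a deliberate login-as-customer with the root password.
    return "root" if accounts.matches("root", password) else None

def demo():
    accounts = Accounts()
    accounts.add("root", "12345678")      # sample value from the thread
    accounts.add("demoacc", "12345678")   # customer happens to pick the same one
    accounts.add("other", "u962THK2")
    return accounts
```

With the user-first order, `demoacc` gets an ordinary session and no sign that the passwords collide, while root can still open `other` with the root password.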
     
  17. shulshof

    shulshof Registered

    It is a bug


    In the example of the bug, the person was logged in as a normal user, with the normal user password, which is the same as the root and had access to other accounts. This is NOT the way operating systems work, if your normal user has the same password as root, they do not get root access. Unless of course they log in as root.


    But still you have to give this user the same password as root, and I doubt any of us would actually do that :)


    Steve
     
  18. shulshof

    shulshof Registered

    I agree with the strong root password, make sure it's nothing simple! Actually all passwords should not be simple ever!


    IMO It comes down to a flaw in the login process!

    A user logging in as themself should not be given superuser information because his password is the same as root!!!


    Now of course in any environment if they login as root/administrator/superuser and try their password they get access. But here they login and are TOLD they have the same password and given the access.

    Makes you wonder how the login system works!





    Steve
     
    #18 shulshof, Aug 24, 2005
    Last edited: Aug 24, 2005
  19. jackie46

    jackie46 BANNED

    This exact thing happened to us last week. A reseller sent us an email telling us that he could see every username from the dropdown list from his account.

    I checked it out and sure enough there it was. I emailed cPanel and they told me this is a known bug in Edge and that we should downgrade to Stable. Once we downgraded to S the problem was resolved. So if you're running Edge be careful! I can assure you that our reseller did not have our root password.
     
  20. chirpy

    chirpy Well-Known Member

    Well, you can simply disable this in RELEASE/CURRENT/EDGE now as I mentioned in an earlier post if you want to, though it breaks the ability to connect to the user's cPanel account, which is a pain.
     