
MOAUB #1 - Cpanel PHP Restriction Bypass Vulnerability 0day

Discussion in 'Security' started by ASTRAPI, Sep 1, 2010.

  1. ASTRAPI

    ASTRAPI Well-Known Member

    How can I protect against this new exploit?

    MOAUB #1 - Cpanel PHP Restriction Bypass Vulnerability 0day

    Code:
    1) Advisory information
     
      Title               :  Cpanel  PHP Restriction Bypass Vulnerability
      Version             : <= 11.25
      Discovery           : http://www.abysssec.com
      Vendor              :  http://www.cpanel.net
      Impact              :  Critical
      Contact             :  shahin [at] abysssec.com , info  [at] abysssec.com
      Twitter             : @abysssec
     
    2) Vulnerability Information
     
    Class
            1- Restriction Bypass Vulnerability
    Impact
    Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks. It can help an attacker bypass restrictions such as mod_security, safe_mode and disable_functions.
    Remotely Exploitable
    No
    Locally Exploitable
    Yes
     
    3) Vulnerability details
     
    1- Restriction Bypass Vulnerabilities:
     
    All files named with this structure:
    [Domain | Filename]
    are loaded from:
    /home/[user directory name]/.fantasticodata/[Script name folder] and every file is included.
     
    Example [folder] :
    /home/test/.fantasticodata/Joomla_1.5/
    then include this file  :
    test.com|file1
     
    After you created your malicious file in that style you can browse this page:
    http://test.com:2082/frontend/x3/fantastico/autoinstallhome.php?app=Joomla_1.5
     
     
    Now your PHP code will execute without /safe_mode/Disable_function/ Mod_security due to cpanel php.ini must be run with execute permission.
     
    Vulnerable code located in /usr/local/cpanel/3rdparty/fantastico/autoinstallhome.php :
    Line 529 :
      function Show_Notice ( $Script , $Version_Numbers )
        {
            $Home_Directory = $GLOBALS['enc_cpanel_homedir'] ;
            if ( substr ( $Home_Directory , -1 ) != '/' )
            {
                $Home_Directory = $Home_Directory . '/' ;
            }
            $Files = Array ( ) ;
            $Directory = $Home_Directory . '.fantasticodata/' . $Script . '/' ; // <--- [This Place]
            $Files = Get_Files ( $Directory ) ;
            if ( !empty ( $Files ) AND is_array ( $Files ) )
            {
                $Temporary = natcasesort ( $Files ) ;
            }
            foreach ( $Files As $File )
            {
                $Name    = '' ;
                $Path    = '' ;
                if ( strstr ( $File , "|" ) )
                {
                    $Name = explode ( "|" , $File ) ;
                    $Name = $Name[1] ;
                }
                else
                {
                    $Name = $File ;
                }
                /* Debugging */ // echo $Directory . $File . '<br/>' ;
                if ( is_file ( $Directory . $File ) )
                {
                    include $Directory . $File ;
                    if ( !empty ( $thisscriptpath ) )
                    {
                        $Path = $thisscriptpath ;
                    }
                    else
                    {
                        $Path = $Home_Directory . 'public_html/' . $Name . '/' ;
                    }
                    if ( substr ( $Path , -1 ) != '/' )
                    {
                        $Path = $Path . '/' ;
                    }
                    /* Debugging */ // echo $Path . 'fantversion.php<br/><br/>' ;
                    if ( is_file ( $Path . 'fantversion.php' ) )
                    {
                        include $Path . 'fantversion.php' ;
                        if ( !empty ( $version ) )
                        {
                            if ( in_array ( $version , $Version_Numbers ) )
                            {
                                return 'Yes' ;
                            }
                        }
                    }
                }
            }
            return 'No' ;
        }
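
As an added example (not Fantastico's or cPanel's code, and not part of the original post): the listing above calls `include` on files the account owner can write, so one mitigation is to parse those files as data and to restrict the `app` value to a plain folder name. The function names, the `$name = '...';` storage format and the demo files are assumptions.

```php
<?php
// Added example; function names are hypothetical, not Fantastico's.
// Accept only a plain folder name such as "Joomla_1.5" from the app parameter.
function safe_script_name(string $script): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $script) === 1 && strpos($script, '..') === false;
}

// Read one string variable from a user-writable file WITHOUT executing it.
// Assumption: values are stored as  $name = '...';  with a literal string.
function read_string_var(string $file, string $name): ?string
{
    if (is_link($file) || !is_file($file)) {
        return null;
    }
    $body = file_get_contents($file, false, null, 0, 8192);
    $re = '/\$' . preg_quote($name, '/') . '\s*=\s*([\'"])([^\'"\\\\$`]*)\1\s*;/';
    return ($body !== false && preg_match($re, $body, $m)) ? $m[2] : null;
}

// Same decision as Show_Notice, but no include of user-controlled paths.
function show_notice_hardened(string $home, string $script, array $versions): string
{
    if (!safe_script_name($script)) {
        return 'No';
    }
    $home = rtrim($home, '/') . '/';
    $dir = $home . '.fantasticodata/' . $script . '/';
    $files = is_dir($dir) ? array_diff(scandir($dir) ?: [], ['.', '..']) : [];
    foreach ($files as $file) {
        $parts = explode('|', $file);
        $name = $parts[1] ?? $parts[0];
        $path = read_string_var($dir . $file, 'thisscriptpath') ?? $home . 'public_html/' . $name;
        $version = read_string_var(rtrim($path, '/') . '/fantversion.php', 'version');
        if ($version !== null && in_array($version, $versions, true)) {
            return 'Yes';
        }
    }
    return 'No';
}

// Constructed demo: one ordinary record and one file that carries PHP code.
$home = sys_get_temp_dir() . '/fdemo_' . getmypid();
mkdir("$home/.fantasticodata/Joomla_1.5", 0700, true);
mkdir("$home/public_html/site", 0700, true);
file_put_contents("$home/public_html/site/fantversion.php", "<?php \$version = '1.5.20'; ?>");
file_put_contents("$home/.fantasticodata/Joomla_1.5/test.com|site", "<?php \$thisscriptpath = '$home/public_html/site/'; ?>");
file_put_contents("$home/.fantasticodata/Joomla_1.5/test.com|file1", "<?php echo 'EXECUTED'; ?>");
var_dump(show_notice_hardened($home, 'Joomla_1.5', ['1.5.20'])); // files are parsed, never run
var_dump(show_notice_hardened($home, '../../etc', ['1.5.20']));  // folder name is rejected
```

The file carrying `echo 'EXECUTED'` is read as text and yields no value, so its code never runs in the control panel's PHP context.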
     
  2. konrath

    konrath Well-Known Member

    Hello

    Is this insecurity in CPANEL or FANTASTICO?


    Thank you
    Konrath
     
    #2 konrath, Sep 1, 2010
    Last edited: Sep 1, 2010
  3. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Thank you for your inquiry regarding the "MOAUB #1 - Cpanel PHP Restriction Bypass Vulnerability 0day". Our Quality Assurance Team discovered the report shortly after its release. The report was immediately and thoroughly investigated to the satisfaction of our Development team.

    The report concerns the 3rd party software system Fantastico, used to extend the functionality of our product. cPanel Inc. has no control over this 3rd party product and cannot alter or disable the product.

    Furthermore, the severity of this report is relatively minor. The stated issue does not offer any type of privilege escalation or access to data or files not normally available through a variety of other means. All code execution through the cPanel interface, regardless of its source, will run with the privileges of the authenticated user. The operating system limits the security impact of processes running as an unprivileged user through file system privileges and other mechanisms. While the report is accurate, it exaggerates the security implications of a trivial issue.
     
  4. Davetha

    Davetha Member
    PartnerNOC

    We notified Netenberg about this security hole back in late June / early July. They neglected to make the changes to their code which resulted in someone finding a way to exploit Fantastico.

    Another very important issue that wasn't released in the exploit, but can be used in conjunction with the exploit, is that the attacker can read all of the database configuration files, and exploit all of the accounts within minutes. (Another security issue)
     
  5. brianoz

    brianoz Well-Known Member

    That's a result of running without suphp (or phpsuexec etc). It's always trivial to read every php file on the server and steal passwords as everyone's PHP code runs as the same user. You need suphp to have any chance of running a secure server, it's just a basic requirement. I'm not implying it's instant security, but it's a required component IMHO.
     
  6. Davetha

    Davetha Member
    PartnerNOC

    Not true, you can still do this even with SuPHP/PHPSuEXEC/FastCGI etc. running.
     
  7. brianoz

    brianoz Well-Known Member

    Yes, but as it's not a root exploit, you can't see the files as you don't have permission to view them with suphp and family enabled - the unix file permissions stop that.

    If it is a root exploit, then that's a different ball game, of course.
     