MOAUB #1 - Cpanel PHP Restriction Bypass Vulnerability 0day

ASTRAPI

Well-Known Member
Jul 8, 2008
How can I protect against this new exploit?

MOAUB #1 - Cpanel PHP Restriction Bypass Vulnerability 0day

Code:
1) Advisory information
 
  Title               : Cpanel PHP Restriction Bypass Vulnerability
  Version             : <= 11.25
  Discovery           : http://www.abysssec.com
  Vendor              : http://www.cpanel.net
  Impact              : Critical
  Contact             : shahin [at] abysssec.com , info [at] abysssec.com
  Twitter             : @abysssec
 
2) Vulnerability Information
 
Class
        1- Restriction Bypass Vulnerability
Impact
Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks. It can help an attacker bypass restrictions such as mod_security, safe_mode and disable_functions.
Remotely Exploitable
No
Locally Exploitable
Yes
 
3) Vulnerability details
 
1- Restriction Bypass Vulnerabilities:
 
Load all files with this naming structure:
[Domain | Filename]
from:
/home/[user directory name]/.fantasticodata/[Script name folder] and include all of them.
 
Example [folder] :
/home/test/.fantasticodata/Joomla_1.5/
then include this file:
test.com|file1
 
After you created your malicious file in that style you can browse this page:
http://test.com:2082/frontend/x3/fantastico/autoinstallhome.php?app=Joomla_1.5
 
 
Now your PHP code will execute without safe_mode, disable_functions or mod_security, because it runs under cPanel's own PHP with its own php.ini.
 
Vulnerable code is located in /usr/local/cpanel/3rdparty/fantastico/autoinstallhome.php:
Line 529:
  function Show_Notice ( $Script , $Version_Numbers )
    {
        $Home_Directory = $GLOBALS['enc_cpanel_homedir'] ;
        if ( substr ( $Home_Directory , -1 ) != '/' )
        {
            $Home_Directory = $Home_Directory . '/' ;
        }
        $Files = Array ( ) ;
        $Directory = $Home_Directory . '.fantasticodata/' . $Script . '/' ; /* [This Place] */
        $Files = Get_Files ( $Directory ) ;
        if ( !empty ( $Files ) AND is_array ( $Files ) )
        {
            $Temporary = natcasesort ( $Files ) ;
        }
        foreach ( $Files As $File )
        {
            $Name    = '' ;
            $Path    = '' ;
            if ( strstr ( $File , "|" ) )
            {
                $Name = explode ( "|" , $File ) ;
                $Name = $Name[1] ;
            }
            else
            {
                $Name = $File ;
            }
            /* Debugging */ // echo $Directory . $File . '<br/>' ;
            if ( is_file ( $Directory . $File ) )
            {
                include $Directory . $File ;
                if ( !empty ( $thisscriptpath ) )
                {
                    $Path = $thisscriptpath ;
                }
                else
                {
                    $Path = $Home_Directory . 'public_html/' . $Name . '/' ;
                }
                if ( substr ( $Path , -1 ) != '/' )
                {
                    $Path = $Path . '/' ;
                }
                /* Debugging */ // echo $Path . 'fantversion.php<br/><br/>' ;
                if ( is_file ( $Path . 'fantversion.php' ) )
                {
                    include $Path . 'fantversion.php' ;
                    if ( !empty ( $version ) )
                    {
                        if ( in_array ( $version , $Version_Numbers ) )
                        {
                            return 'Yes' ;
                        }
                    }
                }
            }
        }
        return 'No' ;
    }
 
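As an added example (not part of the advisory and not Fantastico's own code), here is a check an administrator can run for the staging step the advisory describes. It walks every account's .fantasticodata/<app>/ directory, the place Show_Notice() includes files from, and flags any file that contains PHP beyond the single $thisscriptpath assignment those files are expected to hold. The /home layout and that "expected content" are assumptions; a hit only means a file deserves a look, and the check does not change the include itself.

```shell
#!/bin/sh
# Added example, not from the advisory or from Fantastico. Scans each account's
# .fantasticodata/<app>/ directory (the path layout comes from the advisory) for
# files that Show_Notice() would include(), and flags any that contain PHP code
# other than the expected "$thisscriptpath = '...';" assignment.
# Assumptions: accounts live under the given homes root; a legitimate data file
# holds only PHP open/close tags and that one assignment.

# scan_fantasticodata <homes-root>
# Prints the path of every suspicious file; returns 1 if any were found, else 0.
scan_fantasticodata() {
    homes="$1"
    found=0
    for dir in "$homes"/*/.fantasticodata/*/; do
        [ -d "$dir" ] || continue
        for f in "$dir"*; do
            [ -f "$f" ] || continue
            # Strip PHP tags and the expected assignment; whatever is left
            # (ignoring whitespace) is code Fantastico did not put there.
            leftover=$(sed -e 's/<?php//g; s/<?//g; s/?>//g' \
                           -e "s/[\$]thisscriptpath[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"][[:space:]]*;//" \
                           "$f" | tr -d '[:space:]')
            if [ -n "$leftover" ]; then
                echo "$f"
                found=1
            fi
        done
    done
    return $found
}

# Usage: scan_fantasticodata /home
```

Run it from cron or before and after a Fantastico update; the filenames it prints follow the advisory's `domain|name` pattern, so quote them when you inspect or remove them.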

konrath

Well-Known Member
May 3, 2005
Brasil
Hello

Is this insecurity in cPanel or in Fantastico?


Thank you
Konrath
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
Thank you for your inquiry regarding the "MOAUB #1 - Cpanel PHP Restriction Bypass Vulnerability 0day". Our Quality Assurance Team discovered the report shortly after its release. The report was immediately and thoroughly investigated to the satisfaction of our Development team.

The report concerns the 3rd party software system Fantastico, used to extend the functionality of our product. cPanel Inc. has no control over this 3rd party product and cannot alter or disable the product.

Furthermore, the severity of this report is relatively minor. The stated issue does not offer any type of privilege escalation or access to data or files not normally available through a variety of other means. All code execution through the cPanel interface, regardless of its source, will run with the privileges of the authenticated user. The operating system limits the security impact of processes running as an unprivileged user through file system privileges and other mechanisms. While the report is accurate, it exaggerates the security implications of a trivial issue.
 

Davetha

Member
PartnerNOC
Jun 6, 2006
We notified Netenberg about this security hole back in late June / early July. They neglected to make the changes to their code which resulted in someone finding a way to exploit Fantastico.

Another very important issue that wasn't released in the exploit, but can be used in conjunction with the exploit, is that the attacker can read all of the database configuration files, and exploit all of the accounts within minutes. (Another security issue)
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
Another very important issue that wasn't released in the exploit, but can be used in conjunction with the exploit, is that the attacker can read all of the database configuration files, and exploit all of the accounts within minutes. (Another security issue)
That's a result of running without suphp (or phpsuexec etc). It's always trivial to read every php file on the server and steal passwords as everyone's PHP code runs as the same user. You need suphp to have any chance of running a secure server, it's just a basic requirement. I'm not implying it's instant security, but it's a required component IMHO.
 

Davetha

Member
PartnerNOC
Jun 6, 2006
That's a result of running without suphp (or phpsuexec etc). It's always trivial to read every php file on the server and steal passwords as everyone's PHP code runs as the same user. You need suphp to have any chance of running a secure server, it's just a basic requirement. I'm not implying it's instant security, but it's a required component IMHO.
Not true, you can still do this even with SuPHP/PHPSuEXEC/FastCGI etc.. running.
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
Not true, you can still do this even with SuPHP/PHPSuEXEC/FastCGI etc.. running.
Yes, but as it's not a root exploit, you can't see the files as you don't have permission to view them with suphp and family enabled - the unix file permissions stop that.

If it is a root exploit, then that's a different ball game, of course.
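The condition brianoz describes in the two posts above, as an added example (not from the thread): a check that lists database configuration files readable by users other than their owner, plus the tightening that is only safe once PHP runs as the file's owner (suPHP, phpsuexec or per-user FastCGI). Under a shared mod_php user the files have to stay readable to that user, which is exactly why one compromised account can read every other account's credentials on such a server. The /home layout and the list of config file names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the situation brianoz describes:
# database config files that any local user (and therefore any account's PHP
# running as a shared web-server user) can read.
# Assumptions: accounts live under the given homes root; the file names below
# are the usual ones (Joomla, WordPress, generic) and are only an example list.

# readable_configs <homes-root>
# Lists DB config files whose mode grants read access to "other" (mode bit 004).
readable_configs() {
    find "$1" -type f \
        \( -name configuration.php -o -name wp-config.php -o -name config.php \) \
        -perm -004 -print 2>/dev/null | sort
}

# lock_configs <homes-root>
# Sets those files to 0600. Only do this where PHP executes as the file owner
# (suPHP and family); with a single shared mod_php user it breaks every site,
# which is the trade-off brianoz's point turns on.
lock_configs() {
    readable_configs "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Usage:
#   readable_configs /home          # audit
#   lock_configs /home              # tighten, suPHP/phpsuexec servers only
```

Run the audit first; an empty result on a mod_php server usually means the sites are broken, not secure, so check the PHP handler before locking anything.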