Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Privilege Escalation in UAPI function called by cPanel Interface

Discussion in 'cPanel Developers' started by pwells, Feb 22, 2018.

Tags:
  1. pwells

    pwells Member

    Joined:
    Apr 28, 2015
    Messages:
    13
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Hi.

    I am attempting to create a new cPanel (Paper Lantern) interface which runs a shell script as root.

    The process that I am attempting to use for this is as follows:
    1. Define interface and call custom UAPI function.
    2. Build custom UAPI function which calls the Cpanel::AdminBin::Call::call method to escalate privileges.
    3. Build a custom admin callable module which runs the shell script.
    I have developed test code for each of these sections, however have run in to a problem while running the Cpanel::AdminBin::Call::call method. Specifically, I receive the following error:
    Code:
    The administrative request failed because of an error (EKEYEXPIRED/127) with output: The adminbin “WbAdmin” in the “WbAdminModule” namespace call to function “ECHO” ended prematurely: The subprocess reported error number 127 when it ended.
    Below are each of the relevant code segments (note: these have been somewhat simplified).

    cPanel interface (755 /usr/local/cpanel/base/frontend/paper_lantern/test-module/test-module.live.php):
    PHP:
    <?php
    include("/usr/local/cpanel/php/cpanel.php");  // Instantiate the CPANEL object.
    $cpanel = new CPANEL();                       // Connect to cPanel - only do this once.
    print $cpanel->header"test" );              // Add the header.

    $test_output $cpanel->uapi(
        
    'WbTestModule',
        
    'testfunction',
        array(
            
    'foo'    => 'bar',
        )
    );

    echo 
    '<pre>';
    var_dump$test_output );
    echo 
    '</pre>';

    print 
    $cpanel->footer();                      // Add the footer.
    $cpanel->end();                               // Disconnect from cPanel - only do this once.
    ?>
    cPanel module (644 /usr/local/cpanel/Cpanel/API/WbTestModule.pm)
    Code:
    package Cpanel::API::WbTestModule;
    
    use strict;
    
    use Data::Dumper ();
    use Cpanel::AdminBin::Call ();
    
    our $VERSION = '1.0';
    
    sub testfunction{
    
        # siphon off the input args into a hash
        my ( $args, $result ) = @_;
        my ( $arg1 ) = $args->get( 'foo' );
     
        my $val;
        
        $val = Cpanel::AdminBin::Call::call(
                'WbAdminModule',
                'WbAdmin',
                'ECHO',
                $arg1,
        );
        
        my $err = $@;
        
        my $data = {
            'err'    => $err,
            'val'    => ref($val) ? Data::Dumper::Dumper($val) : $val,
        };
        
        $result->data( $data );
    
        return 1;
    }
    
    1;
    Privileged callable module (700 /usr/local/cpanel/bin/admin/WbAdminModule/WbAdminModule)
    Code:
    #!/usr/local/cpanel/3rdparty/bin/perl
     
    package WbAdminModule::WbAdmin;
     
    use strict;
     
    use parent qw( Cpanel::AdminBin::Script::Call );
     
    __PACKAGE__->run() if !caller;
     
    sub _actions {
        return qw(
            ECHO
        );
    }
    
    sub ECHO {
        my ($self, $string) = @_;
        return $string;
    }
     
    1;
    Note that I do have a WbAdminModule.conf file, created by running:
    Code:
    echo mode=full > /usr/local/cpanel/bin/admin/WbAdminModule/WbAdminModule.conf
    What am I missing here?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,182
    Likes Received:
    1,756
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you verify the permissions and ownership values configured on the WbAdminModule.conf file? Also, does it make a different if you adjust it's contents to resemble the following code? EX:

    Code:
    mode=full
    allowed_parents=/usr/local/cpanel/cpanel
    Thank you.
     
  3. pwells

    pwells Member

    Joined:
    Apr 28, 2015
    Messages:
    13
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Permissions of the conf file were 644 and owned by root:root

    Code:
    -rw-r--r-- 1 root root 51 Feb 27 08:57 /usr/local/cpanel/bin/admin/WbAdminModule/WbAdminModule.conf
    I have tried updating the contents to:
    Code:
    mode=full
    allowed_parents=/usr/local/cpanel/cpanel
    This has had no effect.

    I also tried updating permissions to 700, 770, 777, 600, 660 - none of these worked.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,182
    Likes Received:
    1,756
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You are welcome to open a support ticket using the link in my signature so we can take a closer look and verify the functionality is working as intented. We can't troubleshoot the custom code itself, but we should be able to take a general look to see if there are any obvious mistakes in your implementation.

    Additionally, you can also send end an email to integration@cpanel.net to seek out additional feedback from our Developers.

    Thank you.
     
Loading...

Share This Page