Privilege Escalation in UAPI function called by cPanel Interface

pwells

Member
Apr 28, 2015
13
1
3
Australia
cPanel Access Level
Root Administrator
Hi.

I am attempting to create a new cPanel (Paper Lantern) interface which runs a shell script as root.

The process that I am attempting to use for this is as follows:
  1. Define interface and call custom UAPI function.
  2. Build custom UAPI function which calls the Cpanel::AdminBin::Call::call method to escalate privileges.
  3. Build a custom admin callable module which runs the shell script.
I have developed test code for each of these sections, however have run in to a problem while running the Cpanel::AdminBin::Call::call method. Specifically, I receive the following error:
Code:
The administrative request failed because of an error (EKEYEXPIRED/127) with output: The adminbin “WbAdmin” in the “WbAdminModule” namespace call to function “ECHO” ended prematurely: The subprocess reported error number 127 when it ended.
Below are each of the relevant code segments (note: these have been somewhat simplified).

cPanel interface (755 /usr/local/cpanel/base/frontend/paper_lantern/test-module/test-module.live.php):
PHP:
<?php
include("/usr/local/cpanel/php/cpanel.php");  // Instantiate the CPANEL object.
$cpanel = new CPANEL();                       // Connect to cPanel - only do this once.
print $cpanel->header( "test" );              // Add the header.

$test_output = $cpanel->uapi(
    'WbTestModule',
    'testfunction',
    array(
        'foo'    => 'bar',
    )
);

echo '<pre>';
var_dump( $test_output );
echo '</pre>';

print $cpanel->footer();                      // Add the footer.
$cpanel->end();                               // Disconnect from cPanel - only do this once.
?>
cPanel module (644 /usr/local/cpanel/Cpanel/API/WbTestModule.pm)
Code:
package Cpanel::API::WbTestModule;

use strict;

use Data::Dumper ();
use Cpanel::AdminBin::Call ();

our $VERSION = '1.0';

sub testfunction{

    # siphon off the input args into a hash
    my ( $args, $result ) = @_;
    my ( $arg1 ) = $args->get( 'foo' );
 
    my $val;
    
    $val = Cpanel::AdminBin::Call::call(
            'WbAdminModule',
            'WbAdmin',
            'ECHO',
            $arg1,
    );
    
    my $err = [email protected];
    
    my $data = {
        'err'    => $err,
        'val'    => ref($val) ? Data::Dumper::Dumper($val) : $val,
    };
    
    $result->data( $data );

    return 1;
}

1;
Privileged callable module (700 /usr/local/cpanel/bin/admin/WbAdminModule/WbAdminModule)
Code:
#!/usr/local/cpanel/3rdparty/bin/perl
 
package WbAdminModule::WbAdmin;
 
use strict;
 
use parent qw( Cpanel::AdminBin::Script::Call );
 
__PACKAGE__->run() if !caller;
 
sub _actions {
    return qw(
        ECHO
    );
}

sub ECHO {
    my ($self, $string) = @_;
    return $string;
}
 
1;
Note that I do have a WbAdminModule.conf file, created by running:
Code:
echo mode=full > /usr/local/cpanel/bin/admin/WbAdminModule/WbAdminModule.conf
What am I missing here?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,911
2,234
363
Note that I do have a WbAdminModule.conf file, created by running:
Hello,

Could you verify the permissions and ownership values configured on the WbAdminModule.conf file? Also, does it make a different if you adjust it's contents to resemble the following code? EX:

Code:
mode=full
allowed_parents=/usr/local/cpanel/cpanel
Thank you.
 

pwells

Member
Apr 28, 2015
13
1
3
Australia
cPanel Access Level
Root Administrator
Permissions of the conf file were 644 and owned by root:root

Code:
-rw-r--r-- 1 root root 51 Feb 27 08:57 /usr/local/cpanel/bin/admin/WbAdminModule/WbAdminModule.conf
I have tried updating the contents to:
Code:
mode=full
allowed_parents=/usr/local/cpanel/cpanel
This has had no effect.

I also tried updating permissions to 700, 770, 777, 600, 660 - none of these worked.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,911
2,234
363
Hello,

You are welcome to open a support ticket using the link in my signature so we can take a closer look and verify the functionality is working as intented. We can't troubleshoot the custom code itself, but we should be able to take a general look to see if there are any obvious mistakes in your implementation.

Additionally, you can also send end an email to [email protected] to seek out additional feedback from our Developers.

Thank you.