Solutions for handling symlink attacks

Discussion in 'Security' started by HostingH, Apr 8, 2011.

Thread Status:
Not open for further replies.
  1. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    13
    Trophy Points:
    68
    It would only prevent all non-root users from using the /bin/ln utility, which would not stop anyone from creating symlinks.

    Symlink functionality comes from the kernel. The "ln" utility simply provides one way amongst many to use this functionality. Links between files can also be created by using the "link" command (for hard links), or by using any of the readily available interpreters on the server such as Perl, PHP, Python or Ruby, or by uploading your own application (or a version of "ln" that is either statically linked or compiled on a system that contains the same set of libraries), etc.

    Changing the permissions of a file provided by the operating system won't prevent the use of functionality that inherently comes from the kernel, and can end up doing more harm than good.
     
  2. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    Okay - so it sounds like you are recommending against this course of action.

    Moreover, the ways these site hacks are occurring is that the hacker uploads an entire directory of content with all files already in place. So, the symlink is part of the package that is being uploaded. Thus, wouldn't this measure fail to prevent that scenario?

    Thanks.

    mrk
     
  3. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    13
    Trophy Points:
    68

    You are correct; that's another way as well. Good point!
     
  4. activa

    activa Well-Known Member

    Joined:
    May 23, 2006
    Messages:
    207
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Morocco
    cPanel Access Level:
    Root Administrator
    This behavior has been tested and is confirmed!

    When an attacker uploads a custom symlink to the root folder, he can view and browse all the server files!

    I have changed the permissions of ln to 760, with no result; the same.

    I have added a custom directive in the httpd config with the following:

    Code:
    <Directory "/home/*/public_html">
        Options -ExecCGI
        AllowOverride AuthConfig Indexes Limit FileInfo options=IncludesNOEXEC,Indexes,Includes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks
    </Directory>
    He can view the files. Is there any other solution for this case?
     
  5. hackboys

    hackboys Active Member

    Joined:
    Feb 12, 2008
    Messages:
    31
    Likes Received:
    2
    Trophy Points:
    58
    Solution for this case.

    /usr/local/apache/conf/httpd.conf

    Code:
    # Apache rejects an Options line that mixes +/- with plain names
    # ("Either all Options must start with + or -, or no Option may."),
    # so every Options list below is written consistently.
    <Directory "/">
        Options -ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
        AllowOverride All
    </Directory>
    
    <Directory "/usr/local/apache/htdocs">
        Options +IncludesNOEXEC +Indexes -FollowSymLinks +SymLinksIfOwnerMatch -ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    
    # "All" minus ExecCGI, FollowSymLinks, Includes, IncludesNOEXEC and
    # MultiViews leaves Indexes and SymLinksIfOwnerMatch, so set those directly.
    <Directory "/home">
        Options Indexes SymLinksIfOwnerMatch
        AllowOverride AuthConfig Indexes Limit FileInfo
    </Directory>
    
    <Directory "/home2">
        Options Indexes SymLinksIfOwnerMatch
        AllowOverride AuthConfig Indexes Limit FileInfo
    </Directory>
    
     
  6. expssh

    expssh Registered

    Joined:
    Aug 5, 2011
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    53
    Let me show you the method a hacker uses to get the source of the config files of your web site, for example wp-config.php, and I will show you how to prevent this.

    1) He logs in to cPanel as a normal user at http://ip-address/cpanel, then types the login and password to log in.
    2) Then he opens File Manager (showing hidden files, "dotfiles") and creates a new .htaccess file with the following source:
    #.htaccess file source
    Options Indexes FollowSymLinks
    DirectoryIndex doesnt-metter.htm
    AddType txt .php
    AddHandler txt .php

    #End of .htaccess file
    3) Then he creates a symbolic link (soft link) with a Perl script, or just uses a cron job to create a symbolic link to the top-level directory "/", typing: "ln -s / topdir"
    4) After that, he opens a browser and types http://server-ip/~his-home-dir/topdir/home/some-user/public_html/wp-config.php and then just looks at the source of the page; all data is presented as TXT (text) data. That's all. The user has been hacked.
    -------------------------------------------------------------------------------------------------------
    Solution:
    1) Open your php.conf with your favorite editor: nano /usr/local/apache/conf/php.conf
    2) Comment out: #AddType application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
    3) Add these lines (Apache does not allow a comment at the end of a directive line, so the comment goes on its own line):
    # this is equivalent to: .php, .php2, .php3, .php4, .php5, .php6, .phtml
    <FilesMatch "\.ph(p[2-6]?|tml)$">
    SetHandler application/x-httpd-php5
    </FilesMatch>

    4) Save your changes and close php.conf
    5) Restart the httpd server by typing: /etc/init.d/httpd restart
    6) Done ;)
     
    #26 expssh, Aug 5, 2011
    Last edited: Aug 5, 2011
    postcd likes this.
  7. thevali

    thevali Member

    Joined:
    Aug 9, 2011
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    51
    The only working workaround is the one from hackboys, and this brings a lot of overhead to fix the issues for Joomla sites and any other site using +FollowSymLinks.

    The solution given by expssh is not complete. One could create (or upload) a symbolic link like
    "ln -s /home/someuser/public_html/wp-config.php a.txt" and then open a browser to a.txt, which will show him the wp-config.php content.
     
  8. nevohosting

    nevohosting Registered

    Joined:
    Aug 10, 2011
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    51
    Can I customize cPanel so that all new files are created with rights 640, including when unpacking archives?
    In this case the scripts will work, but will not be available for reading.
     
  9. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    68
    Can cPanel support provide a solution for this case or validate the solutions in this post? Thanks.

    In WHM Apache Global Configuration, which options should I use or not use to prevent this symbolic hacking?

    Directory “/” Options [?]

    ExecCGI default
    FollowSymLinks default
    Includes
    IncludesNOEXEC default
    Indexes default
    MultiViews
    SymLinksIfOwnerMatch default
     
    #29 garconcn, Aug 17, 2011
    Last edited: Aug 17, 2011
  10. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    13
    Trophy Points:
    68
    As noted earlier in this thread by cpanelkenneth in his post here, there is no complete solution for this in Apache's software. You can disable (uncheck) the "FollowSymLinks" option if you'd like, as well as "SymLinksIfOwnerMatch". You must then also disallow users from using Overrides, since they could simply use .htaccess to re-enable those things. If you disallow Overrides, customers who rely on .htaccess files may not be very happy. Even then, per cpanelkenneth's post, this is not a complete security measure, as the Apache webserver still does not attempt to prevent race condition attacks with symlinks.

    So, if you're looking for a solution, your best bet would be to contact the vendor of the software that contains the issue. Their website is here.
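As an added example (not cPanel's, Apache's or any poster's code), the following Python script applies the two points JeffP and cpanelkenneth make above to a configuration file: it walks every <Directory> block, reports where FollowSymLinks is in effect, flags AllowOverride settings that would let a user's .htaccess turn it back on, and also catches the Options syntax mistake (mixing + and - with plain names) that makes httpd refuse to start. The sample configuration embedded in the script is constructed from the snippets posted earlier in this thread plus one hardened block; the script does not follow Include directives, so feed it the expanded configuration if you rely on it.

```python
"""Audit Apache <Directory> blocks for the two symlink mistakes discussed in
this thread: FollowSymLinks left on, and .htaccess overrides that let a
user turn it back on.  Added example, not cPanel's or Apache's own code."""
import re

DIRECTORY_OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)


def _symlink_state(tokens):
    """Net effect of one Options line on FollowSymLinks: True (on),
    False (off) or None (not mentioned, so inherited from the parent)."""
    state = None
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        if name == "none":
            state = False
        elif name in ("all", "followsymlinks"):  # 'All' = everything but MultiViews
            state = not tok.startswith("-")
    return state


def audit(conf_text):
    """Return (directory, finding) tuples for every risky line in conf_text."""
    findings = []
    directory = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = DIRECTORY_OPEN.match(line)
        if opened:
            directory = opened.group(1)
            continue
        if line.lower().startswith("</directory"):
            directory = None
            continue
        if directory is None:
            continue
        keyword, *tokens = line.split()
        keyword = keyword.lower()
        if keyword == "options" and tokens:
            signed = [t for t in tokens if t[0] in "+-"]
            if signed and len(signed) != len(tokens):
                # Apache: "Either all Options must start with + or -, or no Option may."
                findings.append((directory, "Options mixes +/- with plain names; httpd will not start"))
            elif _symlink_state(tokens):
                findings.append((directory, "FollowSymLinks is enabled here"))
        elif keyword == "allowoverride":
            for tok in tokens:
                low = tok.lower()
                if low in ("all", "options"):
                    findings.append((directory, f"AllowOverride {tok}: .htaccess can set FollowSymLinks"))
                elif low.startswith("options="):
                    allowed = low.partition("=")[2].split(",")
                    if "followsymlinks" in allowed or "all" in allowed:
                        findings.append((directory, "AllowOverride Options= list still permits FollowSymLinks"))
    return findings


# Constructed sample: the two snippets posted above, one explicit enable,
# and one block restricted the way JeffP describes.
SAMPLE_CONF = """
<Directory "/home/*/public_html">
    Options -ExecCGI
    AllowOverride AuthConfig Indexes Limit FileInfo options=IncludesNOEXEC,Indexes,Includes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks
</Directory>

<Directory "/">
    Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/home/alice/public_html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/home">
    Options -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig Indexes Limit FileInfo Options=Indexes,MultiViews
</Directory>
"""

if __name__ == "__main__":
    for directory, finding in audit(SAMPLE_CONF):
        print(f"{directory}: {finding}")
```

The last block in the sample shows the override form that keeps .htaccess working for customers without handing FollowSymLinks back: an `Options=` list that simply omits it. Keep in mind that cPanel regenerates httpd.conf from its templates, so hand edits like the ones posted in this thread belong in the include files it preserves, or they will be lost on the next rebuild.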
     
  11. SoftDux

    SoftDux Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    991
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Johannesburg, South Africa
    cPanel Access Level:
    Root Administrator

    wow, this is a super 1337 hack!

    No offence though, but you're not really showing any hacking skills with this.

    1) Since the user logged into cPanel, he already had access to the wp-config.php file, without having to create a symlink to it.
    2) The user created a symlink to a file which he owned - he's supposed to do that; he has the permissions to do it.

    It's your own (or your client's) fault for using insecure cPanel passwords.

    Use MORE secure passwords for EVERYTHING. And don't EVER use the same password for everything.
    Enable suPHP and install + configure mod_security.
    Use something like cPanel's Brute Force Protection, CSF or any other firewall to block users who try to brute-force any account.
    Configure your server to enforce secure passwords, at least at level 70 or so.
     
  12. LDHosting

    LDHosting Well-Known Member

    Joined:
    Jan 19, 2008
    Messages:
    93
    Likes Received:
    2
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    This isn't anything to do with insecure cPanel passwords, rather the way that Apache deals with symlinks (FollowSymLinks doesn't do any owner checks). In the example that expssh provided, the symlink was created to point to / (the drive root) rather than his own home directory. From there he uses the symlink to navigate into *someone else's* home directory to read their wp-config.php.
     
  13. cwalke32477

    cwalke32477 Well-Known Member

    Joined:
    Mar 2, 2010
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    56
    Location:
    Atlanta, Georgia
    cPanel Access Level:
    Root Administrator
    What about Mod_Security?
    Could there be any rules written to prevent this from happening?
     
    #33 cwalke32477, Oct 11, 2011
    Last edited: Oct 11, 2011
  14. ModServ

    ModServ Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    332
    Likes Received:
    5
    Trophy Points:
    168
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    What about using this:

    Code:
    chmod 711 /home
    That will prevent any access to this particular folder through SymLink.
     
  15. tquang

    tquang Member

    Joined:
    Sep 22, 2011
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Can the crond backup still execute?
     
  16. ModServ

    ModServ Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    332
    Likes Received:
    5
    Trophy Points:
    168
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    I don't get you, Can you please clarify ?

    To be clear, Any folder has 711 permission can't be bypassed by SymLinks.
     
  17. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Unfortunately mode 711 *actually does allow* symlink access. You're thinking of mode 710 or 700, which would prevent access.
     
  18. kevinlevin

    kevinlevin Member

    Joined:
    Oct 27, 2011
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    What about making a cron job that checks for "bad" symlinks in the /home directory?
    "Bad" would be defined as a symlink that does not belong to the regular cPanel symlinks and/or meets some other criteria.

    I know this is a workaround but .. what do you think?
     
    #38 kevinlevin, Oct 27, 2011
    Last edited: Oct 27, 2011
  19. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Too late - they will already have used the symlink to view the files they wanted, and probably deleted it, by the time you do your check.

    The real fix for this is probably to change the file permissions on your .php file to be 600 - so only the owner can read them - that prevents this hack nicely, although I'd also use the SymLinksIfOwnerMatch and -FollowSymlinks options to make it just that little bit harder.

    Also - don't chmod 760 any executable - apart from it being pointless, it's a permission that provides group write access. You probably mean 700, as there's no point in setting the read bit. 760 is actually rwxrw---- and 700 is rwx------.
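As an added example that is not part of the thread and not cPanel's tooling, this Python script implements the two checks kevinlevin and brianoz describe above: it lists every symlink under a /home-style tree whose resolved target lies outside the account that owns the link (the `ln -s / topdir` case, or a link into another user's public_html), and every wp-config.php-style file whose mode lets group or others read it. The list of sensitive file names and the /home/<account> layout are assumptions; build_demo() constructs a throwaway tree (constructed sample data) so the script runs without touching a real server. It is a detective control only: as brianoz notes, by the time a scan runs the link may already have been used and removed.

```python
"""Detective checks for the symlink attack described in this thread.
Added example; not cPanel's tooling and not any poster's code."""
import os
import re
import stat
import tempfile

# Files whose disclosure hands over database credentials (assumed list).
SENSITIVE = re.compile(r"(wp-config\.php|configuration\.php|\.env)$")


def escaping_symlinks(home_root):
    """Yield (link, resolved_target) for every symlink under home_root whose
    target is outside the account directory that contains the link."""
    home_root = os.path.realpath(home_root)
    for account in sorted(os.listdir(home_root)):
        acct_dir = os.path.join(home_root, account)
        if os.path.islink(acct_dir) or not os.path.isdir(acct_dir):
            continue
        # followlinks stays False: the walk never descends through a symlink.
        for dirpath, dirnames, filenames in os.walk(acct_dir):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                if os.path.commonpath([acct_dir, target]) != acct_dir:
                    yield path, target


def readable_configs(home_root):
    """Return (path, mode) for sensitive files readable by group or others."""
    hits = []
    for dirpath, _, filenames in os.walk(home_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if SENSITIVE.search(name) and not os.path.islink(path):
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                if mode & 0o044:  # group or other read bit set
                    hits.append((path, oct(mode)))
    return hits


def build_demo():
    """Constructed sample: a throwaway /home with a victim and an attacker."""
    root = os.path.join(tempfile.mkdtemp(prefix="symlink-audit-"), "home")
    alice = os.path.join(root, "alice", "public_html")
    mallory = os.path.join(root, "mallory", "public_html")
    os.makedirs(alice)
    os.makedirs(mallory)
    cfg = os.path.join(alice, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-sample');\n")
    os.chmod(cfg, 0o644)                                    # the usual, unsafe default
    os.symlink("/", os.path.join(mallory, "topdir"))        # ln -s / topdir
    os.symlink(cfg, os.path.join(mallory, "a.txt"))         # ln -s .../wp-config.php a.txt
    os.symlink("index.html", os.path.join(mallory, "ok"))   # harmless link inside own home
    return root


def run_demo():
    """Return (escaping link names, readable config names) for the demo tree."""
    root = build_demo()
    bad = sorted(os.path.basename(p) for p, _ in escaping_symlinks(root))
    readable = sorted(os.path.basename(p) for p, _ in readable_configs(root))
    return bad, readable


if __name__ == "__main__":
    print(run_demo())
```

On a real server run escaping_symlinks("/home") and readable_configs("/home") as root from cron and alert on anything returned; the ownership comparison Apache makes for SymLinksIfOwnerMatch (link owner versus target owner) can be added with os.lstat(path).st_uid != os.stat(path).st_uid, which the single-user demo tree cannot exercise.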
     
  20. kevinlevin

    kevinlevin Member

    Joined:
    Oct 27, 2011
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    You cannot make all of your files 600, as that can break many web applications on the server.
    Also, you can't control whether users change the permissions of the files themselves.
     