world-readable wp-config.php and configuration.php files (SuPHP)

BigLebowski

Well-Known Member
Dec 24, 2007
Hi there,

Fantastico appears to leave these files 644 on installation which allows any server user to obtain the database user password and plunder the application. Quite often the password is the Cpanel password which permits a full account rape. I don't know if these files have the universe read bits set following a standard Cpanel install using the "Software" section?

Anyone any ideas on how to change the install so it chmods these 600 or 700?

I am running Suphp so 600 or 700 work fine.

Best
Dude
 

Infopro

Well-Known Member
May 20, 2003
How does 'any server user' get to and read this file's contents? The database password is auto generated by Fantastico, I've never noticed it being the same as the cPanel password.

I'm assuming you have the PHPsuexec option set to installed in Fantastico settings?
 

JeffP.

Well-Known Member
Sep 28, 2010
> Fantastico appears to leave these files 644 on installation which allows any server user to obtain the database user password and plunder the application

The permissions on a user's public_html/ directory when using suphp should be 0750, user:nobody. This prevents any server user from wandering into other users' public_html/ directories and viewing world readable files. This is the default behavior when using suphp with cPanel. That's not to say that other attacks may not be possible, or that having a file world readable when it doesn't need to be is a good idea. I just wanted to clarify the permissions structure.
 

BigLebowski

Well-Known Member
Dec 24, 2007
Thanks Jeff. I initially thought it was a vulnerability due to finding folders on hacked accounts full of tens of thousands of these entries:

lrwxrwxrwx 1 simo5953 simo5953 43 Jul 9 10:37 zoec89994.txt -> /home/zoec8999/public_html/admin/config.php
lrwxrwxrwx 1 simo5953 simo5953 41 Jul 9 10:37 zoec89995.txt -> /home/zoec8999/public_html/admin/conf.php
lrwxrwxrwx 1 simo5953 simo5953 42 Jul 9 10:37 zoec89996.txt -> /home/zoec8999/public_html/conf_global.php
lrwxrwxrwx 1 simo5953 simo5953 41 Jul 9 10:37 zoec89997.txt -> /home/zoec8999/public_html/include/db.php
lrwxrwxrwx 1 simo5953 simo5953 38 Jul 9 10:37 zoec89998.txt -> /home/zoec8999/public_html/connect.php
lrwxrwxrwx 1 simo5953 simo5953 38 Jul 9 10:37 zoec89999.txt -> /home/zoec8999/public_html/mk_conf.php
lrwxrwxrwx 1 simo5953 simo5953 49 Jul 9 10:37 zoec8999.txt -> /home/zoec8999/public_html/vb/includes/config.php

As you can see, they are "guesses" at locations of config files. This is presumably a powerful attack on servers running without SuPHP, but I agree, the links don't seem to benefit a hacker on a SuPHP server.

I am still left with tens of Wordpress accounts hacked and only a handful of C99 type shells and mailers left in the hacker's wake. The Wordpress versions are 3.1.2 and 3.2 and the index pages modified tend to be in the themes folders. I don't think there's a general vulnerability in Wordpress or the themes, but we do run Fantastico and I note that vulnerabilities exist for that.

Once a hacker has accessed one account and has gleaned all the Cpanel usernames (a simple task), what's to stop a scripted brute force attack from localhost on pop3 or ftp?

Dude
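An added example (not from the thread or from cPanel) of the kind of check an administrator can run to find the symlink pattern shown in the listing above: it lists every symlink under a web root whose target resolves outside the owning account's home. The account and directory names are constructed for the demo; on a real server you would run it as root over each /home/*/public_html.

```shell
#!/bin/sh
# Added example (not from the thread): list symlinks under a web root whose
# target resolves outside that account's own home directory, the pattern seen
# in the zoec8999.txt listing above. Run it as root over /home/*/public_html.
# Usage: find_escaping_symlinks <account_home> <dir_to_scan>
find_escaping_symlinks() {
    home=$(realpath -m "$1" 2>/dev/null || printf '%s' "$1")
    find "$2" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink "$link")
        # A relative target is interpreted from the link's own directory.
        case "$target" in
            /*) abs="$target" ;;
            *)  abs="$(dirname "$link")/$target" ;;
        esac
        # realpath -m (GNU coreutils) canonicalises ".." without requiring the
        # target to exist; if it is unavailable we fall back to the raw path.
        abs=$(realpath -m "$abs" 2>/dev/null || printf '%s' "$abs")
        case "$abs" in
            "$home"|"$home"/*) ;;                        # stays inside the account
            *) printf '%s -> %s\n' "$link" "$abs" ;;     # escapes the account: report
        esac
    done
}

# Constructed demo tree (not a real server): one harmless relative link and two
# escaping links like those in the listing. Prints the number of escapes found.
demo() {
    tmp=$(mktemp -d)
    me="$tmp/home/simo5953"; victim="$tmp/home/zoec8999"
    mkdir -p "$me/public_html" "$victim/public_html"
    ln -s ../index.php "$me/public_html/ok.txt"                 # within own home
    ln -s "$victim/public_html/config.php" "$me/public_html/zoec8999.txt"
    ln -s / "$me/public_html/1.txt"                             # link straight to "/"
    n=$(find_escaping_symlinks "$me" "$me/public_html" | grep -c .)
    rm -rf "$tmp"
    printf '%s\n' "$n"
}

demo   # prints 2
```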
 

Infopro

Well-Known Member
May 20, 2003
How does one glean all cPanel usernames from one account?

Wordpress on a non SuPHP server presumably has directories that are owned by nobody, correct? The wordpress owner uploads a theme or mod via the wp-admin and that php upload process changes the owner of the files and any directories the upload may create. We don't want nobody owning anything inside public_html.

Do you by chance use CXS? ConfigServer eXploit Scanner (cxs)
 

BigLebowski

Well-Known Member
Dec 24, 2007
I was using a shell the hackers left behind. There was a function called "list Cpanel users" or similar. I pressed the button and hey presto, a full list of users was presented.

The box is not rooted. However I have a strong suspicion it is vulnerable to the Fantastico LFI vulnerability. If you like, I can probably find the shell and post it somewhere for you.

Best
Dude
 

Infopro

Well-Known Member
May 20, 2003
No thanks, I've seen my share. I would not suggest you do something like that unless you're sure of what you're doing.

It sounds like you do of course, I just want to mention here that hidden in those sorts of scripts may be lines of code that contain an email address to send details to. You might not see it if it's encoded but it can happen I would think.

Checking those sorts of scripts out more closely should be done on a test server behind a firewall locked down tight.
 

BigLebowski

Well-Known Member
Dec 24, 2007
Hi there, I should point out I'm just browsing the shells using a web browser without any escalated privileges. The hacked accounts are riddled with them and the access logs show the hackers using them. Whatever I'm doing, they can do also.

Do you have any more info re. the Fantastico LFI vulnerability? I am looking for a clear script or method to check for it but the links so far provide a general concept. Specifically, when I visit http://test.com:2082/fantasticopath/.... etc I'm just presented with a Cpanel login. Does the file inclusion still operate despite not entering valid Cpanel credentials?

Also has Fantastico patched for this yet?

Best
Dude
 

BigLebowski

Well-Known Member
Dec 24, 2007
No, I have since determined the hack is via symbolic link.

All it takes is one account to be hacked, e.g. fred.com. Hacker then creates a symbolic link to "/" such as 1.txt --> "/"
He can then browse using a web browser http://test.com/1.txt/home/user/public_html/

where "user" is any Cpanel account. Usernames are easily obtainable via http://test.com/1.txt/home/ and also via /etc/passwd which is world-readable. Permissions are:

/ - 755 - root.root
/home - 755 - root.root
/home/user - 711 - user.user
/home/user/public_html - 750 - user.nobody

This would not be a problem if all users' sensitive files were chmod 600. But on this server, Fantastico creates new WP installs using 644. Therefore all Wordpress installs can be plundered.

I have scripted a chmod 600 on all wp-config.php which should help and am now doing Joomla (configuration.php)

This is a SuPHP server.

Best
Dude
 

BigLebowski

Well-Known Member
Dec 24, 2007
Tristan, this is not a Fantastico issue as far as I can see. It is a linux file system vulnerability (we use Centos; not sure about any other OS?). I am liaising with your Dave Lanning presently. The only workaround I can envisage is to put a wrapper around "ln" and chmod 600 all database config files in user areas on the server. Then perhaps put in place a cron to fix any configs the user changes.

This is of concern for CPanel if any apps in the "Software" section set the universal read bit by default on database config files.

Best
Dude
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
You had mentioned the following:

> But on this server, Fantastico creates new WP installs using 644.

Even if we do fix the Software installs we perform in that section for such scripts, this will not fix how Fantastico installs scripts for that 3rd party application. It isn't just a cPanel issue. It is an issue for any software automated to install with the permissions you've mentioned. If you want it fixed in Fantastico, then the makers of Fantastico would need to be informed of your concerns.
 

abrakadabra

Member
Dec 14, 2010
> No, I have since determined the hack is via symbolic link.
>
> All it takes is one account to be hacked, e.g. fred.com. Hacker then creates a symbolic link to "/" such as 1.txt --> "/"
> He can then browse using a web browser http://test.com/1.txt/home/user/public_html/
>
> where "user" is any Cpanel account. Usernames are easily obtainable via http://test.com/1.txt/home/ and also via /etc/passwd which is world-readable. Permissions are:
>
> / - 755 - root.root
> /home - 755 - root.root
> /home/user - 711 - user.user
> /home/user/public_html - 750 - user.nobody
>
> This would not be a problem if all users' sensitive files were chmod 600. But on this server, Fantastico creates new WP installs using 644. Therefore all Wordpress installs can be plundered.
>
> I have scripted a chmod 600 on all wp-config.php which should help and am now doing Joomla (configuration.php)
>
> This is a SuPHP server.
>
> Best
> Dude

Even though files are accessible by httpd through a symlink, you can't see the contents of script files (.php, etc.) from httpd, as they would only execute. You would need to use your own PHP or CGI scripts with some file-reading code in order to read the contents of these files. However, if you are running suPHP and suEXEC, you won't be able to read others' files no matter what their permissions are, since you cannot go through another user's public_html directory (750 user:nobody), as you aren't "user" nor "nobody" when you execute your scripts from your account/directory with suPHP (or suEXEC in the case of CGI).

/home should be 711 root:root, if you are running suPHP.

So, I don't see how others' wp-config.php, even with permissions of 777, is exploitable when using suPHP and suExec.
 

jimhermann

Well-Known Member
Jan 20, 2008
> Even though files are accessible by httpd through a symlink, you can't see the contents of script files (.php, etc.) from httpd, as they would only execute. You would need to use your own PHP or CGI scripts with some file-reading code in order to read the contents of these files. However, if you are running suPHP and suEXEC, you won't be able to read others' files no matter what their permissions are, since you cannot go through another user's public_html directory (750 user:nobody), as you aren't "user" nor "nobody" when you execute your scripts from your account/directory with suPHP (or suEXEC in the case of CGI).
>
> /home should be 711 root:root, if you are running suPHP.
>
> So, I don't see how others' wp-config.php, even with permissions of 777, is exploitable when using suPHP and suExec.

abrakadabra,

SuPHP and SuExec do not appear to stop this exploit. They have used a .htaccess file to make the contents of the symlinked .php files viewable.

Jim
 

brianoz

Well-Known Member
Mar 13, 2004
Jim,

That's a 12 month old thread that you've resurrected, very out of date now.

The more recent discussion is at: http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242-p6.html
With a patch at: http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242-p2.html#post996441
and also read the last few pages of the thread for discussion about permissions.

The exploit links another account's config file in to the attacker's account with a .txt extension, so they don't actually need to change .htaccess at all to be able to see the contents.

Theoretically, installatron and fantastico should also change permissions on their wp-config.php files etc, but they don't, or didn't last time I looked.

This bug has been characterized by everyone passing the buck and refusing to fix it, cPanel included. At the end of the day thousands of servers are getting hacked here because of inaction from all the players concerned. Surprisingly, there are major hosts that still don't understand how to fix this (apply the patch, go through all .php files and make them mode 600, assuming you are running under suphp).
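As an added example (not the posters' own script and not cPanel or Installatron code), here is the sort of audit-and-fix script the thread describes: BigLebowski's scripted chmod 600 on wp-config.php and configuration.php, and brianoz's advice to make config files mode 600 under suPHP. The directory layout and file names in the demo are constructed; the audit function itself can be pointed at /home on a real suPHP server, where it must run as root.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten the app config files
# the posters name (WordPress wp-config.php, Joomla configuration.php). Under
# suPHP, PHP runs as the account owner, so 0600 is enough; on a server where
# PHP runs as "nobody" this would break the sites, so check that first.
CONFIG_NAMES='wp-config.php configuration.php'

# audit_configs <root> [fix]: print each matching file that is readable by
# group or other; with "fix", also chmod it to 0600 (run as root for /home).
audit_configs() {
    root="$1"; mode="${2:-report}"
    for name in $CONFIG_NAMES; do
        find "$root" -type f -name "$name" \( -perm -040 -o -perm -004 \) -print 2>/dev/null |
        while IFS= read -r f; do
            perms=$(ls -ld "$f" | cut -c1-10)
            if [ "$mode" = fix ]; then
                chmod 600 "$f" && printf 'fixed %s (was %s)\n' "$f" "$perms"
            else
                printf 'loose %s %s\n' "$perms" "$f"
            fi
        done
    done
}

# count_loose <root>: number of config files still readable by group or other.
count_loose() {
    audit_configs "$1" | grep -c . || true
}

# Constructed demo (not a real server): two loose files and one already at 0600.
# Prints "<loose before> <loose after>" around a fix run.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/a/public_html" "$tmp/b/public_html/joomla"
    : > "$tmp/a/public_html/wp-config.php";            chmod 644 "$tmp/a/public_html/wp-config.php"
    : > "$tmp/b/public_html/joomla/configuration.php"; chmod 640 "$tmp/b/public_html/joomla/configuration.php"
    : > "$tmp/b/public_html/wp-config.php";            chmod 600 "$tmp/b/public_html/wp-config.php"
    before=$(count_loose "$tmp")
    audit_configs "$tmp" fix >/dev/null
    after=$(count_loose "$tmp")
    rm -rf "$tmp"
    printf '%s %s\n' "$before" "$after"
}

demo   # prints "2 0"
```

Running audit_configs in report mode from cron gives the periodic re-check BigLebowski mentions, since users or app upgrades can loosen the files again.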
 

InstallatronPhil

Member
Verified Vendor
Jul 2, 2003
> Theoretically, installatron and fantastico should also change permissions on their wp-config.php files etc, but they don't, or didn't last time I looked.

Hello,

Phil from the Installatron team here.

Recent versions of Installatron do actually set chmod 0600 or 0400 (depending on what the app wants) on the app config file (under SuPHP-enabled web servers only, of course). As installations are upgraded through Installatron they will also pick up these permissions.

Thank you,
Phil