
Re: cPanel/WHM demo account problems

Subject: Re: cPanel/WHM demo account problems
Date: Fri, 1 Apr 2005 08:44:22 +1000
Next time, try submitting to security@cpanel.net or any of the contact
addresses ( even phone ) on the web site.. there are by the way, other
contact details on the web site, next time, at least look.

( I've passed this along to the above email address, in case you have
issues doing so yourself ).

On Wed, 30 Mar 2005 23:33:30 +0100, Richard Stanway
<bugtraq@secur1ty.net> wrote:
Background
----------
cPanel & WebHost Manager (WHM) is a next generation web hosting control
panel system. Both cPanel & WHM are extremely feature rich as well as
include an easy to use web based interface (GUI). The cPanel demo account
feature creates a restricted username/password to the cPanel web interface
which the reseller often then provides on their web site, inviting potential
customers to try out the cPanel interface. Most of the cPanel interface is
disabled in the demo mode to prevent anonymous users from uploading
potentially dangerous content or otherwise causing a problem.

Problem
-------
Since the cPanel demo user is created as a real local user, shell access
through SSH is possible. The demo account however is restricted by using a
shell that displays a message indicating that the SSH is disabled and not
allowing any commands to be used. It is possible to set up SSH port
forwarding and login without invoking the shell, essentially giving
anonymous users the ability to harness the server for proxying to local and
remote destinations, bypassing IP based authentication to localhost (some
SMTP servers regard 127.0.0.1 as authenticated for example) and other likely
malicious actions.

It is very likely the same problem also applies to local users who have not
been granted explicit shell access, although the impact is slightly lessened
as one might expect local users are not out to abuse their own shared web
hosting server.

Exploit
-------
Pick your server (http://www.google.com/search?q=cpdemo+cpanel+demo), SSH to
it using the provided username and password and set up some port forwarding.

Solution
--------
Turn off the demo account feature and delete any demo accounts. As an
additional measure, turn off SSH port forwarding or specify explicitly which
users are allowed SSH access in the sshd config, do not rely on a restricted
shell to prevent users from being able to use other SSH features. I'd never
recommend anyone use the cPanel/WHM demo account feature at all, they are
both very risky. Even the WHM demo hosted on cPanel's own server allowed
remote root at one point in time.

A note to vendors: please make it easy to report bugs. cPanel had a nice
anonymous bug reporting form and status checking system last time I reported
a bug, now it is replaced with BugZilla which requires spending time
registering which personally I'm not going to be bothered with for reporting
one bug.

Richard Stanway
http://www.r1ch.net/

Technical articles: http://shsc.info/




-- 
Beau Henderson
http://www.ImInteractive.com
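
Added example, not part of the thread or of cPanel's code: a small audit for the Solution section's advice, listing local accounts whose restricted shell is their only barrier while sshd still lets them authenticate and forward ports. The passwd and sshd_config text is constructed, the demo-noshell path is a placeholder, and Match blocks are assumed not to be evaluated.

```python
import fnmatch

# Constructed sample inputs (not taken from any real server).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cpdemo:x:1001:1001::/home/cpdemo:/usr/local/bin/demo-noshell
site1:x:1002:1002::/home/site1:/sbin/nologin
admin:x:1003:1003::/home/admin:/bin/bash
"""
WEAK_SSHD = "PasswordAuthentication yes\n# AllowTcpForwarding left at default\n"
HARDENED_SSHD = "AllowTcpForwarding no\nAllowUsers root admin\n"

# Shells treated as "no interactive access"; demo-noshell is a placeholder path.
RESTRICTED_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                     "/usr/local/bin/demo-noshell"}

def parse_sshd(text):
    """Return global (pre-Match) forwarding mode, AllowUsers and DenyUsers."""
    forwarding, allow, deny = None, [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":              # assumption: Match blocks not evaluated
            break
        if key == "allowtcpforwarding" and forwarding is None and args:
            forwarding = args[0].lower()    # first value wins in sshd_config
        elif key == "allowusers":
            allow += args
        elif key == "denyusers":
            deny += args
    return forwarding or "yes", allow, deny  # OpenSSH default is "yes"

def may_log_in(user, allow, deny):
    """Apply DenyUsers, then AllowUsers, to the user part of each pattern."""
    hit = lambda pats: any(fnmatch.fnmatchcase(user, p.split("@")[0]) for p in pats)
    return not hit(deny) and (not allow or hit(allow))

def forwarding_exposed(passwd_text, sshd_text):
    """Users with a restricted shell who can still authenticate and forward."""
    forwarding, allow, deny = parse_sshd(sshd_text)
    if forwarding == "no":
        return []
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in rows if len(f) == 7 and f[6] in RESTRICTED_SHELLS
            and may_log_in(f[0], allow, deny)]
```

The check is conservative: it does not look at whether an account's password is locked, so treat each name it returns as something to review rather than as proof of exposure.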
