cPanel TSR 2014-0001 Full Disclosure
Recently cPanel released updates for all supported branches: 11.42, 11.40, and 11.38. Since that release contained security fixes, cPanel did not provide full disclosure at the time, for security reasons. For more information, please refer to our cPanel TSR-2014-0001 Announcement.
Today the cPanel TSR-2014-0001 full disclosure was released. The following issues were resolved in the recent update:
[1] Arbitrary code execution as cpanel-horde user via cache file poisoning.
The Horde Webmail interfaces accessible to cPanel and Webmail accounts use PHP serialized cache files to speed up some backend operations. By default these cache files were stored in the world-writable /tmp directory with predictable names. A malicious local attacker could pre-create the cache files inside /tmp, potentially leading to arbitrary code execution as the cpanel-horde user.
[2] Arbitrary file read as root during cPanel account creation for ACL limited resellers.
An ACL limited reseller could send crafted inputs to WHM’s account creation functionality to combine multiple path traversal attacks in the package extensions subsystem. This flaw would store the contents of the destination file into the new account’s cpuser file.
[3] Disclosure of root’s accesshash to ACL limited resellers via WHM xml-api.
Reseller accounts, regardless of their ACLs, were able to retrieve and alter root’s accesshash credentials via the get_remote_access_hash XML-API command by supplying empty user and password arguments.
[4] Injection of arbitrary settings into cpuser files via account creation.
The WHM /scripts5/wwwacctform interface allowed the injection of newlines into the ‘locale’ and ‘cpmod’ parameters. These injections could be used to set values in the newly created account’s cpuser file that were not permissible with a reseller’s ACL restrictions.
[5] Overwriting of trusted inputs to third party hooks scripts.
An ACL limited reseller could provide additional form inputs to WHM’s create and modify account interfaces containing null bytes in the parameter name. When these inputs were passed on to third party hook scripts through an exec() call, the additional parameters would be truncated to match parameter names that are normally anchored in trust for the third party hook scripts.
Third party hook scripts are provided the raw inputs to the functions they extend and are responsible for validating these inputs. Since null bytes do not transfer through the hook script interface correctly, any form parameter names submitted with null bytes will now result in an error.
[6] Limited arbitrary file overwrite for ACL limited resellers via domain parking.
The owner parameter to the WHM /scripts/park interface was not correctly validated. By injecting a path traversal attack into this parameter, reseller accounts with the ‘park-dns’ ACL could overwrite arbitrary files on the system with a Perl storable file with predictable contents.
[7] Arbitrary code execution as root for ACL limited resellers via cluster configuration interfaces.
Resellers with the ‘clustering’ ACL could inject data using newlines and NUL bytes into the form parameters of the cluster configuration interfaces. This flaw could then be leveraged to execute arbitrary code as root via string eval()s in various other interfaces.
[8] Injection of arbitrary settings into cpuser files via mxcheck setting.
The WHM /script2/savemx and /cgi/zoneeditor.cgi interfaces allowed resellers with the “edit-mx” or “edit-dns” ACLs to modify the mxcheck setting for accounts under their control. By injecting newlines into this setting, a malicious reseller could alter other settings for the account that are stored in the account’s cpuser file.
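As an added illustration (not cPanel code) of the newline-injection class behind items [4], [7] and [8]: a constructed one-setting-per-line file writer in Python that shows how an unvalidated newline in a value turns into an extra key on read-back, beside a validator that rejects newlines and NUL bytes before anything is written. The key names and file layout are constructed and do not reproduce the real cpuser format.

```python
import re

# Keys are restricted to a conservative character set (constructed policy).
SAFE_KEY = re.compile(r"^[A-Za-z0-9_-]+$")
FORBIDDEN_IN_VALUE = ("\n", "\r", "\0")


def validate_setting(key: str, value: str) -> None:
    """Reject keys or values that could break the one-setting-per-line format."""
    if not SAFE_KEY.match(key):
        raise ValueError(f"invalid key: {key!r}")
    for ch in FORBIDDEN_IN_VALUE:
        if ch in value:
            raise ValueError(f"control character {ch!r} in value for {key}")


def naive_render(settings: dict) -> str:
    """Unsafe writer: trusts caller input, so a newline in a value adds a line."""
    return "".join(f"{k}={v}\n" for k, v in settings.items())


def safe_render(settings: dict) -> str:
    """Hardened writer: every key/value is validated before it is serialized."""
    return "".join(f"{k}={v}\n" for k, v in settings.items()
                   if validate_setting(k, v) is None)


def parse_settings(text: str) -> dict:
    """Minimal reader for the constructed key=value format."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key] = value
    return out


def naive_roundtrip_adds_keys(settings: dict) -> bool:
    """True when the unsafe writer produces keys the caller never supplied."""
    return set(parse_settings(naive_render(settings))) != set(settings)


def safe_render_rejects(settings: dict) -> bool:
    """True when the hardened writer refuses the input."""
    try:
        safe_render(settings)
    except ValueError:
        return True
    return False
```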
[9] ACL limited resellers allowed to disable digest authentication for arbitrary accounts.
Due to a lack of ACL enforcement, an ACL limited reseller could disable digest authentication for any account on the system using WHM’s XML-API. The ACL protections for this functionality have been updated to require that ACL limited resellers own any accounts they modify in this fashion.
[10] ACL limited resellers allowed to restore backups for the accounts they control.
The WHM XML-API allowed all resellers to restore backups for any accounts they own. The equivalent functionality in WHM’s HTML interfaces restricted the ability to restore accounts from backups to resellers with the “all” ACL.
[11] Mis-assignment of IP addresses for ACL limited resellers via createacct.
With certain combinations of IP delegations and free IP address space, reseller accounts with the ‘add-pkg-ip’ ACL could install new accounts onto IP addresses delegated to another reseller. This might allow a malicious reseller account to capture web traffic intended for other accounts on the system.
[12] Arbitrary code execution for ACL limited resellers during account creation.
A flaw in the new account creation process resulted in the Ruby ‘gem’ command running with the effective UID of the newly created user and the real UID of root. A malicious reseller account could leverage this flaw to execute arbitrary Ruby code with root’s UID during the account creation process.
[13] Multiple XSS vulnerabilities in various cPanel/WHM interfaces.
Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering.
The above security issues were discovered by Rack911, the cPanel security team, and a few individual users.