cPanel is the industry leader in web hosting management software. According
to their
website, the software is used on "tens of thousands of servers
worldwide". Basically, cPanel provides all the traditional UNIX
system administration tools through a web-based interface. The interface is
very nice, and I have a healthy chunk of respect for the perl-fu of the
developers that built it.
From a security aspect, however, the software is flawed by design. The
first problem is that mass hosting is the dumbest idea in the world.
I'll talk about that in future posts.
The second problem, and the point of this post, is that by combining
low-level tools with a web interface, you tend to get the worst of both
worlds. An attacker can use techniques from the still-relatively-new
domain of web application security to perform old-school attacks that have
been fixed many times over.
It turns out that you can, in fact, use cross-site scripting to hack a server
Here's an example. I have quite a few more XSS and CSRF holes, but
this should suffice for making my point.
Every cPanel user's account contains a file titled .contactemail in
its home directory. This is used to tell the server and administrators who
to email when things go south, and can be changed by the user through the
cPanel interface, the file manager tool, FTP, or through local scripts.
It's only a text file, after all. Assuming we set our email address
to:
"onmouseover="alert(1337)
When the friendly system administrator tries to reset our email address
(because we forgot our password, obviously), he will receive an alert box
in his browser.
But an alert box doesn't really demonstrate anything. Fortunately the
WHM (Web Hosting Manager) interface has enough functionality that we can
perform just about any system-level task we want. This one will reset the
root password to 'owned':
"onmouseover="f=document.forms[0];f.action='/scripts/passwd';f.user.value='root';f.removeChild(f.domain);d=document.createElement('input');f.appendChild(d);d.name='password';d.value='owned';d=document.createElement('input');f.appendChild(d);d.name='password2';d.value='owned';f.submit()
Of course, the only limit is your imagination- WHM can set up cron jobs,
add and delete users, send full backups to a server of your choice, and
reformat hard drives.
I'll be honest- I like having a web-based administration for servers,
routers, printers, and other appliances. Web standards are cross-platform,
and browser support is getting better all the time. But do we really need
to replace shell-based administration with a web interface? I'm not
going to answer "no" right away, but if you're going to do
it, you need to be aware of the risks, and awfully careful.
Based on my experiences as both a coder and a penetration tester, a huge
majority of developers (even the really good ones) don't understand
what security risks there are, much less how to mitigate them. This
isn't a problem that is limited to web developers, but it is much more
pronounced in that field.
With that in mind, many of my future posts are going to be directed not to
other security researchers, but to developers. If they are going to make
an interface for managing a server, hopefully they care enough to educate
themselves on the risks.
The exploit code above was last tested with cPanel 11.23.4-R26118/WHM
11.23.2 on 8-4-2008.
I've had a few people contact me about this cPanel exploit- mostly
people I'd rather not give further information to (sorry guys, but
you're not even very good at being bad guys). Unfortunately, I also
don't think anything will get fixed unless it gets made public.
I did some more work on the WHM interface, and it turns out that XSS
isn't even necessary to change the root password. It can all be done
with CSRF:
http://victim.com:2086/scripts/passwd?user=root&password=owned&password2=owned&submit-domain2=Change+Password
In case you're not familiar with CSRF, it is a vulnerability that is
extremely underrated- forcing authenticated users to perform actions for
you via well placed links, resource tags, or open redirects.
Let me repeat that: If you are logged into cPanel, and you hit a website
that I can embed an image link in (which is nearly every web site out
there, these days), I can root your server. I What's more, I
won't leave any traces at all, because you actually root the server
for me.
This is a big deal.
But it's worse than that. There are plenty of other CSRF holes in the
WHM interface. Here, I can force you to download and install arbitrary
code from cPanel's servers, downgrading or upgrading your software to
a vulnerable version at will:
http://victim.com:2086/scripts2/saveuthemes?themetype=modules&${moduleName}=${versionNumber}
One final point, in case you think needing local access for my permanent
XSS hole is too much work, here's a reflected XSS exploit:
http://victim.com:2086/scripts2/confdkillproc?%3Cscript%3Ealert(1337)%3C/script%3E=1&trusted=
Seriously, folks. Web-based management interfaces are a bad idea.