Re: cPanel/WHM demo account problems

From: Beau Henderson (silentbob@gmail.com)
Date: Thu Mar 31 2005 - 16:44:22 CST


Next time, try submitting to security@cpanel.net or any of the contact
addresses (even phone) on the web site. There are, by the way, other
contact details on the web site; next time, at least look.

(I've passed this along to the above email address, in case you have
issues doing so yourself.)

On Wed, 30 Mar 2005 23:33:30 +0100, Richard Stanway
<bugtraq@secur1ty.net> wrote:
> Background
> ----------
> cPanel & WebHost Manager (WHM) is a next generation web hosting control
> panel system. Both cPanel & WHM are extremely feature rich as well as
> include an easy to use web based interface (GUI). The cPanel demo account
> feature creates a restricted username/password to the cPanel web interface
> which the reseller often then provides on their web site, inviting potential
> customers to try out the cPanel interface. Most of the cPanel interface is
> disabled in the demo mode to prevent anonymous users from uploading
> potentially dangerous content or otherwise causing a problem.
>
> Problem
> -------
> Since the cPanel demo user is created as a real local user, shell access
> through SSH is possible. The demo account however is restricted by using a
> shell that displays a message indicating that the SSH is disabled and not
> allowing any commands to be used. It is possible to set up SSH port
> forwarding and login without invoking the shell, essentially giving
> anonymous users the ability to harness the server for proxying to local and
> remote destinations, bypassing IP based authentication to localhost (some
> SMTP servers regard 127.0.0.1 as authenticated for example) and other likely
> malicious actions.
>
> It is very likely the same problem also applies to local users who have not
> been granted explicit shell access, although the impact is slightly lessened
> as one might expect local users are not out to abuse their own shared web
> hosting server.
>
> Exploit
> -------
> Pick your server (http://www.google.com/search?q=cpdemo+cpanel+demo), SSH to
> it using the provided username and password and set up some port forwarding.
>
> Solution
> --------
> Turn off the demo account feature and delete any demo accounts. As an
> additional measure, turn off SSH port forwarding or specify explicitly which
> users are allowed SSH access in the sshd config, do not rely on a restricted
> shell to prevent users from being able to use other SSH features. I'd never
> recommend anyone use the cPanel/WHM demo account feature at all, they are
> both very risky. Even the WHM demo hosted on cPanel's own server allowed
> remote root at one point in time.
>
> A note to vendors: please make it easy to report bugs. cPanel had a nice
> anonymous bug reporting form and status checking system last time I reported
> a bug, now it is replaced with BugZilla which requires spending time
> registering which personally I'm not going to be bothered with for reporting
> one bug.
>
> Richard Stanway
> http://www.r1ch.net/
>
> Technical articles: http://shsc.info/
>
>

--
Beau Henderson
http://www.ImInteractive.com
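The sshd-side mitigation Richard describes (don't rely on a restricted shell; disable forwarding or allow-list shell users in the sshd config) as an added example, not part of either post or of cPanel's own configuration. The account name "cpdemo" is an assumption taken from the search query in the original post; substitute the real demo user.

```sshd_config
# sshd_config excerpt (added example). Assumes the demo account is "cpdemo".
#
# A restricted login shell does not help here: with `ssh -N -L ...` or `-D`
# the client authenticates and opens forwarding channels without ever
# requesting a shell, so the message-only shell is never executed.

# Option 1: keep the demo account out of sshd entirely.
# AllowUsers/DenyUsers are global directives and must stay outside any Match block.
DenyUsers cpdemo

# Option 2 (shared hosts): forbid the non-shell SSH features for users who
# were never granted shell access, whatever login shell they have been given.
Match User cpdemo
    AllowTcpForwarding no
    PermitOpen none
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
```

Match blocks and PermitOpen require OpenSSH 4.4 or later, so on the 2005-era servers in the post only the global directives (DenyUsers, or a server-wide AllowTcpForwarding no) were available; after editing, check the effective values with `sshd -T -C user=cpdemo` on OpenSSH 6.0+ and reload sshd.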