March 2007


On occasion we might need to do some forensic security work on a compromised cPanel server.

If the machine was fully compromised at the root level, chances are the machine will either be rootkitted, or the attacker will leave a SetUID (SUID) script or shell lying around. Here are a few techniques to help you find these.

  1. Using the 'find' command

    securebox# find / -user root -type f \( -perm -4000 -o -perm -2000 \) -print

    This method will use *nix's common 'find' command to search the entire filesystem. Note that you might find a lot of false positives searching the entire filesystem, since there are many legitimate programs that need to be setuid (/bin/passwd, for example).

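As an added example (not from the original post), the script below wraps the same find predicate in a function and diffs its output against a saved baseline list, so only SUID/SGID files that appeared since the baseline are reported; that is one practical way to deal with the false positives mentioned above. It drops the -user root filter so the demo runs unprivileged, and the temporary directory tree it builds is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original post: list SUID/SGID files under a
# directory and report only those absent from a saved baseline.
# The -user root filter from the post is omitted so this runs as a normal user.

# Print sorted paths of regular files with the setuid or setgid bit set.
# LC_ALL=C keeps sort order byte-wise so comm sees consistently sorted input.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# Print lines of the current list ($2) that do not appear in the baseline ($1).
# Both files hold one sorted path per line.
new_since_baseline() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Self-contained demo on a constructed temp tree: take a baseline containing
# one legitimate SUID binary, then add a SUID file, a SGID file and a plain file.
# Prints the paths (relative to the temp root) that are new since the baseline.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/tmp"
    printf '#!/bin/sh\n' > "$root/bin/passwd";  chmod 4755 "$root/bin/passwd"  # baseline SUID
    list_suid_sgid "$root" > "$root/baseline.txt"

    printf '#!/bin/sh\n' > "$root/tmp/.x";      chmod 4755 "$root/tmp/.x"      # new setuid
    printf '#!/bin/sh\n' > "$root/tmp/sh";      chmod 2755 "$root/tmp/sh"      # new setgid
    printf '#!/bin/sh\n' > "$root/tmp/plain";   chmod 0755 "$root/tmp/plain"   # neither bit
    list_suid_sgid "$root" > "$root/current.txt"

    new_since_baseline "$root/baseline.txt" "$root/current.txt" | sed "s|^$root||"
    rm -rf "$root"
}
```

On a real server the baseline would be taken right after installation and stored off-box; rerunning list_suid_sgid against / and diffing then shows only bits that were added later.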

———————————————
Summary:
———————————————

Due to a recently discovered bug, it will be necessary for users
who are running the CURRENT, RELEASE and STABLE branches to run a cPanel software update.

———————————————
Description:
———————————————
An uncompiled mysqladmin script allowed an exploited copy of MySQL.pm to be placed within the directory location of mysqladmin. This copy of MySQL.pm would be given preference by mysqladmin due to the precedence order of perl module searches. A malicious user could then use an exploited copy of MySQL.pm to elevate their system access (including root access).

A patch for this issue has been released.

This cPanel Security Vulnerability has been out there for quite a while, but I've seen some servers still being exploited…!

(2004)

———————————————
Summary:
———————————————

Due to a recently discovered bug, it will be necessary for users
following the STABLE and RELEASE branches to disable the feature that
allows users to reset their password. For those following the EDGE and
CURRENT branches, the latest updates have been fixed.  A review of the
RELEASE tree is still pending, and fixed RELEASE builds may be available
in the next 48 hours as well.


———————————————
Description:
———————————————

The feature "Allow cPanel users to reset their password via email",
found in WebHostManager in the "Tweak Settings" section allows for a
cpanel user to run some commands as the root user.
This hole is built into all compiled cpanel binaries and as such can
not be "patched".