Full Version: cPanel Vulnerability - All Server Owners w/Cpanel - READ
The Planet Forums > Control Panels > cPanel/WHM
todw
cPanel's 'reset users password module', which came out with the recent cPanel releases, is a 'backdoor' that not only allows users to reset their password but also allows malicious users to basically take over your server (reboot, delete, etc.).

Right now the main thing we know this lets you do is allow anyone to change anyone's password.

Here's a quick how-to to fix this problem:

Fix cPanel


Posted here because I think more people can find it faster and easier, but mods, you can move it to a how-to category if you choose.
ljprevo
Is just turning it off in WHM enough? I turned this off right after they introduced it.

My customers don't update their email in cPanel, so when they started using this feature it would not work. It is nice and all, but they need to fix it, like not resetting a password without an email added in cPanel.
mineral
From what I recall, this feature was enabled automatically when it was added (to stable). I remember trying it and thinking this looks like a bit of a hacker's dream, but I thought cPanel knew what they were doing so kept it enabled... lol, how wrong; I should have known better. I do not think that feature should have been enabled automatically when it was first introduced; we should have been required to enable it.

By the way, when it's disabled in Tweak Settings, do you guys still get the warning message in News? (I thought it would have gone after it was disabled.)
oldengine
Allow cPanel users to reset their password via email:
Interesting that mine was already unchecked and
/usr/local/cpanel/base/resetpass.cgi was already chmod 600.

I'm on WHM 8.8.0 cPanel 8.8.0-R73
todw
Yes, it's enabled by default. Disabling it should be enough, but why not play it safe and chmod it to 600.
jcv
Strange. I couldn't find the "reset feature" in my WHM panel. I am using an older version, 8.5.xx. Does it mean my panel is safe?
todw
QUOTE
Originally posted by jcv
Strange. I couldn't find the "reset feature" in my WHM panel. I am using an older version, 8.5.xx. Does it mean my panel is safe?


It means you don't have the feature, because your cPanel is too old. But there may be other bugs, since you are running an older version.
LinuxWannaBe
QUOTE
Originally posted by todw
cPanel's 'reset users password module', which came out with the recent cPanel releases, is a 'backdoor' that not only allows users to reset their password but also allows malicious users to basically take over your server (reboot, delete, etc.).

Right now the main thing we know this lets you do is allow anyone to change anyone's password.

Here's a quick how-to to fix this problem:

Fix cPanel


Posted here because I think more people can find it faster and easier, but mods, you can move it to a how-to category if you choose.


Here is more info from cpanel.net:

http://www.securityfocus.com/archive/1/357...09/2004-03-15/0
eth00
Thanks for the info, that always looked like a bad idea...
todw
QUOTE
Originally posted by LinuxWannaBe
Here is more info from Cpanel.net

http://www.securityfocus.com/archive/1/357...09/2004-03-15/0



That wasn't posted on purpose, and there was a reason it was removed from EVERY THREAD from WHT to cPanel: it details the exploit and how to use it. Remove it ;)
Shortfork
QUOTE
Originally posted by LinuxWannaBe
Here is more info from Cpanel.net

http://www.securityfocus.com/archive/1/357...09/2004-03-15/0
Great, they have some sort of "adware" linked on that site that crashed my IE6 browser while trying to load itself...

Nice for a security-focused place!

Shortzz >:(
todw
Guys, they are scanning and hitting the exploitable boxes fast. Guys on other forums are starting to report backdoor scripts being installed and complete 'takeovers'...

So if you haven't, UPDATE or FIX!
LinuxWannaBe
QUOTE
Originally posted by todw
That wasn't posted on purpose, and there was a reason it was removed from EVERY THREAD from WHT to cPanel: it details the exploit and how to use it. Remove it ;)


Todd, the exploit you mentioned is only one of several new cPanel exploits revealed in the last 24 hours. I also happen to believe that hackers/crackers read Security Focus whether or not we mention it here. In any case, it would be great if EV1 sent alerts to owners of cPanel boxes.
LostCluster
There is no point in not posting the BugTraq post here; hackers can subscribe to that list too.

The bottom line: THERE IS A MAJOR CPANEL EXPLOIT THAT HAS BEEN POSTED TO BUGTRAQ!

It's "out there". The bell cannot be unrung. Hackers are going to be scanning this place, and if you're just joining us now, you may have been rooted.
todw
Very true, guys. I was just trying to help in every possible way.

Lots more are reporting 'tornkit8' (I believe that is the name)... make sure you are up to date.
Clark
Does the vulnerability allow outsiders to get "into" the box with some special tool or going to a specific url? Or does it mean that if you are a webhost that a customer of yours can upgrade from regular user status to root?
Dave#
QUOTE
Originally posted by Clark
Does the vulnerability allow outsiders to get "into" the box with some special tool or going to a specific url? Or does it mean that if you are a webhost that a customer of yours can upgrade from regular user status to root?


This exploit allows full root access to your server; no special tool is needed. I have tested the exploit and it works.
ljprevo
I have tested this as well and cannot see how they are getting root access, especially an outsider.
Dave#
QUOTE
Originally posted by ljprevo
I have tested this as well and cannot see how they are getting root access, especially an outsider.


eh?

You can run any command at all as root... even wget a trojan...
cinergi
It would appear someone used the vulnerability to upgrade me???


216.118.116.100 - [12/Mar/2004:22:21:54 -0600] "GET /resetpass/?user=|"`printf${IFS}"%bscripts%bupdatenow"${IFS}"057"${IFS}"057"`"| HTTP/1.0" 200 0 "" ""
216.118.116.100 - [12/Mar/2004:22:21:54 -0600] "GET /resetpass/?user=|"`printf${IFS}"%bscripts%bmanualupcp"${IFS}"057"${IFS}"057"`"| HTTP/1.0" 200 0 "" ""
216.118.116.100 - [12/Mar/2004:22:21:55 -0600] "GET /login/?user=|%22%60/scripts/upcp%20manual%60%22| HTTP/1.0" 301 0 "" ""
216.118.116.100 - |"`/scripts/upcp manual`"| [12/Mar/2004:22:21:55 -0600] "GET /login/?user=|%22%60/scripts/upcp%20manual%60%22| HTTP/1." 401 0 "" ""

I logged in this morning and wondered how the hell my box had been upgraded to 9.1.0-R72 (I was on 8.8.0-something)...
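The log lines above show the pattern to hunt for: a `user` parameter on `/resetpass/` or `/login/` that carries shell metacharacters (`|`, backticks, `$`, `${IFS}` used in place of spaces). The following scanner is an added example written for this page, not code from cPanel or from anyone in the thread; it parses Apache-style access log lines of the same shape, decodes the `user` value, and flags anything that contains shell metacharacters or that does not look like a plain cPanel-style username (the lowercase-alphanumeric allowlist is an assumption). The sample lines are constructed, modelled on the ones quoted above with made-up hosts.

```python
import re
import sys
from urllib.parse import parse_qs, unquote

# Constructed sample, modelled on the access-log lines quoted in the post:
# two injection attempts and two ordinary requests (made-up hosts).
SAMPLE_LOG = r'''
203.0.113.9 - [12/Mar/2004:22:21:54 -0600] "GET /resetpass/?user=|"`printf${IFS}"%bscripts%bupdatenow"${IFS}"057"${IFS}"057"`"| HTTP/1.0" 200 0 "" ""
203.0.113.9 - [12/Mar/2004:22:21:55 -0600] "GET /login/?user=|%22%60/scripts/upcp%20manual%60%22| HTTP/1.0" 301 0 "" ""
198.51.100.4 - [12/Mar/2004:23:01:02 -0600] "GET /resetpass/?user=bob HTTP/1.0" 200 0 "" ""
198.51.100.4 - [12/Mar/2004:23:01:05 -0600] "GET /index.html?user=|id| HTTP/1.0" 200 0 "" ""
'''

# ip, ident/user field (may contain spaces once a payload lands there),
# timestamp, then the request line.  The target has no spaces because the
# attacker substitutes ${IFS}, so \S+ is enough to capture it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>.*?) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]*"'
)

# Endpoints the thread names as taking the vulnerable "user" parameter.
WATCHED_PATHS = ('/resetpass/', '/resetpass.cgi', '/login/')

# Assumed allowlist for legitimate account names (cPanel-style usernames).
SAFE_USER = re.compile(r'^[a-z0-9][a-z0-9._-]{0,31}$')

# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r'[|`$;&<>()\n]')


def shell_metachars(value):
    """Return the shell metacharacters present in a decoded parameter value."""
    return ''.join(sorted(set(SHELL_META.findall(value))))


def scan_line(line):
    """Return a hit dict for a suspicious request on a watched path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    if not path.startswith(WATCHED_PATHS):
        return None
    for raw in parse_qs(query, keep_blank_values=True).get('user', []):
        value = unquote(raw)  # second pass catches double-encoded payloads
        meta = shell_metachars(value)
        if meta or not SAFE_USER.match(value):
            return {'ip': m.group('ip'), 'ts': m.group('ts'),
                    'path': path, 'user': value, 'meta': meta}
    return None


def scan_log(text):
    """Run scan_line over every line of a log and collect the hits in order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for h in scan_log(text):
        print(f"{h['ts']} {h['ip']} {h['path']} user={h['user']!r} meta={h['meta']!r}")
```

Run it against the real access_log (`python3 scan.py /usr/local/cpanel/logs/access_log` is an assumed path; use wherever your cpsrvd logs live) to see whether your box was probed before the feature was disabled. A hit with a `200` response on `/resetpass/` means the command very likely ran, so the outcome should be treated as a compromise until the box is checked.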
Dave#
cPanel pushed out an upgrade a few days ago.
Jeewhizz
Another one?!

http://secunia.com/advisories/11124/

Jee
freddo
QUOTE
Originally posted by Jeewhizz
Another one?!

http://secunia.com/advisories/11124/

Jee
Nope, same one. If you are on the latest stable or have "reset password" set to off - you are safe.
eth00
QUOTE
Originally posted by freddo
The problem is that user input passed to the "user" parameter in the "login" section isn't properly verified before being used. This can be exploited to inject various commands by supplying shell meta characters



You sure? It sounds like it is different from the first vulnerability. The first one was related to the password reset section, while this exploit deals with the "login" section.
cinergi
Read the security advisory again: it's a DIFFERENT one. However, I'm unable to reproduce it.
todw
It's new and was fixed in cPanel forced update.
freddo
QUOTE
Originally posted by todw
It's new and was fixed in cPanel forced update.
I was told by Nick it was part of the "resetpassword" stuff and was not new - still you may know more about it than Nick...
Son Nguyen
It's a more serious issue than just ticking off the checkbox. If you had this exploit open (even for a day), someone might already have rooted the box (2 out of 4 of our testing cPanel boxes got this). Run chkrootkit and you'll see:

Checking `ifconfig'... INFECTED
..
Checking `login'... INFECTED
...
Checking `pstree'... INFECTED
...
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed

Try to run "top", see if you get
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

Cleanup Details:
http://admin0.info/forum/showthread.php?p=136#post136
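The `lkm` line in that chkrootkit output comes from comparing the process list the kernel exposes under `/proc` with the list a possibly trojaned `ps` reports. The script below is an added example for this page, not chkrootkit's code or anything from the thread: it takes both snapshots, and because processes start and exit between snapshots, it re-checks each candidate before calling it hidden. It only sees processes that are hidden from `ps` but still visible in `/proc`; a kernel-level rootkit that also filters `/proc` will not show up here, which is why the post's advice to keep watching the box still applies.

```python
import os
import subprocess


def pids_from_proc():
    """PIDs the kernel exposes under /proc (numeric directory names)."""
    return {int(name) for name in os.listdir('/proc') if name.isdigit()}


def pids_from_ps():
    """PIDs reported by the ps binary, which a rootkit may have replaced."""
    out = subprocess.run(['ps', '-e', '-o', 'pid='],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_pids, ps_pids, still_alive=None):
    """PIDs present in /proc but missing from ps output, in ascending order.

    A process that exited between the two snapshots would also differ, so
    each candidate is re-checked with still_alive() before being reported.
    PIDs that ps lists but /proc lacks are the opposite race and are ignored.
    """
    if still_alive is None:
        still_alive = lambda pid: os.path.exists('/proc/%d' % pid)
    return sorted(pid for pid in proc_pids - ps_pids if still_alive(pid))


def proc_comm(pid):
    """Command name from /proc/<pid>/comm, or '?' if it is already gone."""
    try:
        with open('/proc/%d/comm' % pid) as f:
            return f.read().strip()
    except OSError:
        return '?'


if __name__ == '__main__':
    # Take ps first: anything that starts after this snapshot shows up in
    # /proc without being hidden, so a second ps run filters those out.
    ps_before = pids_from_ps()
    proc = pids_from_proc()
    candidates = hidden_pids(proc, ps_before)
    hidden = [p for p in candidates if p not in pids_from_ps()]
    if not hidden:
        print('no processes hidden from ps')
    for pid in hidden:
        print('HIDDEN pid %d comm=%s' % (pid, proc_comm(pid)))
```

Run it as root so every `/proc/<pid>/comm` is readable. A hit here, together with `ifconfig`, `login` and `pstree` reported INFECTED, fits the thread's description of a user-space rootkit with replaced binaries; verify the binaries against the package database (`rpm -V` on the packages that own `ps`, `top`, `ifconfig` and `login`) before trusting any output from them.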
eth00
Nice post for removing the torn rootkit! Of course, if you do this, still watch over your box very carefully over the next few weeks. Many hackers might install additional rootkits or custom backdoors that cannot be found with chkrootkit. Luckily it seems like most of the hackers are just stupid script kiddies :)