Posted by: paragon | October 22, 2006

cPanel: 0 Day cPanel Exploit in Wild

Content: WebHostGear.com http://www.webhostgear.com/369.html

Aggregation: ParagonHost.com http://www.paragonhost.com

0 Day cPanel Exploit in Wild

UGRENT THE /scripts/upcp fix that cPanel has claimed to fix your server DOES NOT. Read below!

A new 0 day cPanel exploit for root access is in the wild affecting hosts. News of this is spreading very quickly around the web and cPanel has released a band aid patch fix. You can patch your server by simply running /scripts/upcp from shell. The update will not change your release or build number either.

Notes on the cPanel Exploit:

– This is a 0 day issue, and a patch from cPanel for it was just relased on Sept. 23, 2006
– This exploit gives the attacker root access
– You will not detect this with rkhunter/chkrootkit
– You will not know you have been rooted
– It has been confirmed to be affecting more than just one hosting provider in different datacenters.

This was first seen targeting HostGator.com one of the largest shared and reseller cPanel hosts out there.
NetCraft Reports of cPanel exploit
Slashdot picks up the story
Post 1 on WHT about the alert
Post 2 on WHT about the issue

How to Fix:From Dave of cPanel, Inc.
“Upcp will fix the problem on all builds. It is seperate from cPanel Auto Heal. The cPanel Auto Heal system was used to distribute the patch though.”
Login as root and run /scripts/upcp this will patch your server. cPanel has NOT increased the build # after you’ve been patched, I have no idea why since this is a major hole.
UPDATE: This is NOT true. See my testing results of how to REALLY fix your serverNice work cpanel, you tell us we’re patched when your patch isn’t working.
I HOPE this is a bug in your cpanel checker only but somehow I really really doubt it.
Guys /scripts/upcp doesn’t fix your server, you HAVE to force it.

See http://forums.cpanel.net/showthread….d=1#post272856

Here’s the post if you don’t have access:

You MUST run /scripts/upcp –force

I just confirmed this on about 3 servers. Here are the findings.

I did a /scripts/upcp on this box last night right after the fix was announced and to DO a /scripts/upcp

So let me test their patcher… I should be safe right, WRONG.

root@ocean [~]# wget http://layer2.cpanel.net/installer/sec092306.pl
–13:57:23– http://layer2.cpanel.net/installer/sec092306.pl
=> `sec092306.pl’
Resolving layer2.cpanel.net… 69.90.250.34, 69.90.250.35, 69.90.250.36, …
Connecting to layer2.cpanel.net[69.90.250.34]:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 5,479 [text/plain]

100%[====================================>] 5,479 –.–K/s

13:57:23 (75.73 MB/s) – `sec092306.pl’ saved [5,479/5,479]

root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety…

not safe

Done

root@ocean [~]# /usr/local/cpanel/cpanel -V
10.8.2-RELEASE_119

/scripts/upcp

All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels…cpanel/version (0)….@198.66.78.12……connected……receiving …100%……Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Versions Match! (10.8.2-RELEASE_119). You are running the latest RELEASE.
Updating addon typecripts addonhpBB version:2.0.19-1.0…….Done
Updating addon typecripts addon:AdvancedGuestBook version:latest…….Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8…….Done
Updating addon type:modules addonro version:1.0rc36…….Done
Updating addon type:modules addonpamdconf version:0.5…….Done
Rebuilding Process List…Done
Scanning for new mail senders…..Done
Scanning suexec_log.Done

root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety…

not safe

Done
root@ocean [~]#

WTF

/scripts/upcp –force

All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels…cpanel/version (0)….@ 100%……Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Installed Version: forced install
Newest Version: 10.8.2-RELEASE_119

….lots of lines later….

aiting for cppop to shutdown……Done
Waiting for cppop-ssl to shutdown……Done
==> Starting SSL tunnel…
Waiting for cpsrvd to shutdown……Done
Waiting for cpsrvd-ssl to shutdown……Done
==> Start Melange Chat Services…
==> Post Install Complete

Broadcast message from root (Sun Sep 24 14:08:17 2006):

cPanel Layer 2 Install Complete
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Updating addon typecripts addonhpBB version:2.0.19-1.0…….Done
Updating addon typecripts addon:AdvancedGuestBook version:latest……Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8…….Done
Updating addon type:modules addonro version:1.0rc36…….Done
Updating addon type:modules addonpamdconf version:0.5…….Done
Rebuilding Process List…Done
Rebuilding Process List…Done
Scanning for new mail senders…..Done
Scanning suexec_log.Done

Lets check now
root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety…

safe

Done
root@ocean [

Nice work guys… lol

How to tell if you’re already infected?
We can review your server and provide a detailed report and see if the exploit has infected your servers.

But I have a Firewall and run things like Mod_security, would I still be infected?
Yes! You were still 100% open to the exploit and may be infected.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: