Web hosting platform cPanel & WHM is vulnerable to authenticated RCE and privilege escalation – The Daily Swig

Adam Bannister, 11 August 2021 at 10:58 UTC. Updated: 13 August 2021 at 10:29 UTC

Pen testers and vendor disagree over appropriate mitigations

Security researchers have achieved remote code execution (RCE) and privilege escalation on web hosting platform cPanel & WHM via a stored cross-site scripting (XSS) vulnerability.

cPanel & WHM is a suite of Linux tools that enable the automation of web hosting tasks via a graphical user interface (GUI). cPanel is used in the hosting of more than 168,000 websites, according to Datanyze.

During a black-box pen test, RCE was also demonstrated via a more convoluted CSRF bypass chained with a cross-site WebSocket hijacking attack, which was possible because the WebSocket endpoints failed to check the Origin header of incoming handshake requests, according to a technical write-up published by Adrian Tiron, cloud AppSec consultant at UK infosec firm Fortbridge.

The WebSocket hijacking attack was tested in Firefox, since Chrome has SameSite cookies enabled by default.
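As an added illustration of the missing check described above (example code, not cPanel's or Fortbridge's), the following shows the server-side Origin validation that stops a page on another origin from opening an authenticated WebSocket with a victim's cookies. The hostnames, port, cookie value and handshake lines are constructed for the example; the lookalike-host and mixed-case cases show why the comparison has to be an exact match on the normalized origin rather than a substring or prefix test.

```python
# Added example (not cPanel's code): validating the Origin header on a
# WebSocket upgrade request. Cross-site WebSocket hijacking works when a
# server accepts the upgrade from any origin while the browser attaches the
# victim's session cookie; rejecting unknown origins closes that gap.
from urllib.parse import urlsplit

# Constructed allowlist: the single origin the panel is served from.
ALLOWED_ORIGINS = {"https://panel.example.test:2087"}


def normalize_origin(origin):
    """Return 'scheme://host:port' with the default port filled in, or None
    if the value is not a well-formed http(s) origin (e.g. 'null')."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # urlsplit().hostname is already lower-cased, so case differences vanish here.
    return f"{parts.scheme}://{parts.hostname}:{port}"


def parse_handshake(raw):
    """Split a raw HTTP/1.1 request into (request_line, {lowercased-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def origin_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether to accept the upgrade. A missing or malformed Origin is
    rejected: browsers always send Origin on a WebSocket handshake, so its
    absence means this is not a browser page we can vouch for."""
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    origin = headers.get("origin")
    if origin is None:
        return False
    normalized = normalize_origin(origin)
    if normalized is None:
        return False
    return normalized in {normalize_origin(a) for a in allowed}


def _handshake(origin_line):
    # Constructed upgrade request; the Sec-WebSocket-Key is the RFC 6455 sample value.
    return (
        "GET /websocket/terminal HTTP/1.1\r\n"
        "Host: panel.example.test:2087\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        "Cookie: session=constructed-session-value\r\n"
        + origin_line
        + "\r\n"
    )


# Constructed handshakes covering the cases a correct check must get right.
SAMPLES = {
    "same_origin": _handshake("Origin: https://panel.example.test:2087\r\n"),
    "same_origin_mixed_case": _handshake("Origin: https://PANEL.Example.test:2087\r\n"),
    "cross_origin": _handshake("Origin: https://other.example.test\r\n"),
    "lookalike_host": _handshake("Origin: https://panel.example.test.other.example:2087\r\n"),
    "wrong_scheme": _handshake("Origin: http://panel.example.test:2087\r\n"),
    "null_origin": _handshake("Origin: null\r\n"),
    "missing_origin": _handshake(""),
}


def check_samples():
    """Run the check over every sample; only the two same-origin requests pass."""
    return {name: origin_allowed(parse_handshake(raw)[1]) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, accepted in check_samples().items():
        print(f"{name:24s} {'accept' if accepted else 'reject'}")
```

The Origin check and the cookie's SameSite attribute are complementary: the article notes that Chrome's default SameSite handling already blocked the cross-site handshake, but a server should not depend on the client's browser for that, so setting SameSite explicitly on the session cookie and validating Origin on the server gives the same result in every browser. Non-browser clients, which send no Origin header, are rejected by this check and would need to authenticate with something other than the browser session cookie.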

The web hosting firm has not fixed these flaws (it only patched a separate XXE vulnerability reported by Fortbridge), because attackers must be authenticated with a reseller account that has permission to edit locales, which is not a default configuration.

"The Locale interface can only be used by root and Super Privilege resellers that root must grant this specific ACL to," Cory McIntire, product owner on the cPanel security team, told The Daily Swig.

"This is labelled a Super Privilege with a warning icon in the server admin's WHM interface and also flagged as such in the cPanel documentation," he added.


"When you expand this icon, it is explained to the server admin that they will be allowed to insert HTML into this interface, as many of our customers expect to be able to do."

He added: "Again, this is an option root must enable for the reseller, and should only be done so for users that are trusted as though you are giving them root to your server."

However, Tiron believes the XSS could have been fixed while maintaining the intended functionality.

He told The Daily Swig: "What they're saying is correct, in a sense that this [is] covered by the documentation, but just because it's documented doesn't make it secure. People don't often read documentation and they're not [usually] security experts either, so they won't be able to make the right decision most of the time.

"We've seen this approach quite a lot recently, with other vendors we've worked with. The correct approach should be secure by default, not 'it's documented, it's your responsibility now'."


The researcher suggests the issue could have been completely mitigated by applying "some filtering/encoding on that vulnerable input".

He added: "Even if they consider the edit locale as a super privilege, this wasn't clear to us during the pen test and it was definitely not clear to our customer either."

cPanel's McIntire said that to protect themselves, the server admin would "simply have to remove any Locale Super Privileges granted to untrusted resellers".

"We appreciate Fortbridge's responsible disclosure to us and hope that these explanations will ease any worries our customers may have regarding this issue," he continued.

"It is of utmost importance that you only give Super Privileges to people you would trust with root on your server."

Tiron said cPanel was notified of the vulnerabilities during May and June of this year.
