How to Protect Your cPanel Server from Backdoor Access, Plus a Warning for the Disabled Shell Access Setting in WHM

Posted by NickSecurity on Aug 28, 2020 4:40 PM EDT
Null Byte; By Nicholas Gilbert - CISSP, Security Researcher

An attacker can keep command-line access to their cPanel account even after you have suspended it, and can obtain shell access even if you have disabled it in WebHost Manager (WHM).

The first vulnerability stems from a cPanel "feature": some parts of email delivery keep working even after an account is suspended. Suspension disables certain email features, such as Mailman lists, but forwarders the user has pointed at scripts are left active. Most mail systems allow an address to be forwarded (piped) to a script, so that each incoming email acts as a trigger that executes the script. A common legitimate use is an auto-responder that adds the sender to a database and sends them a series of emails.

The fact that these pipes stay active after suspension poses a serious security risk: a malicious user, or an attacker who has compromised a cPanel account, can add a forwarder to a script that spawns a reverse shell back to them, then trigger it on demand simply by sending an email, even after the account has been suspended. Such scripts are widely available on many sites, including one of my favorites, PenTest Monkey: pentestmonkey.net/tools/web-shells/perl-reverse-shell
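Because the backdoor lives in ordinary forwarder configuration rather than in a running process, the practical defence is to audit every pipe-to-script forwarder on the server and cross-reference it with account ownership and suspension state. The script below is an added example written for this page, not code from the article or from cPanel. It assumes the cPanel on-disk layout stated in its docstring (one `/etc/valiases/<domain>` file per domain, `/etc/userdomains` for the domain-to-user map, and a marker file under `/var/cpanel/suspended/` per suspended user); the sample forwarder lines and user names embedded in it are constructed for demonstration.

```python
"""Audit cPanel mail forwarders that pipe incoming mail into scripts.

Added example (not from the article).  Assumed cPanel on-disk layout,
labelled here as assumptions:
  /etc/valiases/<domain>        one file per domain; each line is
                                "address: target[, target...]" and a target
                                that starts with "|" is a command Exim runs
  /etc/userdomains              lines of "domain: cpanel_user"
  /var/cpanel/suspended/<user>  present iff the account is suspended
"""
import os
from dataclasses import dataclass

VALIASES_DIR = "/etc/valiases"
USERDOMAINS = "/etc/userdomains"
SUSPENDED_DIR = "/var/cpanel/suspended"


@dataclass(frozen=True)
class PipeForwarder:
    domain: str
    address: str   # the alias that triggers the command
    command: str   # what Exim executes when mail arrives
    owner: str     # cPanel user owning the domain ("?" if unmapped)
    suspended: bool


def split_targets(rhs):
    """Split the right-hand side of an alias line on commas that are not
    inside double quotes (pipe targets such as "|/path" are usually quoted)."""
    targets, buf, quoted = [], [], False
    for ch in rhs:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            targets.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    targets.append("".join(buf))
    return [t.strip() for t in targets if t.strip()]


def parse_valiases(text):
    """Return [(address, command)] for every pipe target in one valiases file."""
    pipes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        address, rhs = line.split(":", 1)
        for target in split_targets(rhs):
            if target.startswith("|"):
                pipes.append((address.strip(), target[1:].strip()))
    return pipes


def parse_userdomains(text):
    """Map domain -> cPanel user from /etc/userdomains ("domain: user")."""
    mapping = {}
    for line in text.splitlines():
        if ":" in line:
            domain, user = line.split(":", 1)
            mapping[domain.strip()] = user.strip()
    return mapping


def audit(valiases_by_domain, userdomains_text, suspended_users):
    """Cross-reference pipe forwarders with ownership and suspension state.
    valiases_by_domain: {domain: file contents}; suspended_users: set of names."""
    owners = parse_userdomains(userdomains_text)
    findings = []
    for domain, text in sorted(valiases_by_domain.items()):
        owner = owners.get(domain, "?")
        for address, command in parse_valiases(text):
            findings.append(PipeForwarder(domain, address, command, owner,
                                          owner in suspended_users))
    return findings


def audit_server():
    """Run the audit against the live filesystem (assumed paths above)."""
    valiases = {d: open(os.path.join(VALIASES_DIR, d)).read()
                for d in os.listdir(VALIASES_DIR)}
    suspended = set(os.listdir(SUSPENDED_DIR)) if os.path.isdir(SUSPENDED_DIR) else set()
    return audit(valiases, open(USERDOMAINS).read(), suspended)


# Constructed sample data standing in for the files above.
SAMPLE_VALIASES = {
    "example.com": (
        '*: :fail: No Such User Here\n'
        'sales@example.com: "|/home/acme/autoresponder.pl", owner@example.com\n'
        'support@example.com: owner@example.com\n'
    ),
    "other.net": 'hi@other.net: "|/home/bob/public_html/.cache/sh.pl"\n',
}
SAMPLE_USERDOMAINS = "example.com: acme\nother.net: bob\n*: nobody\n"
SAMPLE_SUSPENDED = {"bob"}

if __name__ == "__main__":
    for f in audit(SAMPLE_VALIASES, SAMPLE_USERDOMAINS, SAMPLE_SUSPENDED):
        flag = "SUSPENDED-ACCOUNT PIPE" if f.suspended else "pipe"
        print(f"{flag}: {f.address} -> {f.command} (owner {f.owner})")
```

Every pipe forwarder is reported, not only those on suspended accounts, because the same mechanism is a persistence channel on live accounts too; a pipe target hidden in a dot-directory under `public_html`, as in the constructed `other.net` sample, is the kind of entry worth inspecting by hand. Run `audit_server()` as root on the host to use the real files instead of the embedded samples.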

Once in a reverse shell the attacker can do many things, such as run Perl scripts, crash the server, send spam, read other users' files, exfiltrate data, and, if an additional vulnerability is present, possibly escalate their privileges.

For the purpose of this proof of concept, shell access will be set to "Disabled Shell" in WHM for the user I'm testing with.
