Ability to inject and execute any code as root in SysCP Feb 07 2007 09:09PM
flo syscp org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The System Control Panel
www.SysCP.org

-= Security Advisory =-

Advisory: Ability to inject and execute any code as root in SysCP
Release Date: 2007/02/02
Last Modified: 2007/02/07
Author: Florian Lippert <florian.lippert (at) syscp (dot) org [email concealed]>
Application: SysCP <= 1.2.15
Severity: Arbitrary code execution
Risk: Critical
Status: Patch and new release provided

Overview:

SysCP, the System Control Panel is a server administration tool
which enables an internet service provider to give their customers
a web-based application to administrate their email addresses,
their subdomains etc.
Two security issues, both making a remote code execution possible,
were discovered recently:
1) Within the panel, a customer can inject any malicious code which will
be executed by the cronjob, which runs as super user. This security
issue was discovered by Daniel Schulte <daniel (at) byteways (dot) de [email concealed]> and only
affects SysCP 1.2.15
2) With having access to the syscp-database one could insert any file to
be executed into panel_cronscript table. This security issue was
discovered by Martin Burchert <eremit (at) syscp (dot) org [email concealed]> and affects all
SysCP releases from 1.2.3 up to 1.2.15.

Details:

1) It's possible for a customer to create a directory-structure like
"; cp /var/www/syscp/lib/userdata.inc.php /var/kunden/webs/web1/; ls "
inside his homedir. If the customer tries to protect this directory with
the control panel, the cronscript will execute this command as root and
the customer has the MySQL-root-password inside his ftp-directory.
2) If an attacker has access to the database he could add any php file to
the table 'panel_cronscript', for example one that he uploaded into his
dir and which adds a new root-user or installs a backdor etc. Due to not
validating or restricting the files which are "include_onced" on
scripts/cronscript.php, line 139 (as of SysCP 1.2.15) this file will be
executed as the user which also executes the cronscript, normally root.

Recommendation:

For security issue #1 patch your installation with the provided patch
(http://files.syscp.org/misc/syscp-1.2.15s.patch) or upgrade to
SysCP 1.2.16, which fixes both security issues.

GPG-Key:
pub 1024D/5B97D56B 2007-02-07 Florian Lippert <flo (at) syscp (dot) org [email concealed]>
Fingerprint: D974 4762 7993 A16E 4249 7BD5 61D3 9CEE 5B97 D56B

EOF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFykJfYdOc7luX1WsRApFVAJ4oAb6sPFmzvUc3dtrtwmfymsW+6wCggQPy
dP3ag9i/r99Yvs7Dk4JNgDI=
=cqyF
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus