The cPanel and WHM web hosting platform is vulnerable to Authenticated RCE and Elevation of Privilege
Adam Bannister August 11, 2021 at 10:58 UTC
Updated: August 13, 2021 10:29 UTC
Pen testers and supplier disagree on appropriate mitigation measures
Security researchers have achieved remote code execution (RCE) and privilege escalation on the cPanel & WHM web hosting platform by chaining a stored cross-site scripting (XSS) vulnerability.
cPanel & WHM is a suite of Linux tools that allows web hosting tasks to be automated through a graphical user interface (GUI). cPanel is used to host more than 168,000 websites, according to Datanyze.
During a black-box pen test, RCE was also demonstrated through a ‘more complicated’ chain: a CSRF bypass combined with a cross-site WebSocket hijacking attack, which was possible because the WebSocket endpoint did not verify the Origin header of incoming handshake requests, according to a technical write-up published by Adrian Tiron, cloud AppSec consultant at UK-based infosec firm Fortbridge.
The WebSocket hijacking attack was tested in Firefox, because Chrome treats cookies that carry no SameSite attribute as SameSite=Lax by default, so the victim’s session cookie is not attached to a WebSocket handshake initiated from a cross-site page.
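The cross-site WebSocket hijacking described above works because the server authenticates the upgrade request purely on the session cookie and never asks which page opened the socket. The following is an added example, not code from cPanel or from Fortbridge’s write-up: a minimal Origin check for a WebSocket handshake, shown in its vulnerable form (cookie only), a naive substring check that is still bypassable, and a hardened allow-list check. The hostnames, port and handshake bytes are constructed for illustration.

```python
"""Origin check for a WebSocket upgrade handshake (added example).

Assumptions (not from the article): the panel UI is served from
https://panel.example.com:2087, the socket lives at /ws, and the
session cookie is named "session".
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def normalize_origin(value: str) -> Optional[str]:
    """Canonicalise an Origin value to scheme://host[:port], or None if it is
    not a well-formed browser origin ("null", relative, has path/userinfo)."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # Browsers serialise Origin without path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


# Constructed allow-list: the only origins that may open an authenticated socket.
ALLOWED_ORIGINS = {
    normalize_origin("https://panel.example.com:2087"),
    normalize_origin("https://panel.example.com"),
}


def parse_headers(raw_request: bytes) -> Dict[str, List[str]]:
    """Parse the header block of an HTTP/1.1 request into a dict of
    lowercase name -> list of values (duplicates are preserved on purpose)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def vulnerable_accepts(headers: Dict[str, List[str]]) -> bool:
    """The failure mode in the article: any request carrying the session
    cookie is upgraded. Origin is never consulted, so a page on any site the
    victim visits can open a socket that acts with the victim's privileges."""
    return any(c.startswith("session=") for c in headers.get("cookie", []))


def naive_accepts(headers: Dict[str, List[str]]) -> bool:
    """A common half-fix: substring matching on the host. Still bypassable,
    e.g. by an attacker-controlled panel.example.com.attacker.example."""
    origins = headers.get("origin", [])
    return bool(origins) and "panel.example.com" in origins[0]


def hardened_accepts(headers: Dict[str, List[str]]) -> bool:
    """Accept only when exactly one Origin header is present and it matches
    the allow-list after normalisation. A missing Origin means a non-browser
    client; those should authenticate with a token rather than a browser
    cookie, so the conservative default here is to refuse them as well."""
    origins = headers.get("origin", [])
    if len(origins) != 1:
        return False
    return normalize_origin(origins[0]) in ALLOWED_ORIGINS


def handshake(origin: Optional[str]) -> bytes:
    """Constructed upgrade request, as a browser sends it when a page at
    `origin` runs new WebSocket("wss://panel.example.com:2087/ws")."""
    lines = [
        "GET /ws HTTP/1.1",
        "Host: panel.example.com:2087",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Version: 13",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
        "Cookie: session=constructed-session-cookie",
    ]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    for o in ["https://panel.example.com:2087", "https://attacker.example",
              "https://panel.example.com.attacker.example:2087", "null", None]:
        h = parse_headers(handshake(o))
        print(f"{str(o):50} vulnerable={vulnerable_accepts(h)} "
              f"naive={naive_accepts(h)} hardened={hardened_accepts(h)}")
```

The Origin check belongs at the HTTP upgrade, before any WebSocket frame is processed; it is cheap and independent of the SameSite behaviour that happened to protect Chrome users here. Note that a cross-site page can open a socket to the panel only because the browser attaches the session cookie to the handshake; a per-session token supplied in the first message, or in the URL of the handshake, would close the hole even without an Origin check.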
‘Super Privileges’ required
cPanel has not fixed these flaws – it patched only a separate XXE vulnerability reported by Fortbridge – because an attacker must be authenticated as a reseller with permission to change locale settings, which is not a default configuration.
“The Locale interface can only be used by root and Super Privilege resellers to which root must grant this specific ACL,” Cory McIntire, product owner of the cPanel security team, told The Daily Swig.
This is tagged as a ‘super privilege’ with a warning icon in the server administrator’s WHM interface and also flagged as such in the cPanel Documentation, he added.
“When you expand this icon, it is explained to the server administrator that they will be allowed to insert HTML into this interface, as many of our customers expect to be able to do.”
He added: “Again, this is an option that root should enable for the reseller and should only be done for trusted users, like giving them root on your server.”
‘Secure by default’
However, Tiron believes the XSS “could have been fixed while still retaining the functionality it intended.”
He told The Daily Swig: “What they say is correct, in the sense that it’s covered in the documentation, but just because it’s documented doesn’t make it secure. People don’t read the documentation often, and they’re not [usually] security experts either, so they won’t be able to make the right decision most of the time.
“We’ve seen this approach a lot recently, with other vendors we’ve worked with. The correct approach should be ‘secure by default’, not ‘it’s documented, it’s your responsibility now’.”
The researcher suggests that the problem could have been fully mitigated “by applying filtering/encoding on this vulnerable input”.
He added: “Even though they see the ‘changing locale’ as a ‘super privilege’, it was not clear to us during the penetration test and it was certainly not clear to our client either.”
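The two positions above map onto two concrete fixes for a stored value that is later rendered as HTML: output encoding (which neutralises every tag and so removes the ‘insert HTML’ feature the vendor wants to keep) and allow-list filtering (which keeps a small set of harmless tags and attributes and drops everything else). The following is an added example, not cPanel’s code and not taken from Fortbridge’s report; the allow-list of tags and attributes and the sample payload are assumptions chosen for illustration, and a real deployment would normally use a maintained sanitiser library rather than the compact one shown here.

```python
"""Stored-XSS mitigations for an HTML-bearing field (added example).

encode_only()  - contextual output encoding: safe, but no HTML survives.
sanitize()     - allow-list filtering: keeps benign markup, drops the rest.
The allow-list below is an assumption, not cPanel's policy.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "em", "strong", "br", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}      # no on* handlers, no style, no src
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}  # their text must never leak through


def encode_only(value: str) -> str:
    """Render the stored value as inert text. Closes the XSS completely but
    turns '<b>x</b>' into literal angle brackets on screen."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> bool:
    """Accept only absolute http(s)/mailto URLs; rejects javascript:, data:,
    relative and scheme-relative links. Tabs/newlines are removed first
    because browsers strip them when parsing a URL."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialise markup keeping only allow-listed tags and attributes.
    Unknown tags are dropped but their text is kept (escaped); the contents
    of <script>/<style> are dropped entirely; open tags are closed at the end
    so the output is always well-formed."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not safe_url(value):
                continue  # e.g. href="javascript:alert(1)" is dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_stack:
            while self.open_stack:  # close intervening unclosed tags too
                closed = self.open_stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self.open_stack:
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(value: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return parser.result()


# Constructed payload mixing the markup a user legitimately wants with the
# vectors an attacker would try in a stored field.
SAMPLE = ('<b>Hello</b> <script>alert(1)</script>'
          '<a href="javascript:alert(1)">link</a>'
          '<img src=x onerror=alert(1)>'
          '<a href="https://example.com" onclick="alert(1)">ok</a>')

if __name__ == "__main__":
    print("encoded :", encode_only(SAMPLE))
    print("sanitised:", sanitize(SAMPLE))
```

Encoding is the right default for any field that has no business carrying markup; the allow-list route is what “fixed while still retaining the functionality” looks like in practice, and its cost is that the allow-list itself becomes security-critical (every attribute that can carry a URL or script must be either rejected or validated, as `href` is above).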
McIntire of cPanel said that to protect themselves, server administrators should simply remove any locale super privileges granted to “untrusted” resellers.
“We appreciate Fortbridge’s responsible disclosure and hope that these explanations will alleviate our customers’ concerns about this issue,” he continued.
“It is of the utmost importance that you only give super privileges to people you trust with root on your server.”
Tiron said cPanel was made aware of the vulnerabilities in May and June of this year.