
Ability to inject and execute any code as root in SysCP






-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                      The System Control Panel
                           www.SysCP.org

                      -= Security Advisory =-


     Advisory: Ability to inject and execute any code as root in SysCP
 Release Date: 2007/02/02
Last Modified: 2007/02/07
       Author: Florian Lippert
  Application: SysCP <= 1.2.15
     Severity: Arbitrary code execution
         Risk: Critical
       Status: Patch and new release provided


Overview:

  SysCP, the System Control Panel, is a server administration tool
  which enables an internet service provider to give their customers
  a web-based application to administer their email addresses,
  their subdomains etc.
  Two security issues, both making remote code execution possible,
  were discovered recently:
  1) Within the panel, a customer can inject malicious code which will
     be executed by the cronjob, which runs as superuser. This security
     issue was discovered by Daniel Schulte and only
     affects SysCP 1.2.15.
  2) With access to the syscp database, one could insert any file to
     be executed into the panel_cronscript table. This security issue was
     discovered by Martin Burchert and affects all
     SysCP releases from 1.2.3 up to 1.2.15.

Details:

  1) It's possible for a customer to create a directory structure like
     "; cp /var/www/syscp/lib/userdata.inc.php /var/kunden/webs/web1/; ls "
     inside his home directory. If the customer tries to protect this
     directory with the control panel, the cronscript will execute this
     command as root and the customer then has the MySQL root password
     inside his FTP directory.
  2) If an attacker has access to the database, he could add any PHP file to
     the table 'panel_cronscript', for example one that he uploaded into his
     directory and which adds a new root user or installs a backdoor etc.
     Because the files passed to include_once in scripts/cronscript.php,
     line 139 (as of SysCP 1.2.15), are neither validated nor restricted,
     this file will be executed as the user which also executes the
     cronscript, normally root.

Recommendation:

  For security issue #1 patch your installation with the provided patch
  (http://files.syscp.org/misc/syscp-1.2.15s.patch) or upgrade to
  SysCP 1.2.16, which fixes both security issues.

GPG-Key:
  pub 1024D/5B97D56B 2007-02-07 Florian Lippert
  Fingerprint: D974 4762 7993 A16E 4249 7BD5 61D3 9CEE 5B97 D56B

EOF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFykJfYdOc7luX1WsRApFVAJ4oAb6sPFmzvUc3dtrtwmfymsW+6wCggQPy
dP3ag9i/r99Yvs7Dk4JNgDI=cqyF
-----END PGP SIGNATURE-----
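
The two checks that the Details section shows were missing, as an added PHP example. It is not SysCP code and not the 1.2.16 fix. The function names, the `ls -ld` stand-in command, the temporary paths and the assumption that the cron module directory is writable only by root are all hypothetical.

```php
<?php
// Added illustration, not SysCP code. Function names, paths and the
// stand-in command are hypothetical.

// Issue 1: quote a customer-chosen directory before it reaches a root shell.
function build_dir_command(string $customerRoot, string $relDir): string
{
    $root = realpath($customerRoot);
    $dir  = realpath($customerRoot . '/' . $relDir);
    if ($root === false || $dir === false || !is_dir($dir)) {
        throw new RuntimeException('no such directory');
    }
    if (strpos($dir . '/', $root . '/') !== 0) {
        throw new RuntimeException('directory escapes the customer root');
    }
    // escapeshellarg() turns the whole name into one literal shell argument.
    return 'ls -ld ' . escapeshellarg($dir);   // stand-in for the real command
}

// Issue 2: only include cron modules that resolve inside a root-owned directory.
function resolve_cron_include(string $moduleDir, string $fileFromDb): string
{
    $base = realpath($moduleDir);
    $file = realpath($fileFromDb);
    if ($base === false || $file === false || !is_file($file)) {
        throw new RuntimeException('cron module not found');
    }
    if (strpos($file, $base . '/') !== 0 || substr($file, -4) !== '.php') {
        throw new RuntimeException('cron module outside the allowed directory');
    }
    return $file;   // caller may now include_once this path
}

// Constructed demo data in a temporary directory.
$tmp  = sys_get_temp_dir() . '/syscp-demo-' . getmypid();
$name = '; cp /var/www/syscp/lib/userdata.inc.php /var/kunden/webs/web1/; ls ';
mkdir("$tmp/web1/$name", 0700, true);
mkdir("$tmp/cron", 0700, true);
file_put_contents("$tmp/web1/upload.php", '<?php // customer upload');
file_put_contents("$tmp/cron/traffic.php", '<?php // shipped module');

echo build_dir_command("$tmp/web1", $name), "\n";   // name stays one quoted argument
echo resolve_cron_include("$tmp/cron", "$tmp/cron/traffic.php"), "\n";
try {
    resolve_cron_include("$tmp/cron", "$tmp/web1/upload.php");
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first call prints the advisory's directory name inside single quotes, so the shell treats it as one path. The last call is rejected because the file taken from the table resolves outside the module directory.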
