About-Cpanel Bug


A Review of the cPanel Bug

As you know, we unfortunately see large Iranian servers being hacked every day. Can these attacks really be prevented? Why, when a little time and study would let us stop these attacks and avoid the material and non-material damage they cause, do we not do so? Every day several thousand bugs and exploits are discovered that we know nothing about. Security is not a field in which a simple network-security certificate is enough to claim competence. Here we go through a set of security recommendations published by the asquad group.

To find out whether your server has this bug, run this PHP file on your server:

http://64.240.171.106/cpanel.php

This is in fact a local exploit written in Perl, and one of its most dangerous bugs is that a nobody shell gives access to other users; that is, with nothing more than one FTP account on a server, one can reach every site hosted on that server. The server can even be used as a victim through which to pursue one's own goals.


Unfortunately, cPanel works with the mod_php module by default, so most Linux hosting providers have this problem. This module allows one user to access the server's other users by way of UID-Min (which is uid >= 100).

To fix this problem, Apache has to be rebuilt (Build) on top of mod_phpsuexec.

At present every cPanel build, including the stable, release and current builds and even cPanel 9.3.0-Edge-95, has this problem. The operating systems RedHat 7.3, 8.0 and 9, Enterprise Linux, Fedora and FreeBSD are affected as well.

In general, when mod_php is enabled, all PHP scripts run as the same default web server user (nobody). This lets users run any script they like on the server, which is dangerous for servers that host more than 1 account and do not want users to reach each other's areas (web servers in general). Unfortunately mod_php is installed on cPanel by default (and this is a big problem). Note, however, that this is not a bug or an exploit; it is the normal, expected behaviour of mod_php and cannot be prevented (except by switching to php suexec).

Even so, the suexec shipped with cPanel still lets users run a number of scripts without control, and in this it differs from the suexec provided with Apache itself. cPanel has supplied a patch to fix this problem:

(/home/cpapachebuild/buildapache/suexec.patch)


This patch allows these scripts to run only for the special users root, wheel. Its one problem is that it allows shared scripts to run even when their parent directory is writable by other users and groups.

In addition, there are still a number of Perl and CGI scripts that are exploitable. For example:

/usr/local/cpanel/bin/proftpdvhosts
/usr/local/cpanel/cgi-sys/addalink.cgi
/usr/local/cpanel/cgi-sys/guestbook.cgi
/usr/local/cpanel/cgi-sys/mchat.cgi
…

To check whether these exploitable scripts are present on your server, run this command:

root@server01> find /usr/local/cpanel -user root -group wheel -type f -perm -001 | xargs -I{} echo "head -1 {} | grep -q perl && head -1 {} | grep -q -v -e -T && ls -l {}" | sh

If running this command produces no output, your server is completely secure against these points. You can also test your server through this link:

http://64.240.171.106/cpanel.php

This script tests your server against several vulnerabilities.

The file runs a series of PHP scripts as an ordinary user, which causes the main file tests.pl to be executed. Full information about this tester is available here:

http://www.a-squad.com/audit/
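As an added example (not part of the original article or of the A-Squad tester), the shell functions below extend the find one-liner above: they flag world-executable Perl scripts whose shebang lacks -T and also report a group- or world-writable parent directory, the condition the article says the suexec patch does not check. The function names are hypothetical; pass `-user root -group wheel` as extra arguments to apply the article's ownership filter.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not cPanel or A-Squad code.

# Succeeds when FILE starts with a perl shebang that does not enable taint mode.
# Only uppercase -T counts: lowercase -t merely warns and enforces nothing.
lacks_taint_flag() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\000')
    case $first in
        '#!'*perl*) ;;
        *) return 1 ;;
    esac
    # Accept -T alone or inside a switch cluster such as -wT.
    printf '%s\n' "$first" | grep -Eq '[[:space:]]-[[:alnum:]]*T' && return 1
    return 0
}

# Prints the nearest directory above FILE, up to STOP, that group or other
# can write to; fails when every directory on the way is closed.
writable_parent() {
    dir=$(dirname "$1")
    while :; do
        hit=$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
        [ -n "$hit" ] && { printf '%s\n' "$dir"; return 0; }
        [ "$dir" = "$2" ] || [ "$dir" = / ] || [ "$dir" = . ] && return 1
        dir=$(dirname "$dir")
    done
}

# Usage: audit_tree DIR [extra find tests, e.g. -user root -group wheel]
# One line per world-executable perl script that lacks -T.
audit_tree() {
    root=$1; shift
    find "$root" -type f -perm -001 "$@" | while IFS= read -r f; do
        lacks_taint_flag "$f" || continue
        wp=$(writable_parent "$f" "$root") || wp=none
        printf '%s\twritable-parent=%s\n' "$f" "$wp"
    done
}

if [ $# -gt 0 ]; then audit_tree "$@"; fi
```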


Most sites have each offered their own method for patching these bugs, but most of these are incomplete or flawed. A few methods are described below:

1- The best course (which also removes other problems) is to change the PHP module from mod_php to mod_phpsuexec. First way: compile Apache

(/scripts/easyapache, "number 2")

But be careful: many permissions and ownerships depend on the PHP scripts, and this change may break some sites.

* Do this at your own responsibility.

2- Delete the patch file after running buildapache

(/home/cpapachebuild/buildapache/suexec.patch)

But note, before choosing the first way: it secures your server, but it may cause problems that depend on your shared scripts and on the users and sites on your server. You can, however, still solve the problem for now with mod_php itself.

It may be better to modify suexec.patch so that it scans the parent directories for these security problems (before it allows the script to run).

3- If you cannot choose the first way, or you are worried about causing problems on the server or about changing your PHP engine, you can remove the problem yourself by changing the Perl scripts owned by root.wheel. One way of doing this is given below.

It is enough to add a (-T) to them.


‫‪-------snip -------‬‬
‫‪---/usr/local/cpanel/bin/proftydvhosts.o‬‬ ‫‪2003-02-22‬‬
‫‪09:38:52.000000000 - 0700‬‬
‫‪+++/usr/local/cpanel/bin/proftpdvhosts‬‬ ‫‪2004-05-27‬‬
‫‪00:10:20.000000000 – 0600‬‬
‫@@ ‪@@-1 , 5 +1 , 6‬‬
‫‪-#! /usr/bin/perl‬‬
‫‪+#! /usr/bin/perl-T‬‬

‫;)”‪+% ENV = (PATH => “/usr/bin:/bin/:/sbin:/usr/sbin‬‬


‫{ ‪BEGIN‬‬
‫;)”‪Push @ INC, “/scripts‬‬
‫}‬
‫‪- - - - snap - - - -‬‬
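Review bot: the added `%ENV = (PATH => ...)` line sits above the BEGIN block but is an ordinary run-time statement, so the BEGIN block and any compile-time `use` still run with the caller's environment; moving the assignment inside BEGIN would sanitise the environment before anything else executes. As printed, the new shebang reads `/usr/bin/perl-T` with no space, which names a different interpreter; it needs to be `#!/usr/bin/perl -T`. The hunk touches only the first six lines, so any place further down where the script passes input to a shell, file or exec call will now die under taint mode unless the value is untainted there, which is worth testing before deploying.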

The only problem with this method is that, once the scripts have been made taint clean, every cPanel update (/scripts/upcp) wipes out all of these changes and they have to be made again.

4- An easier way is to change the ownership of all the untaint scripts to root wheel.

chgrp root /usr/local/cpanel/bin/proftpdvhosts

This way you do not need to fix any script. It is enough to change the shared scripts to root wheel. For them to be executed, they must then be entered with the root, wheel group.

For peace of mind, I suggest you make every executable Perl script that belongs to root.wheel taint clean; if you cannot do that, delete it, or change its ownership to root.wheel, or chmod it to zero.


On the whole, cPanel has always had many problems of its own and will continue to have them; the same applies to all third-party and open-source software. The best approach is for a server's admin to visit security news sites every day and keep up with the latest news.


References:

1- http://www.securityfocus.com/archive/1/365328
2- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0529
3- cPanel's Internal Ticket Request: #17703 (no public URL)
4- http://www.a-squad.com/audit/
5- http://bugzilla.cpanel.net/show_bug.cgi?id=668

Note that we have looked at 2 problems: one relates to mod_phpsuexec, and the other relates to /usr/local/apache/bin/suexec together with mod_php. For more information, see this link:

http://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2004-0490

If you have any questions, problems or objections, we are gladly at the service of our dear friends and interested readers.

Farshad Esmaeilian