syscp1215-exec.txt
Posted on 08 February 2007
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The System Control Panel www.SysCP.org -= Security Advisory =- Advisory: Ability to inject and execute any code as root in SysCP Release Date: 2007/02/02 Last Modified: 2007/02/07 Author: Florian Lippert <florian.lippert@syscp.org> Application: SysCP <= 1.2.15 Severity: Arbitrary code execution Risk: Critical Status: Patch and new release provided Overview: SysCP, the System Control Panel is a server administration tool which enables an internet service provider to give their customers a web-based application to administrate their email addresses, their subdomains etc. Two security issues, both making a remote code execution possible, were discovered recently: 1) Within the panel, a customer can inject any malicious code which will be executed by the cronjob, which runs as super user. This security issue was discovered by Daniel Schulte <daniel@byteways.de> and only affects SysCP 1.2.15 2) With having access to the syscp-database one could insert any file to be executed into panel_cronscript table. This security issue was discovered by Martin Burchert <eremit@syscp.org> and affects all SysCP releases from 1.2.3 up to 1.2.15. Details: 1) It's possible for a customer to create a directory-structure like "; cp /var/www/syscp/lib/userdata.inc.php /var/kunden/webs/web1/; ls " inside his homedir. If the customer tries to protect this directory with the control panel, the cronscript will execute this command as root and the customer has the MySQL-root-password inside his ftp-directory. 2) If an attacker has access to the database he could add any php file to the table 'panel_cronscript', for example one that he uploaded into his dir and which adds a new root-user or installs a backdor etc. Due to not validating or restricting the files which are "include_onced" on scripts/cronscript.php, line 139 (as of SysCP 1.2.15) this file will be executed as the user which also executes the cronscript, normally root. Recommendation: For security issue #1 patch your installation with the provided patch (http://files.syscp.org/misc/syscp-1.2.15s.patch) or upgrade to SysCP 1.2.16, which fixes both security issues. GPG-Key: pub 1024D/5B97D56B 2007-02-07 Florian Lippert <flo@syscp.org> Fingerprint: D974 4762 7993 A16E 4249 7BD5 61D3 9CEE 5B97 D56B EOF -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFykJfYdOc7luX1WsRApFVAJ4oAb6sPFmzvUc3dtrtwmfymsW+6wCggQPy dP3ag9i/r99Yvs7Dk4JNgDI= =cqyF -----END PGP SIGNATURE-----