cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Support AtomiCorps Trusted Path Inclusion

Chris Borsheim shared this idea 6 years ago
Open Discussion

https://www.atomicorp.com/wiki/index.php/TPE

ASL is blocking with their Trusted Path Execution (TPE) feature is that the Mailman binary executable files that Apache runs via suEXEC and the /usr/local/cpanel/3rdparty/mailman/cgi-bin/ folder that contains them are owned by an unprivileged non-root user Basically /usr/local/cpanel/3rdparty/mailman and everything underneath it is owned by mailman:mailman, therefore anything running as the mailman user can modify the contents of these folders including the executable files which are run by Apache.ASL is configured so that any process running as a user in the "untrusted" group" can only run executable files which are owned by root and in a directory owned by root.This stops an attacker from overwriting an existing executable file or adding a new executable file to a vulnerable directory and then running it via software running in the "untrusted" group such as Apache. Please see https://www.atomicorp.com/wiki/index.php/TPE for AtomiCorp's explanation of the TPE feature.In this case, someone gaining access to the unprivileged "mailman" user could either replace any of the existing executable binary files in /usr/local/cpanel/3rdparty/mailman/cgi-bin/ with their own malicious files as those executable binary files are all owned by mailman:mailman or they could upload new executable binary files into this folder as the folder itself is owned by mailman:mailman.Once a malicious binary is in the /usr/local/cpanel/3rdparty/mailman/cgi-bin/ folder, it can then be executed by Apache from any domain on the server by using the /mailman ScriptAlias and thus is a significant security risk.All other executable files under /usr/local/cpanel/3rdparty/ such as those in /usr/local/cpanel/3rdparty/bin/, /usr/local/cpanel/3rdparty/php/54/bin, /usr/local/cpanel/3rdparty/perl/514/bin and /usr/local/cpanel/3rdparty/libexec/ are all owned by either the "root" or "bin" users, which are trusted system users and therefore don't represent a security problem and aren't blocked by TPE.The only executable files which I can find under /usr/local/cpanel/3rdparty/ that are not owned by root:root or bin:bin are in subdirectories of the /usr/local/cpanel/3rdparty/mailman/ folder and are owned by mailman:mailman, see:[root@hostname user]# find /usr/local/cpanel/3rdparty/ -type f -executable | xargs ls -lah | grep -v "root[[:space:]]\+root" | grep -v "bin[[:space:]]\+bin"-rwxr-xr-x 1 mailman mailman 7.9K Feb 26 03:48 /usr/local/cpanel/3rdparty/mailman/bin/add_members-rwxr-xr-x 1 mailman mailman 6.0K Feb 26 03:48 /usr/local/cpanel/3rdparty/mailman/bin/arch-rwxr-xr-x 1 mailman mailman 2.6K Feb 26 03:48 /usr/local/cpanel/3rdparty/mailman/bin/b4b5-archfix-rwxr-xr-x 1 mailman mailman 6.1K Feb 26 03:48 /usr/local/cpanel/3rdparty/mailman/bin/change_pw

Leave a Comment
 
Attach a file