cPanel Root CSRF: Round 3
Readers who have been with me from the beginning (as well as the guy that read my entire site yesterday) will recall that last fall, I posted several XSS and CSRF vulnerabilities with the cPanel WHM interface. Essentially, these vulnerabilities would allow me, as an attacker, to root a cPanel server simply by having an authenticated administrator browse my website. At the time, the vendor did not respond to my vulnerability reports, and the problems went unfixed until I resubmitted them to Secunia in February.
cPanel finally took action, fixing the XSS hole that I had found. However, the CSRF issues (which were much more critical in this case) were ignored. Their response to these issues was that CSRF can be prevented using the "XSRF Protection" feature in the WHM administration interface. I double checked and sure enough, there was such a feature. It was obscure, disabled by default, nowhere to be found on the cPanel documentation pages and FAQ (which ironically has its own XSS holes), and had verbage next to it that would discourage most administrators from enabling the feature. Essentially, cPanel treats these critical CSRF holes as a feature:
I didn't have all that much time to look into it until today, when I decided to actually test this feature. Digging into the code, the first thing I noticed was that all the "XSRF Protection" does is check the referrer that your browser sent- if it doesn't match one of the known domains for the server, the requested action is not allowed to take place.
The first way around this was obvious. If your browser does not send any referrer, the XSRF protection does not kick in. Referrers can be suppressed several ways, but the first one that comes to mind for me is SSL. Many browsers will not send referrers when coming from an SSL page. This morning, I wrote a proof of concept that bounces the user off an SSL-encrypted open redirect (there's plenty of them out there). A few tests with the latest version of cPanel confirmed that Firefox 3 does not send a referrer, and the XSRF Protection feature had no effect.
Assuming that the browser did send referrers, there are still plenty of ways to bypass it. The next thing that comes to mind is simply using a domain on the whitelist to execute the attack. With a few hundred users on most cPanel servers, finding an open redirect, file upload, XSS, or cross-site framing hole is usually trivial. If you combine that with the mod_userdir attacks I posted last week, you can increase the effectiveness of this attack even further.
The next idea I had was to add my domain to the list of allowed domains. It requires access to a local account on the server (legitimately or not), but any user can add extra domains and subdomains to his site- subdomains which are considered "allowed" by cPanel. This provides yet another effective way to avoid the XSRF protection feature.
The back end code for the cPanel interface is an absolute mess- it's amazing that it works as well as it does. Not just the WHM interface, but the entire package is vulnerable to CSRF and XSS attacks at nearly every level. This software manages hundreds of thousands of websites.
This is bad.
But preventing CSRF would break your third party billing software, so we should probably allow it by default. That's a great idea.
cPanel finally took action, fixing the XSS hole that I had found. However, the CSRF issues (which were much more critical in this case) were ignored. Their response to these issues was that CSRF can be prevented using the "XSRF Protection" feature in the WHM administration interface. I double checked and sure enough, there was such a feature. It was obscure, disabled by default, nowhere to be found on the cPanel documentation pages and FAQ (which ironically has its own XSS holes), and had verbage next to it that would discourage most administrators from enabling the feature. Essentially, cPanel treats these critical CSRF holes as a feature:
I didn't have all that much time to look into it until today, when I decided to actually test this feature. Digging into the code, the first thing I noticed was that all the "XSRF Protection" does is check the referrer that your browser sent- if it doesn't match one of the known domains for the server, the requested action is not allowed to take place.
The first way around this was obvious. If your browser does not send any referrer, the XSRF protection does not kick in. Referrers can be suppressed several ways, but the first one that comes to mind for me is SSL. Many browsers will not send referrers when coming from an SSL page. This morning, I wrote a proof of concept that bounces the user off an SSL-encrypted open redirect (there's plenty of them out there). A few tests with the latest version of cPanel confirmed that Firefox 3 does not send a referrer, and the XSRF Protection feature had no effect.
Assuming that the browser did send referrers, there are still plenty of ways to bypass it. The next thing that comes to mind is simply using a domain on the whitelist to execute the attack. With a few hundred users on most cPanel servers, finding an open redirect, file upload, XSS, or cross-site framing hole is usually trivial. If you combine that with the mod_userdir attacks I posted last week, you can increase the effectiveness of this attack even further.
The next idea I had was to add my domain to the list of allowed domains. It requires access to a local account on the server (legitimately or not), but any user can add extra domains and subdomains to his site- subdomains which are considered "allowed" by cPanel. This provides yet another effective way to avoid the XSRF protection feature.
The back end code for the cPanel interface is an absolute mess- it's amazing that it works as well as it does. Not just the WHM interface, but the entire package is vulnerable to CSRF and XSS attacks at nearly every level. This software manages hundreds of thousands of websites.
This is bad.
But preventing CSRF would break your third party billing software, so we should probably allow it by default. That's a great idea.
Edit: cPanel did, in fact, mention the XSRF Protection feature on their blog about a year ago. This post calls the CSRF issues "security issues, which range in severity from trivial to medium-critical"Labels: 0-Day, cPanel, CSRF, Exploits, Root, Shared Hosting, Web Applications, XSS
posted by mckt at
3:14 PM
4 Comments:
Do you not consider this to be a browser based issue? It certainly isn't cPanel-specific in any way.
Sharing authenticated HTTPS sessions between tabs/windows of a browser (and not child windows) is surely asking for trouble.
Maybe direct this to FF devs instead.
By
Anonymous, At
April 7, 2009 8:47 AM
Are you kidding me? Sharing HTTPS sessions is not a problem. It's not that hard to protect against CSRF, you just can't do it with referrers. All it takes is an unpredictable session token embedded in the forms- verify it before processing form input and nobody can spoof the form.
It's common knowledge that referrers aren't usually sent form HTTPS pages- nor should they be.
This is a cPanel issue- their XSRF Protection does nothing to protect against XSRF.
By
mckt, At
April 7, 2009 8:52 AM
I never said it was not easy to protect against.
What I did suggest is that the very nature of sharing HTTPS sessions between browser windows which are _not_ in a parent/child relationship is an very bad idea.
Yes, cPanel should probably have protection against the exploits. But this is not an issue of their making, it's an issue of browser security. Putting the blame solely on cPanel makes it look like you have an axe to grind (which, btw, reading the rest of your posts seems pretty much confirmed).
By
Anonymous, At
April 22, 2009 1:04 PM
I understand your point, and I'll concede that it's a good one. Indeed, sharing HTTPS (or even HTTP) sessions between browser windows without a direct relationship is a bad idea, and something that should be fixed. I'll have a bit of time this weekend, and will look into solutions for doing just that.
All that said, I still think that fixing this problem is cPanel's responsibility- the nature of HTTP sessions and web browsers was old news long before WHM existed. CSRF exploits are not exactly cutting-edge, and cPanel should be able to at least build a working "XSRF Protection" feature.
As far as having an axe to grind, I won't argue that point. cPanel has a massive install base, and the way that they have hacked together their web interface, along with the general poor security practices used therein, is simply irresponsible. Their website says: "cPanel and WHM includes the latest technologies to help keep your server secure." Meanwhile, they have several unpatched, publicly known security issues.
I suppose I do have an axe to grind, but only because blatantly false advertising coupled with an uncaring attitude towards security on such a widely installed application frustrates and irritates me. I know I'm not alone in this, either. I sent advisories to a handful of hosting companies before publishing this post, and the general response I got back was in line with my own feelings.
By
mckt, At
April 24, 2009 6:20 AM
Post a Comment
<< Home