Vulnerability

Note: Due to the very simple exploitation technique, the whole content was removed. Details might be revealed later.

Affected software: SitePad Website Builder versions below 1.5.4.

SitePad ▒▒▒▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒, which allows an unprivileged user to ▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒▒▒ ▒▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒▒▒, which in turn results in root privilege escalation.

The vulnerability is not exploitable inside CloudLinux CageFS due to ▒▒▒▒▒▒ ▒▒▒▒▒; however, thanks to the vulnerability fixed with KMODLVE-385, at the time of discovery pretty much every system was vulnerable to a CageFS bypass, because the patched LVE kernel module would require a reboot, or at least stopping all services, to reload the LVE module.

Exploit

If you are inside a CageFS that is still vulnerable to the bug fixed with KMODLVE-385, just run ls -ld /proc/*/root/tmp - if tmp is owned by root, that path is outside CageFS. In CloudLinux 7 you might need to e.g. execute a DirectAdmin plugin and hit the exact time the plugin is running. In CloudLinux 8 there is usually an unconfined systemd process running as the user. Go to your home directory outside CageFS with cd /proc/<pid>/root/home/<user> and continue with the instructions below.

▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒:

▒▒▒▒▒
▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

Next, ▒▒▒ ▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒ ▒▒ ▒▒▒▒:

▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒

Output:

uid=0(root) gid=0(root) groups=0(root),1000(test)

Solution

Update SitePad to version 1.5.4 or later. As a workaround, you can ▒▒▒▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒, ▒▒▒▒▒ ▒▒▒▒ ▒▒▒▒▒▒ ▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒ ▒ ▒▒▒ ▒▒▒ ▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒▒▒▒

Timeline

  • 2021-02-15 - Vulnerability reported to vendor.
  • 2021-02-16 - Response from vendor; SitePad 1.5.4 released with the vulnerability fixed. According to the vendor, a similar vulnerability was reported by Rack911 in Softaculous a few hours before my report - more details in ZSA-2021-1.