cPanel - Privilege Escalation

.:: DESCRIPTION ::.

cPanel is the industry leader for turning standalone servers into a fully automated point-and-click hosting platform. Tedious tasks are replaced by web interfaces and API-based calls. cPanel is designed with multiple levels of administration including admin, reseller, end user, and email-based interfaces. These multiple levels provide security, ease of use, and flexibility for everyone from the server administrator to the email account user.

.:: SUMMARY ::.
Affected Version: 11.24.5-RELEASE
Tested Platform: Linux

Default cPanel security settings restrict virtual host users to executing or viewing files under their own privileges, UID, GID, and permissions. A vulnerability has been discovered in cPanel that allows users to execute or view files with the privileges of the web server, which normally runs as "nobody".

.:: DETAILS ::.
Not available to the public or to users with a basic VIA Agent subscription.

.:: IMPACT ::.
By escalating to the privileges of the web server, an attacker can view any file or control any process that is owned by user "nobody". In a normal shared hosting setup with cPanel, the user and group "nobody" are allowed to read and view files of all cPanel virtual hosting users.
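
An added example, not part of the original advisory or of cPanel itself: a defensive audit that lists which files under a hosting tree the web server account can read, judged by classic UNIX mode bits. The account name "nobody" comes from the advisory; the /home default, the function names, and the decision to ignore POSIX ACLs are assumptions.

```python
import os
import pwd
import stat
import sys


def _allowed(st, uid, gids, want):
    """Classic UNIX check: owner bits, else group bits, else other bits.
    `want` is 4 for read, 1 for search (x). POSIX ACLs are not considered."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want


def readable_by(root, uid, gids):
    """Return sorted paths of regular files under `root` readable by the
    account (uid, gids). `root` itself is assumed reachable; below it, only
    directories the account can enter (x bit) are descended into."""
    hits = []
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except OSError:
            continue  # the auditing user cannot list this directory
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                # Search permission is enough to open a file whose name is known.
                if _allowed(st, uid, gids, 1):
                    stack.append(entry.path)
            elif stat.S_ISREG(st.st_mode) and _allowed(st, uid, gids, 4):
                hits.append(entry.path)
    return sorted(hits)


if __name__ == "__main__":
    # "nobody" is the web server account named in the advisory;
    # /home as the default hosting root is an assumption.
    account = pwd.getpwnam("nobody")
    tree = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for path in readable_by(tree, account.pw_uid, {account.pw_gid}):
        print(path)
```

Run it as root against the hosting root so the walk is not limited by the auditor's own permissions; every path printed is exposed to any code running as the web server account.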

.:: AUTHOR ::.
Phuong Nguyen

