Privilege Escalation in UAPI function called by cPanel Interface
Hi.
I am attempting to create a new cPanel (Paper Lantern) interface which runs a shell script as root.
The process that I am attempting to use for this is as follows:
- Define interface and call custom UAPI function.
- Build custom UAPI function which calls the Cpanel::AdminBin::Call::call method to escalate privileges.
- Build a custom admin callable module which runs the shell script.
The administrative request failed because of an error (EKEYEXPIRED/127) with output: The adminbin "WbAdmin" in the "WbAdminModule" namespace call to function "ECHO" ended prematurely: The subprocess reported error number 127 when it ended.
Below are each of the relevant code segments (note: these have been somewhat simplified).
cPanel interface (755 /usr/local/cpanel/base/frontend/paper_lantern/test-module/test-module.live.php):
[PHP]
<?php
include( "/usr/local/cpanel/php/cpanel.php" ); // Instantiate the CPANEL object.
$cpanel = new CPANEL();                        // Connect to cPanel - only do this once.
print $cpanel->header( "test" );               // Add the header.

$test_output = $cpanel->uapi(
    'WbTestModule', 'testfunction',
    array(
        'foo' => 'bar',
    )
);

echo '<pre>';
var_dump( $test_output );
echo '</pre>';

print $cpanel->footer(); // Add the footer.
$cpanel->end();          // Disconnect from cPanel - only do this once.
?>
[/PHP]
cPanel module (644 /usr/local/cpanel/Cpanel/API/WbTestModule.pm)
package Cpanel::API::WbTestModule;

use strict;
use Data::Dumper ();
use Cpanel::AdminBin::Call ();

our $VERSION = '1.0';

sub testfunction {
    # siphon off the input args into a hash
    my ( $args, $result ) = @_;
    my ( $arg1 ) = $args->get( 'foo' );

    my $val;
    $val = Cpanel::AdminBin::Call::call(
        'WbAdminModule',
        'WbAdmin',
        'ECHO',
        $arg1,
    );
    my $err = $@;

    my $data = {
        'err' => $err,
        'val' => ref($val) ? Data::Dumper::Dumper($val) : $val,
    };
    $result->data( $data );
    return 1;
}

1;
Privileged callable module (700 /usr/local/cpanel/bin/admin/WbAdminModule/WbAdminModule)
#!/usr/local/cpanel/3rdparty/bin/perl
package WbAdminModule::WbAdmin;

use strict;
use parent qw( Cpanel::AdminBin::Script::Call );

__PACKAGE__->run() if !caller;

sub _actions {
    return qw(
        ECHO
    );
}

sub ECHO {
    my ($self, $string) = @_;
    return $string;
}

1;
Note that I do have a WbAdminModule.conf file, created by running:
echo mode=full > /usr/local/cpanel/bin/admin/WbAdminModule/WbAdminModule.conf
What am I missing here?
-
Hello,
Could you verify the permissions and ownership values configured on the WbAdminModule.conf file? Also, does it make a difference if you adjust its contents to resemble the following code? EX:
mode=full
allowed_parents=/usr/local/cpanel/cpanel
Thank you.
-
Permissions of the conf file were 644 and owned by root:root
-rw-r--r-- 1 root root 51 Feb 27 08:57 /usr/local/cpanel/bin/admin/WbAdminModule/WbAdminModule.conf
I have tried updating the contents to:
mode=full
allowed_parents=/usr/local/cpanel/cpanel
This has had no effect. I also tried updating permissions to 700, 770, 777, 600, 660 - none of these worked.
-
Hello,
You are welcome to open a support ticket using the link in my signature so we can take a closer look and verify the functionality is working as intended. We can't troubleshoot the custom code itself, but we should be able to take a general look to see if there are any obvious mistakes in your implementation. Additionally, you can also send an email to integration@cpanel.net to seek out additional feedback from our Developers.
Thank you.
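
The call in the post names namespace `WbAdminModule` and module `WbAdmin`, while the file shown on disk is `WbAdminModule/WbAdminModule`, and exit status 127 is the conventional "command not found" status. The layout check below is an added example, not part of any post in this thread or of cPanel's code; the function name `check_adminbin` is hypothetical, and it assumes the module is looked up at `<base>/<namespace>/<module>` with its config at `<module>.conf`.

```shell
#!/bin/sh
# Added example (not from the thread): compare an adminbin call's
# namespace/module arguments with what is actually on disk.
# ASSUMPTION: lookup path is <base>/<namespace>/<module>, config is <module>.conf.
# Modes checked are the ones stated in the post: 0700 script, mode=full config.

check_adminbin() {
    base=$1; ns=$2; mod=$3
    script="$base/$ns/$mod"
    conf="$script.conf"
    rc=0

    if [ ! -f "$script" ]; then
        echo "FAIL: no module file at $script"
        # Show what is there, so a naming mismatch is visible at a glance.
        for f in "$base/$ns"/*; do
            [ -f "$f" ] && echo "      present instead: $f"
        done
        rc=1
    else
        # First 10 characters of ls -l output are the type and permission bits.
        perms=$(ls -ld "$script" | cut -c1-10)
        if [ "$perms" != "-rwx------" ]; then
            echo "FAIL: $script is $perms, expected -rwx------ (0700)"
            rc=1
        fi
    fi

    if [ ! -f "$conf" ]; then
        echo "FAIL: no config at $conf"
        rc=1
    elif ! grep -q '^mode=full' "$conf"; then
        echo "FAIL: $conf has no mode=full line"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $ns/$mod matches the call arguments"
    return "$rc"
}

# Usage on a server, with the names passed to Cpanel::AdminBin::Call::call:
#   check_adminbin /usr/local/cpanel/bin/admin WbAdminModule WbAdmin
```

A non-zero return means the privileged script, its permissions, or its config do not line up with the namespace and module named in the call.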