

Zamfoo - ACL Bypass Vulnerability (Uninstall Instructions)




Posted by Patrick, 06-17-2013, 12:35 PM
Product Description:
The ZamFoo software suite is a series of WHM plugin modules (also known as WHM addon modules) catered towards easing the burden of web hosting providers that sell shared hosting solutions using the Cpanel and WHM hosting platform. Hundreds of companies use our software to create Alpha WHM and create Master WHM hosting accounts.

Vulnerability Description:
Due to a series of ACL failures, a reseller user can access numerous files belonging to Zamfoo under WHM to tamper with various settings designed for root and in some cases render the server inoperable.

Proof of Concept:
Another security researcher has already issued a working proof of concept, so we do not see the need to include one in this advisory.

Impact:
We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user can render the server (ssh / su) inoperable by removing the limits.conf file.

Vulnerable Version:
This vulnerability was tested against Zamfoo v11.7 and is believed to exist in all versions.

Fixed Version:
It took the developer two weeks to come up with a patch and we have determined that the patch does not work and that this flaw is still present in the software. Additionally, it has been brought to our attention that several more root level exploits are present in Zamfoo so we must urge everyone to uninstall this software:

    cd /root
    wget http://www.zamfoo.com/downloads/zamfoo_uninstaller.tar
    tar -xvf zamfoo_uninstaller.tar
    chmod +x uninstall.cgi
    ./uninstall.cgi

Just to be sure:

    rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/zamfoo

Vendor Contact Timeline:
2013-05-31: Vendor contacted via email.
2013-06-03: Vendor contacted via email again.
2013-06-03: Vendor confirms vulnerability.
2013-06-13: Vendor contacted via email seeking update.
2013-06-13: Vendor states a patch is "to be" worked on.
2013-06-13: Rack911 issues warning to disable software.
2013-06-13: Vendor threatens to sue.
2013-06-15: Vendor issues patch two weeks from initial contact.
2013-06-15: Rack911 defeats patch within 5 minutes.
2013-06-17: Rack911 issues a general security advisory.

Last edited by bear; 07-09-2013 at 08:03 AM.
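A post-uninstall check for the removal steps above, added here as an example and not part of the original advisory or of Zamfoo's own tooling. It confirms that nothing Zamfoo-named remains under the WHM cgi docroot and that limits.conf is still intact; the function name, the optional root-prefix argument and the `/etc/security/limits.conf` location (the standard PAM path, which the advisory does not spell out) are assumptions.

```shell
#!/bin/sh
# Added example: verify that the Zamfoo uninstall steps took effect.
# Usage: zamfoo_check            (live system)
#        zamfoo_check /mnt/img   (hypothetical prefix: mounted image or test tree)

zamfoo_check() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "", so the paths below stay absolute
    cgi="$root/usr/local/cpanel/whostmgr/docroot/cgi"   # path from the advisory
    limits="$root/etc/security/limits.conf"             # assumed standard PAM path
    status=0

    # 1. Nothing Zamfoo-named may remain in the WHM cgi docroot. This covers
    #    the plugin directory itself and any stray scripts beside it.
    if [ -d "$cgi" ]; then
        leftovers=$(find "$cgi" -iname '*zamfoo*' -print 2>/dev/null)
        if [ -n "$leftovers" ]; then
            echo "FAIL: Zamfoo files still present under $cgi:"
            echo "$leftovers"
            status=1
        fi
    fi

    # 2. The advisory's impact is removal of limits.conf, which breaks
    #    ssh / su. A missing or empty file warrants investigation.
    if [ ! -s "$limits" ]; then
        echo "FAIL: $limits is missing or empty"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: no Zamfoo files under $cgi and $limits is present"
    fi
    return "$status"
}
```

A non-zero return means at least one check failed; the messages name the leftover paths so they can be reviewed before deletion.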


