Background
----------

cPanel & WebHost Manager (WHM) is a next generation web hosting control panel system. Both cPanel & WHM are extremely feature rich and include an easy to use web based interface (GUI). The cPanel demo account feature creates a restricted username/password for the cPanel web interface, which the reseller often then publishes on their web site, inviting potential customers to try out the cPanel interface. Most of the cPanel interface is disabled in demo mode to prevent anonymous users from uploading potentially dangerous content or otherwise causing problems.

Problem
-------

Since the cPanel demo user is created as a real local user, shell access through SSH is possible. The demo account is restricted only by a login shell that prints a message saying SSH is disabled and refuses to run any commands. It is possible to set up SSH port forwarding and log in without invoking the shell, essentially giving anonymous users the ability to use the server as a proxy to local and remote destinations, bypassing IP based authentication to localhost (some SMTP servers treat connections from 127.0.0.1 as authenticated, for example) and enabling other likely malicious actions. It is very likely the same problem also applies to local users who have not been granted explicit shell access, although the impact is slightly lessened, as one would expect local users not to be out to abuse their own shared web hosting server.

Exploit
-------

Pick your server (http://www.google.com/search?q=cpdemo+cpanel+demo), SSH to it using the provided username and password and set up some port forwarding.

Solution
--------

Turn off the demo account feature and delete any demo accounts. As an additional measure, turn off SSH port forwarding or specify explicitly which users are allowed SSH access in the sshd config; do not rely on a restricted shell to prevent users from being able to use other SSH features.
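The two sshd_config controls named in the Solution section can be checked mechanically. The script below is an added example, not part of the advisory or of cPanel: it reads the global (pre-Match) value of AllowTcpForwarding and checks for an AllowUsers/AllowGroups allow-list, run against two constructed sample configs. It assumes OpenSSH's "keyword value" syntax, that the first uncommented occurrence of a single-valued keyword wins, and that an absent AllowTcpForwarding means the default of yes.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an sshd_config for the two
# controls the Solution section names. Assumes OpenSSH semantics: for a
# single-valued keyword the first uncommented occurrence outside any Match
# block is the one in effect, and an absent AllowTcpForwarding means "yes".

# sshd_global FILE KEYWORD -> the effective global value ("" if unset)
sshd_global() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }                 # Match blocks are conditional, stop here
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line, nothing when the file is clean
audit_sshd_config() {
    fwd=$(sshd_global "$1" AllowTcpForwarding)
    if [ "${fwd:-yes}" != "no" ]; then
        echo "AllowTcpForwarding=${fwd:-yes}: a restricted login shell does not block ssh -L/-R/-D"
    fi
    if [ -z "$(sshd_global "$1" AllowUsers)" ] && [ -z "$(sshd_global "$1" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: any local account, demo accounts included, can authenticate"
    fi
}

# Constructed sample configs (not taken from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# typical defaults: forwarding left enabled, no user allow-list
PermitRootLogin no
PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
# what the Solution section asks for: forwarding off, explicit allow-list
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
AllowGroups sshusers
Match Group sshusers
    AllowTcpForwarding yes
EOF

audit_sshd_config "$WEAK_CFG"   # prints two findings
audit_sshd_config "$HARD_CFG"   # prints nothing
```

Run it against the live /etc/ssh/sshd_config; an empty report means both controls are in place globally, while Match blocks (shown above re-enabling forwarding only for a trusted group) still need to be reviewed by hand.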
I'd never recommend anyone use the cPanel/WHM demo account feature at all, they are both very risky. Even the WHM demo hosted on cPanel's own server allowed remote root at one point in time.

A note to vendors: please make it easy to report bugs. cPanel had a nice anonymous bug reporting form and status checking system last time I reported a bug, now it is replaced with BugZilla which requires spending time registering which personally I'm not going to be bothered with for reporting one bug.

Richard Stanway
http://www.r1ch.net/
Technical articles: http://shsc.info/