cPanel Backup Symlink Exploit

Be careful when restoring full cPanel backups from untrusted sources (anything outside your own server/cPanel ecosystem): a user can modify the backup to include Linux symlinks which, once restored, give them access to other users' accounts.

One way (of many variations) to check a backup for symlinks from the command line:

tar -ztvf archive.tar.gz | grep ' -> ' | grep -v public_html

Note that the final grep -v hides every symlink whose path or target mentions public_html, including links placed inside public_html; drop it if you want the complete list of symlinks in the archive.

cPanel are creating a new backup system to deal with untrusted backups as a priority. There are many more plugins available nowadays which allow users to restore their own backups; I find it quite surprising that cPanel have only clarified why WHM doesn't come with user restore this far down the line.

You can read more about this here:

http://forums.cpanel.net/f185/restoring-account-backup-packages-unknown-untrusted-sources-347802.html

Funnily enough, the Apache Booster developer wrote a much better explanation of another exploit (http://www.prajith.in/). Thanks, fella.

In WHM, there is a feature "restore account" which is used to restore a full account backup. Normal users can generate the backup from cPanel, and it contains all the information for an account, including the files and metadata.

One of the metadata items is the MySQL grants file, which is located inside the backup file. When you restore the account using the WHM UI or the restorepkg command, the MySQL meta file is restored as the root user.
Now you may be thinking that there's nothing wrong and everything looks normal, but this is really, really bad, because you can embed arbitrary commands in SQL files and those commands will execute when the file is restored as the root user. Let me explain.

root@server1 [/home/prajith]# cat mysql.sql
\! id
root@server1 [/home/prajith]# mysql < mysql.sql
uid=0(root) gid=0(root) groups=0(root)
root@server1 [/home/prajith]#

So we can insert any Linux commands into the MySQL meta file and they will be executed as root while restoring the account.

Here is an example:

GRANT USAGE ON *.* TO 'whmtest'@'localhost' IDENTIFIED BY PASSWORD '*A4E12252EACEA5A79<XXXXX>E11D47296FE237D5897'\g system /etc/.my.cnf >> /tmp/test.txt;
GRANT ALL PRIVILEGES ON `whmtest_pop`.* TO 'whmtest'@'localhost';

While restoring the account, mysql will execute the Linux commands using the system function and the output will be saved to /tmp/test.txt; later we can read this file via an HTTP request. So don't restore backups from untrusted sources :D
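Both checks above (the symlink grep near the top of the post and the mysql client commands hidden in the grants file) can be run in one pass before anything is handed to restorepkg. The script below is an added example written for this page, not code from cPanel or from either author. The archive layout it expects (a top-level cpmove-<user>/ directory with homedir/ and mysql.sql inside it) is an assumption modelled on cPanel backups, and the tarball it builds for the demo is constructed inline, including a grants file shaped like the one quoted above.

```python
"""Pre-restore scan for a cPanel-style account backup (added example).

Flags two things before a backup is restored as root:
  * symlinks that resolve outside the account's own home tree
    (absolute targets, or relative targets that climb out of homedir/)
  * mysql client commands (\\g, \\G, \\!, \\., \\T, system, source, tee)
    smuggled into the MySQL grants/meta file.
The cpmove-<user>/homedir/... and mysql.sql layout is an assumption
modelled on cPanel backups, not a specification.
"""
import io
import posixpath
import re
import tarfile

# Client-side commands the mysql CLI honours when fed a script on stdin.
# Short forms (\g \G \! \. \T) are recognised mid-line, long forms only at
# the start of a statement.  Heuristic: a grants dump should contain none.
MYSQL_CLIENT_CMD = re.compile(r"\\[gG!.T]|^\s*(?i:system|source|tee)\b")

# Constructed grants file modelled on the post's example: line 2 ends the
# statement early with \g and then runs a shell command as the restoring user.
DEMO_GRANTS = r"""GRANT USAGE ON *.* TO 'whmtest'@'localhost' IDENTIFIED BY PASSWORD '*0000000000000000000000000000000000000000';
GRANT USAGE ON *.* TO 'whmtest'@'localhost' IDENTIFIED BY PASSWORD '*0000000000000000000000000000000000000000'\g system cat /etc/.my.cnf >> /tmp/test.txt;
GRANT ALL PRIVILEGES ON `whmtest_pop`.* TO 'whmtest'@'localhost';
"""


def symlink_escapes(member: str, target: str, home_prefix: str) -> bool:
    """True if a symlink stored at `member` (path relative to the archive's
    top directory) would resolve outside `home_prefix` after extraction."""
    if posixpath.isabs(target):
        return True  # e.g. /etc/passwd or /home/victim/public_html/wp-config.php
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(member), target))
    return not resolved.startswith(home_prefix)


def scan_backup(archive: bytes, home_prefix: str = "homedir/", meta_name: str = "mysql.sql"):
    """Return a list of (kind, location, detail) findings; an empty list means clean."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            _top, _, rest = m.name.partition("/")  # drop the cpmove-<user>/ prefix
            if m.issym():
                if symlink_escapes(rest, m.linkname, home_prefix):
                    findings.append(("symlink", m.name, m.linkname))
            elif m.isfile() and rest == meta_name:
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    if MYSQL_CLIENT_CMD.search(line):
                        findings.append(("mysql-cmd", f"{m.name}:{lineno}", line.strip()))
    return findings


def build_demo_backup() -> bytes:
    """Build an in-memory cpmove-style tarball with one benign symlink, two
    hostile ones and the tampered grants file (all constructed for the demo)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add_file(name, text):
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("cpmove-whmtest/homedir/public_html/index.html", "<h1>hi</h1>\n")
        add_symlink("cpmove-whmtest/homedir/public_html/current", "../releases/v2")  # stays inside homedir
        add_symlink("cpmove-whmtest/homedir/public_html/passwd.txt", "/etc/passwd")
        add_symlink("cpmove-whmtest/homedir/public_html/wp.txt",
                    "../../../victim/public_html/wp-config.php")
        add_file("cpmove-whmtest/mysql.sql", DEMO_GRANTS)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, where, detail in scan_backup(build_demo_backup()):
        print(f"{kind:10} {where} -> {detail}")
```

Against a real backup, pass the file's bytes to scan_backup (or swap the BytesIO for tarfile.open(path) if the archive is too large to hold in memory) and refuse the restore on any finding. The regex is deliberately loose: a legitimate grants dump has no reason to contain backslash escapes or client commands at all, so a hit is worth a manual look even if it turns out benign.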


Ouch!