There’s no question that the ubiquitous “forgot your password?” feature has helped countless users who have lost or forgotten their password. The tradeoff is that it can introduce weaknesses that benefit bad actors.
As shown in this post, an intruder can use the “forgot your password?” feature to reset a user’s password and gain further access to a website that has already been compromised.
Malicious File Used to Access Hosting Environment
One of our analysts found a malicious file in a compromised website’s hosting environment. The malware contained a simple technique for changing the cPanel user’s password, which then gives the attacker further access to the hosting plan and its associated websites.
For example, once attackers have gained cPanel access to the compromised environment, they can create an SSH or FTP user. This means that even after the site is cleaned of all malware and the original password is reset, they would still be able to use the newly created SSH or FTP user to re-upload any malicious content removed during the cleanup.
cPanel Password Modification
The problem for attackers is that cPanel’s password hashes are stored in the Linux server’s /etc/shadow file. By default, a malicious file running as the cPanel user cannot modify it, since that user lacks the required ownership and permissions.
To successfully change the password, the attacker needs to be creative and use a different method. One such method happens to be changing the contact email address, which is normally done through the cPanel interface after successful authentication.
The issue in this specific “forgot your password?” system is that the contact email address is read from a file within the cPanel user’s home directory. Because that file is owned by the cPanel user, it can be readily modified by a malicious file running as that same user, such as a PHP web shell.
As you can see from the image, the malicious PHP file is rather basic: it simply accepts an email address from the attacker via a submitted POST request.
Updating cPanel Email Addresses
- The contact email address can reside in two different locations depending on the configuration of the cPanel server: /home/user/.contactemail and /home/user/.cpanel/contactinfo.
- Once the username has been obtained via get_current_user(), the address from the submitted POST request can be written to both contact address file locations (.contactemail and .cpanel/contactinfo).
- After the malicious script is executed with a specified email address (e.g. [email protected]) in the $_POST variable, both .contactemail and .cpanel/contactinfo are updated.
- Once the attacker’s email address has been written to .contactemail and .cpanel/contactinfo, the attacker simply needs to submit a “forgot your password?” request.
- The “forgot your password?” process requires the user to visit domain.com:2083/resetpass (2083 is the port cPanel uses for HTTPS) and provide the cPanel username together with the corresponding contact email address, which the attacker has just changed.
- The cPanel server then sends a security code to the contact email address, which the attacker uses to set a new cPanel password and log in directly. Once inside, the attacker can easily plant additional layers of backdoors (e.g. create additional FTP users).
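Because the whole attack hinges on a few bytes written to two user-owned files, a defender can audit exactly those files. The following is an added example written for this post, not code from the original article or from cPanel; it assumes that .contactemail holds one or more comma-separated addresses and that .cpanel/contactinfo is a key=value file whose address-bearing keys are email and second_email. The sample file contents are constructed to show an attacker’s address planted alongside the owner’s.

```python
"""Audit the two files cPanel reads the contact address from.

Added example, not from the original post. Assumptions (labelled):
  * ~/.contactemail holds one or more comma-separated addresses;
  * ~/.cpanel/contactinfo is a key=value file whose address-bearing
    keys are 'email' and 'second_email'.
Any address that is malformed or not on the operator's allow-list is reported.
"""
import os
import re

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample contents: the owner's real address plus an
# attacker-controlled one that a web shell wrote into both files.
SAMPLE_CONTACTEMAIL = "owner@example.com, attacker@example.net\n"
SAMPLE_CONTACTINFO = (
    "email=attacker@example.net\n"
    "pushbullet_access_token=\n"
    "second_email=\n"
)
ALLOWED = {"owner@example.com"}


def parse_contactemail(text: str) -> list[str]:
    """Return the addresses listed in .contactemail (assumed comma-separated)."""
    return [a.strip() for a in text.split(",") if a.strip()]


def parse_contactinfo(text: str) -> dict[str, str]:
    """Parse .cpanel/contactinfo as key=value lines (assumed format)."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip()
    return info


def audit_contacts(contactemail: str, contactinfo: str, allowed: set[str]) -> list[str]:
    """Return one finding per address that is malformed or not on the allow-list."""
    findings = []
    allowed_lc = {a.lower() for a in allowed}
    info = parse_contactinfo(contactinfo)
    seen = {
        ".contactemail": parse_contactemail(contactemail),
        ".cpanel/contactinfo": [v for k, v in info.items()
                                if k in ("email", "second_email") and v],
    }
    for source, addrs in seen.items():
        for addr in addrs:
            if not EMAIL_RE.match(addr):
                findings.append(f"{source}: malformed address {addr!r}")
            elif addr.lower() not in allowed_lc:
                findings.append(f"{source}: unexpected address {addr}")
    return findings


def audit_home(home: str, allowed: set[str]) -> list[str]:
    """Read the live files under a cPanel home directory and audit them."""
    def read(path: str) -> str:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return fh.read()
        except FileNotFoundError:
            return ""  # a missing file simply contributes no addresses
    return audit_contacts(read(os.path.join(home, ".contactemail")),
                          read(os.path.join(home, ".cpanel", "contactinfo")),
                          allowed)


if __name__ == "__main__":
    for finding in audit_contacts(SAMPLE_CONTACTEMAIL, SAMPLE_CONTACTINFO, ALLOWED):
        print(finding)
    # Live use from a cron job: audit_home(os.path.expanduser("~"), {"owner@example.com"})
```

Run from cron as the cPanel user, a non-empty result is the signal that cPanel itself never sends: somebody wrote an address you did not configure into a file the reset flow trusts.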
Conclusion & Mitigation Steps
Some of you may be familiar with cPanel’s notification settings, which allow a notification to be sent when specific settings change, such as the contact email address or the user password.
At first glance, this feature appears to warn the owner if an attacker changes the contact email address. However, this particular notification is only triggered when the change is requested from the Contact Information section of the cPanel interface.
- If attackers modify the .cpanel/contactinfo file directly, as the previously shown malware does, rather than going through the cPanel interface, the victim’s original contact email address is never notified. Any secondary contact email addresses can be quietly removed from the file in the same way, so no copy of the notification reaches the victim.
- I could not trigger an alert email to the victim’s contact email address when the .cpanel/contactinfo file was modified using a function like PHP’s fopen.
- For now, the best way for an average user to defend against this type of password reset attack is to enable two-factor authentication (2FA) for their cPanel account. Since cPanel does not alert on direct edits, it is also worth monitoring .contactemail and .cpanel/contactinfo for unexpected changes.
- If you believe that your website has been compromised, we offer a number of free guides and resources to help you clean up a hacked website.