Before you begin reading the writeup: I contacted the company whose server contains the vulnerability and disclosed all the information I had about what I did. Their response was that they didn’t consider it a risk, and weren’t going to be modifying the server security. So I am taking that as a “closed” issue on their end, and I’ll at least write it up.
While trying to determine how secure the server is that I have a website running on, I found an interesting hole. I consider user accounts to be basically half a password when attempting to access a box. If I have a username, then I know half of what I need to know to get in. So I tried testing to see if I could figure out the other user accounts that are on this shared hosting server a website of mine was put on.
I do have SSH and FTP access to the server, as I am a legitimate customer. So I SSHed into the machine, and tried running the “top” command. It returned some server stats and all user accounts that had an active running process. However, the user accounts were not displayed, only the UID of the account. Also, I was unable to view the home directories of other users as my account was jailed. This would be good.
Then I had an idea. I uploaded a PHP page that ran the same command and would return the results to the web page. When I browsed to it, I had an unfiltered view of all user accounts on the server that had running processes. It became clear that the “nobody” account was not jailed, and as a result, I was able to make a page that used the nobody account to run the command. It returned all the same information, except this time it had the actual user accounts instead of just the UID.
It was an interesting find, and since the company is not considering this an issue, I figured it wouldn’t hurt to share with the world. Enjoy, and see if you can do the same thing on your servers.
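
For administrators who want to compare what each execution context on their own server can see (the jailed login shell versus the web server's worker account), here is an added audit helper; it is not part of the original write-up. It assumes a Linux host with procfs and a POSIX `ps`, and the function names `proc_hidepid` and `owner_exposure` are made up for this example.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Assumes Linux with procfs.

# Print the hidepid setting of /proc from a mounts table (default /proc/mounts).
# Prints "off" when the option is absent or 0, meaning every account can
# list every other account's processes.
proc_hidepid() {
    awk '$2 == "/proc" && $3 == "proc" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opt[i]); v = opt[i] }
         }
         END { print ((v == "" || v == "0") ? "off" : v) }' "${1:-/proc/mounts}"
}

# Read a process-owner column on stdin (one owner per line, as printed by
# `ps -eo user=`) and count the distinct owners other than $1 that show up
# as resolved account names versus bare numeric UIDs.
owner_exposure() {
    awk -v me="$1" '
        $1 == "" || $1 == me || seen[$1]++ { next }
        $1 ~ /^[0-9]+$/ { uids++; next }
        { names++ }
        END { printf "names=%d uids=%d\n", names, uids }'
}

# Stand-alone use: run once from the login shell and once as the web
# server account, then compare the two reports.
if [ "${1:-}" = "--run" ]; then
    echo "context: $(id -un 2>/dev/null || id -u)"
    echo "hidepid: $(proc_hidepid)"
    ps -eo user= | owner_exposure "$(id -un 2>/dev/null || id -u)"
fi
```

A report of `hidepid: off` with a non-zero `names=` count from the web server account, next to `names=0` from the jailed shell, is the mismatch described above.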