The research, titled “Silent Leaks: Harvesting Secrets from Shared Linux Environments,” demonstrates how basic Linux commands can be weaponized to extract database credentials, API keys, and administrative passwords from neighboring users on the same server.
The vulnerabilities affect major hosting panels, VPS providers, and educational laboratory environments where multiple users share the same Linux infrastructure.
Cernica’s findings reveal that attackers with basic shell access can systematically harvest sensitive information without requiring root privileges or exploiting traditional security vulnerabilities.
The primary attack vector leverages Linux’s default process visibility: any user can list other users’ processes with commands like ps auxww or by reading /proc/[pid]/cmdline.
This standard functionality, designed for system transparency and debugging, inadvertently exposes command-line arguments containing sensitive data.
Cernica demonstrated real-world examples where WordPress installations revealed database credentials through command execution: timeout 60 /opt/[REDACTED]/php/8.3/bin/php wp-toolkit/vendor/wp-cli/wpt-wp-cli.php config set DB_PASSWORD 'T3sting123!!'.
Similarly, user creation commands exposed passwords through: sh -c /usr/sbin/useradd t3st2 -d /home/t3st2;echo -e 'T3sting123! T3sting123!'|/usr/bin/passwd t3st2.
The researcher also uncovered MySQL root access credentials through process monitoring: /www/server/mysql/bin/mysql -u root -p88dd296e2086da6e t3st333_t3st1w_io < /tmp/vdRouPtcOisEGIBq/YFQKZmYnVzkbAhxS.sql, demonstrating how database restoration operations leak administrative credentials.
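The defensive counterpart of the leaks described above, as an added example that is not from the article or from Cernica's research: a small audit that parses the NUL-separated /proc/[pid]/cmdline format, flags arguments that carry a secret (redacting the value), and checks whether /proc is mounted with the kernel's hidepid= option. The function names, the pattern list and the sample command lines are assumptions constructed for illustration.

```python
import os
import re

# Long options that embed a secret in the same argv element.
INLINE = re.compile(r"^(--password=|--pass=|--token=|--api-key=)(.+)$")
# A key name whose value arrives as the next argv element (wp-cli "config set").
KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)$", re.I)
MYSQL_CLIENTS = {"mysql", "mysqldump", "mysqladmin"}

def parse_cmdline(raw: bytes) -> list[str]:
    """/proc/<pid>/cmdline holds argv joined by NUL bytes."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def audit_argv(argv: list[str]) -> list[tuple[int, str]]:
    """Return (index, redacted form) for every argument exposing a secret."""
    findings = []
    is_mysql = bool(argv) and os.path.basename(argv[0]) in MYSQL_CLIENTS
    for i, arg in enumerate(argv):
        m = INLINE.match(arg)
        if m:
            findings.append((i, m.group(1) + "<redacted>"))
        elif is_mysql and arg.startswith("-p") and len(arg) > 2:
            findings.append((i, "-p<redacted>"))  # bare "-p" prompts instead
        elif i > 0 and KEY.search(argv[i - 1]):
            findings.append((i, "<redacted>"))
    return findings

def proc_hides_other_users(mounts_text: str) -> bool:
    """True if /proc is mounted with a restrictive hidepid= option."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc":
            opts = fields[3].split(",")
            return any(o.startswith("hidepid=") and o not in ("hidepid=0", "hidepid=off")
                       for o in opts)
    return False

# Constructed samples shaped like the commands quoted in the article.
SAMPLES = [
    b"/www/server/mysql/bin/mysql\0-u\0root\0-pEXAMPLE-ONLY\0demo_db\0",
    b"php\0wp-cli.php\0config\0set\0DB_PASSWORD\0EXAMPLE-ONLY\0",
    b"/usr/bin/mysql\0-u\0root\0-p\0demo_db\0",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(parse_cmdline(raw)[0], audit_argv(parse_cmdline(raw)))
    with open("/proc/mounts") as fh:
        print("hidepid active:", proc_hides_other_users(fh.read()))
```

Any finding means the calling tool should pass the secret through stdin, an environment variable or a mode-0600 option file instead of argv; hidepid only limits who can read the command line and does not remove the secret from it.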
Cernica successfully circumvented several isolation mechanisms, including CageFS and chroot jails implemented by major hosting panels.
The CageFS bypass exploited a hosting panel binary running outside the virtualized environment, while the chroot escape leveraged an undocumented command in a filebrowser component accessible from within the restricted environment.
Most significantly, the researcher discovered a critical vulnerability in LiteSpeed web server configurations where scripts could access shared stderr.log files by reading from /proc/self/fd/2.
This allowed real-time interception of error output from all users on the system, exposing PayPal API tokens (Authorization: Basic QkFBbnd[REDACTED]VVCQQ==), session cookies (JSESSIONID=A11583633[REDACTED]C1BB1A617), and login credentials transmitted through HTTP requests.
The research revealed widespread security issues with temporary file handling in /tmp directories.
Many installation scripts and system processes create world-readable files containing sensitive information that can be monitored in real-time through automated scanning tools.
Examples include hosting panel installation logs revealing administrative passwords: [INFO] Your MySQL root password is: Kr4SdvHyTSoqbvqjYe7c and [INFO] Your [REDACTED] admin password is: yGZ7RBwhvNHA4ZJ.
Database restoration files /tmp/vdRouPtcOisEGIBq/YFQKZmYnVzkbAhxS.sql were temporarily exposed during backup operations, while installation scripts at /tmp/dNtccKKZSr/main.php contained hardcoded credentials accessible to any user.
Cernica reported these vulnerabilities to major hosting providers in early April 2025, with LiteSpeed confirming their fix by April 3rd.
The researcher emphasizes that these “silent leaks” represent a fundamental security assumption problem in multi-user Linux environments, where standard diagnostic tools become reconnaissance vectors for malicious actors seeking lateral movement opportunities.
The post Legitimate System Functions Weaponized to Steal Secrets in Shared Linux Environments appeared first on Cyber Security News.