DirectAdmin <= 1.33.1 Symlink Permission Bypass Vuln (untested)

===============================================================
DirectAdmin <= 1.33.1 Symlink Permission Bypass Vuln (untested)
===============================================================



                
	/H\	/T\          |T-HHHHHHH-T|	 HHHHHHHHHH|   HHHHHHHHHH|
	H-T	H-T           \T-HHHHH-T/	 HHHHHHHHH/    HHHHHHHHH/
	H-T	H-T               H-T	         H-T           H-T
	H-THHHHHH-T   /HHHHH\     H-T	         H-T           H-T
	H-THHHHHH-T   THHHHHT     H-T	         H-T           H-T
	H-T	H-T   \HHHHH/     H-T	         H-T           H-T
	H-T	H-T               H-T	         H-T           H-T	
	H-T	H-T               H-T      /H\   HHHHHHHHH\    HHHHHHHHH\
	\H/	\T/               H-T      \T/   HHHHHHHHHH|   HHHHHHHHHH|



DirectAdmin <= 1.33.1 Permission Bypass UID="0"

Auther  : S4S-T3rr0r!sT
.....................................

As known that the DirectAdmin Control Panel is better than Cpanel ..
But this is a vuln on it .. 0-day

First :

Exploiter should execute any command on the host .. use the 'ln' command for make a symbolic link

example :

In The root path => /home/attackeruser/domains/attackersite.com/public_html/

Execute :
ln /etc/shadow

After that Go to The Control Panel

https://attackersite.com:2222/CMD_FILE_MANAGER/domains/attackersite.com/public_html/shadow

Its now should be the same as attackersite.com Permission

You can read the shadow and see all server users hashs

Also its runs on the other users of server ..
.....................................





#  0day.today [2018-03-16]  #