Vulnerability

Affected software: DirectAdmin versions below 1.58.2

DirectAdmin performs unsafe operations as root on user-owned files during an owner reset through the file manager and can be tricked into chown()ing any file on the system to the user, allowing privilege escalation to root.

When /CMD_FILE_MANAGER/file?action=resetowner&method=recursive is executed by DirectAdmin, it calls lchown() on full path strings instead of safely iterating over the path with openat() using the O_NOFOLLOW flag and fchownat() using the AT_SYMLINK_NOFOLLOW flag. lchown() does not follow a symlink in the final path component, but it does follow symlinks in every directory above it, so if the user swaps a parent directory for a symlink between the lstat() check and the lchown() call, a root-owned file outside the home directory is chowned to the user. Here is the attack vector, as seen in strace:

4169489 15:40:34.055387 lstat("/home/ztest/.php/php-mail.log", {st_dev=makedev(253, 0), st_ino=32112882, st_mode=S_IFREG|0660, st_nlink=1, st_uid=1013, st_gid=1000, st_blksize=4096, st_blocks=0, st_size=0, st_atime=2019/08/20-00:11:24.096091914, st_mtime=2019/08/20-00:11:24.096091914, st_ctime=2019/08/20-00:11:24.096091914}) = 0
<=== attack vector: the window between this check and the lchown() below, during which /home/ztest/.php can be replaced by a symlink
14726 4169489 15:40:34.055467 lchown("/home/ztest/.php/php-mail.log", 1013, 1020) = 0
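The fix the advisory calls for, written out as an added example (this is not DirectAdmin's code and nothing here is taken from the 1.58.2 binary): a recursive owner reset that holds every directory open as a file descriptor and addresses each entry relative to it with fstatat(), fchownat(AT_SYMLINK_NOFOLLOW) and openat(O_NOFOLLOW | O_DIRECTORY), next to a path-based walk in the style the strace excerpt shows. The sample tree (a fake home containing a symlink that escapes to a directory standing in for /etc) is constructed by the program itself. The unsafe walk uses stat() rather than lstat() so that the redirect through the symlink happens every time instead of only when the race between the check and lchown() is won. Both walks pass uid/gid -1 (leave ownership unchanged) so the demo runs without root; what differs is which entries they reach.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path-based walk in the style the advisory describes: every lookup restarts
 * from "/" and follows any symlinked directory on the way, so a chown meant
 * for the user's tree can land on a file elsewhere. stat() instead of lstat()
 * makes the redirect deterministic (the real bug needs the race). Contrast
 * case only. Returns the number of entries chowned, or -1 on error. */
static long chown_tree_unsafe(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) < 0) return -1;          /* follows symlinks */
    if (lchown(path, uid, gid) < 0) return -1;   /* parents on path are followed */
    long n = 1;
    if (!S_ISDIR(st.st_mode)) return n;
    DIR *d = opendir(path);                      /* follows a symlinked dir too */
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        char child[PATH_MAX];
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        long r = chown_tree_unsafe(child, uid, gid);
        if (r < 0) { closedir(d); return -1; }
        n += r;
    }
    closedir(d);
    return n;
}

/* Hardened walk: each directory is held open as an fd, each entry is named
 * relative to that fd, and no call follows a symlink. Swapping a parent for a
 * symlink mid-walk redirects nothing: the fd still refers to the original
 * directory and openat(O_NOFOLLOW) on the replaced entry fails with ELOOP.
 * Returns the number of entries chowned, or -1 on error. */
static long chown_tree_at(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) < 0) return -1;
    /* A symlink gets its own ownership changed; its target is untouched. */
    if (fchownat(dirfd, name, uid, gid, AT_SYMLINK_NOFOLLOW) < 0) return -1;
    long n = 1;
    if (!S_ISDIR(st.st_mode)) return n;
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);                      /* takes ownership of fd */
    if (!d) { close(fd); return -1; }
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        long r = chown_tree_at(fd, e->d_name, uid, gid);
        if (r < 0) { closedir(d); return -1; }
        n += r;
    }
    closedir(d);
    return n;
}

static int touch(const char *p)
{
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Constructed sample layout (not from the advisory): home/a, home/sub/b,
 * home/sub/escape -> outside, outside/c. "outside" stands in for /etc. */
static int build_demo_tree(char *home, size_t hlen, char *outside, size_t olen)
{
    char th[] = "/tmp/da_home_XXXXXX", to[] = "/tmp/da_outside_XXXXXX";
    if (!mkdtemp(th) || !mkdtemp(to)) return -1;
    snprintf(home, hlen, "%s", th);
    snprintf(outside, olen, "%s", to);
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/a", home);          if (touch(p) < 0) return -1;
    snprintf(p, sizeof p, "%s/sub", home);        if (mkdir(p, 0700) < 0) return -1;
    snprintf(p, sizeof p, "%s/sub/b", home);      if (touch(p) < 0) return -1;
    snprintf(p, sizeof p, "%s/sub/escape", home); if (symlink(outside, p) < 0) return -1;
    snprintf(p, sizeof p, "%s/c", outside);       if (touch(p) < 0) return -1;
    return 0;
}

static void remove_demo_tree(const char *home, const char *outside)
{
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/sub/escape", home); unlink(p);
    snprintf(p, sizeof p, "%s/sub/b", home);      unlink(p);
    snprintf(p, sizeof p, "%s/sub", home);        rmdir(p);
    snprintf(p, sizeof p, "%s/a", home);          unlink(p);
    rmdir(home);
    snprintf(p, sizeof p, "%s/c", outside);       unlink(p);
    rmdir(outside);
}

int main(void)
{
    char home[PATH_MAX], outside[PATH_MAX];
    if (build_demo_tree(home, sizeof home, outside, sizeof outside) < 0) { perror("build"); return 1; }
    /* uid/gid -1 leaves ownership unchanged, so this runs unprivileged. */
    long unsafe = chown_tree_unsafe(home, (uid_t)-1, (gid_t)-1);
    long safe = chown_tree_at(AT_FDCWD, home, (uid_t)-1, (gid_t)-1);
    printf("unsafe walk reached %ld entries (includes %s/c via the symlink)\n", unsafe, outside);
    printf("safe walk reached   %ld entries (stops at the symlink itself)\n", safe);
    remove_demo_tree(home, outside);
    return 0;
}
```

Build and run with `cc -o resetowner_demo resetowner_demo.c && ./resetowner_demo`; the unsafe walk reports one more entry than the safe walk, and that extra entry is the file outside the home. In a real owner reset the top-level directory should itself come from a trusted descriptor (open the user's home with openat(O_NOFOLLOW | O_DIRECTORY) from a known parent fd) rather than from AT_FDCWD and an absolute path as the demo does for brevity.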

Exploit

No exploit was created for this vulnerability.

Solution

Update DirectAdmin to version 1.58.2 or later.

Timeline

  • 2019-08-22 - Vulnerability reported to vendor.
  • 2019-08-22 - Response from vendor and fix in pre-release binaries.
  • 2019-08-27 - DirectAdmin 1.58.2 released with vulnerability fixed.