Vulnerability
Affected software: DirectAdmin versions below 1.58.2
DirectAdmin runs tar as root to compress files inside user-owned directories and can be tricked into overwriting any file on the system. Because the user has very limited control over the written content, privilege escalation may be hard or impossible to achieve.
During tally, DirectAdmin executes

    /bin/tar czf /home/USER/domains/DOMAIN/logs/MONTH-YEAR.tar.gz -C /var/log/httpd/domains DOMAIN.log DOMAIN.error.log

as root, with the destination file located inside a user-owned directory. Since the path is not checked for symlinks, the user can make root destroy any file on the system.
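The defensive pattern behind the fix is that a privileged process must never follow a symlink in a path the user controls. The following is an added example, not DirectAdmin's code, of a symlink-refusing open that a root process could use to obtain the archive descriptor before writing the tar output through it: every component is opened relative to its parent with O_NOFOLLOW, each directory's owner is checked against the expected user, and the final entry must be a plain file with one hard link before it is truncated. The function name, the exception class, and the constructed temporary directory layout in demo() are all hypothetical.

```python
"""Symlink-safe creation of a file inside a user-owned directory tree
(added example; hypothetical names, not the vendor's implementation)."""
import os
import stat
import tempfile


class UnsafeDestination(Exception):
    """Raised when the destination path cannot be written safely."""


def safe_open_in_user_dir(base_dir: str, rel_path: str, expected_uid: int) -> int:
    """Open rel_path below base_dir for writing and return the open descriptor.

    Each component is opened relative to its parent directory with O_NOFOLLOW,
    so a symlink anywhere in the path makes the open fail (ELOOP) instead of
    redirecting the write. Every directory must be owned by expected_uid, and
    the final entry must be a regular file with a single link before truncation.
    """
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts or rel_path.startswith("/"):
        raise UnsafeDestination("a relative path without '..' is required")

    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if os.fstat(dir_fd).st_uid != expected_uid:
            raise UnsafeDestination("base directory has an unexpected owner")
        for comp in parts[:-1]:
            try:
                nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=dir_fd)
            except OSError as err:  # ELOOP for a symlink, ENOTDIR, ENOENT, ...
                raise UnsafeDestination(f"{comp}: {err.strerror}") from err
            os.close(dir_fd)
            dir_fd = nxt
            if os.fstat(dir_fd).st_uid != expected_uid:
                raise UnsafeDestination(f"{comp}: unexpected owner")
        try:
            # No O_TRUNC yet: inspect the file first, then truncate it.
            fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW,
                         0o644, dir_fd=dir_fd)
        except OSError as err:
            raise UnsafeDestination(f"{parts[-1]}: {err.strerror}") from err
    finally:
        os.close(dir_fd)

    st = os.fstat(fd)
    # A hard link to a foreign file would pass the symlink checks; refuse it.
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise UnsafeDestination("destination is not a plain file with one link")
    os.ftruncate(fd, 0)
    return fd


def demo() -> dict:
    """Constructed layout in a temporary directory: a legitimate logs/ directory,
    a symlinked archive name pointing at a file that must survive, and a
    symlinked directory. Returns which opens were written and which refused."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, "logs"))
        victim = os.path.join(home, "victim.txt")
        with open(victim, "w") as f:
            f.write("keep me\n")
        os.symlink(victim, os.path.join(home, "logs", "link.tar.gz"))
        os.symlink(home, os.path.join(home, "linkdir"))
        uid = os.getuid()
        for rel in ("logs/2019-08.tar.gz", "logs/link.tar.gz",
                    "linkdir/x.tar.gz", "../x.tar.gz"):
            try:
                fd = safe_open_in_user_dir(home, rel, uid)
                os.write(fd, b"archive bytes")
                os.close(fd)
                results[rel] = "written"
            except UnsafeDestination:
                results[rel] = "refused"
        with open(victim) as f:
            results["victim_intact"] = f.read() == "keep me\n"
    return results


if __name__ == "__main__":
    print(demo())
```

The descriptor-per-component approach matters because a sequence of lstat() calls followed by a plain open() leaves a window in which the user can swap a directory for a symlink; opening each step with O_NOFOLLOW relative to the previous descriptor closes that window.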
Exploit
No exploit was created for that vulnerability.
Solution
Update DirectAdmin to version 1.58.2 or later.
Timeline
- 2019-08-22 - Vulnerability reported to vendor.
- 2019-08-22 - Response from vendor and fix in pre-release binaries.
- 2019-08-27 - DirectAdmin 1.58.2 released with vulnerability fixed.