ZSA-2019-9 - DirectAdmin user logfiles compression system files overwrite

Details: Created: 01 December 2019; Last Updated: 31 May 2020

Vulnerability

Affected software: DirectAdmin versions below 1.58.2

DirectAdmin performs file compression with tar as root in user owned directories and can be tricked to overwrite any file in a system. Due to very limited control over file contents, privilege escalation might not be possible or hard to achieve.

During tally, DirectAdmin executes /bin/tar czf /home/USER/domains/DOMAIN/logs/MONTH-YEAR.tar.gz -C /var/log/httpd/domains DOMAIN.log DOMAIN.error.log as root with destination file inside user-owned directory, which allows user to destroy any file in a system using symlinks.

Exploit

No exploit was created for that vulnerability.

Solution

Update DirectAdmin to version 1.58.2 or later.

Timeline

2019-08-22 - Vulnerability reported to vendor.
2019-08-22 - Response from vendor and fix in pre-release binaries.
2019-08-27 - DirectAdmin 1.58.2 released with vulnerability fixed.