Vulnerability

Note: Some details were removed to prevent simple recreation of exploit.

Affected software: DirectAdmin versions below 1.60.3

DirectAdmin does not filter the mailing list name. A user-controlled name is used to build a filesystem path that the DirectAdmin binary then writes as root, giving an unprivileged panel user an arbitrary file write as root and therefore privilege escalation to root.

Exploit

Assuming we have an unprivileged user "ztest", log in over SSH as "ztest" (or use e.g. PHP) to create the directories ▒▒▒▒▒ ▒▒▒▒ ▒▒▒ ▒▒ ▒ ▒▒▒▒▒▒▒▒▒▒ ▒▒ ▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒:

mkdir -p ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒▒▒▒ ▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒

▒▒ ▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

Then, in DirectAdmin, go to "Mailing Lists" => "Create Mailing List" and enter the list name:

▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

When you click "Create", the following file is created, owned by root:

-rw-rw---- 1 root root 67 Feb 8 18:27 /etc/profile.d/exploit.sh

with the following content:

▒ ▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

Create file /home/ztest/exploit with the following content:

#!/bin/bash
id >> /home/ztest/exploit.log

and chmod it to 755. Scripts in /etc/profile.d are sourced by the login shell, so the next time the root user logs in over SSH, /home/ztest/exploit is executed as root. Here is the result from /home/ztest/exploit.log:

uid=0(root) gid=0(root) groups=0(root),982(mysyslog)

Also, if you provide a path that does not exist (e.g. none/none), DirectAdmin crashes: in Email::createList, fopen() is called and then fclose() is called on the result without checking whether fopen() succeeded, so on failure fclose() receives the NULL FILE pointer fopen() returned. Unprivileged users can therefore also crash the panel at will.
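The following C program is an added illustration and is not DirectAdmin's code; it reconstructs the two defects the advisory describes in Email::createList from the text alone. LIST_DIR, the function names and the traversal-style list name in the test are assumptions chosen for the example, not the redacted values from the exploit. It shows the vulnerable path construction (no filtering of the list name) beside an allow-list check, and a create routine that checks fopen() before fclose() so a nonexistent target directory yields an error instead of a crash.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Stand-in for the directory list files are meant to live in (assumption). */
#define LIST_DIR "/var/lib/example/lists"

/* Vulnerable pattern, reconstructed from the advisory: the user-supplied
 * list name is appended to the directory with no filtering, so a name that
 * contains "/" or ".." selects a file outside LIST_DIR. Returns 0 on success. */
int vulnerable_list_path(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", LIST_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened check: a list name must be a single path component of 1..64
 * characters from [A-Za-z0-9_-] and must not start with '-' or '.'.
 * An allow-list like this rejects '/' and ".." by construction, which is
 * easier to reason about than a deny-list of known-bad substrings. */
int list_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '-' || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Same path construction, but only after the name has been validated. */
int safe_list_path(char *out, size_t outlen, const char *name)
{
    if (!list_name_is_safe(name)) return -1;
    return vulnerable_list_path(out, outlen, name);
}

/* Hardened create: validates the name, then checks fopen() before touching
 * the FILE pointer. Returns 0 on success, -1 for an invalid name, -2 for an
 * I/O failure. fclose() is never handed a NULL pointer, which is the crash
 * the advisory describes when the target directory does not exist.
 * `dir` is a parameter so the example can be pointed at a missing directory. */
int create_list_file(const char *dir, const char *name)
{
    char path[4096];
    if (!list_name_is_safe(name)) return -1;
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    FILE *f = fopen(path, "w");
    if (f == NULL) return -2;              /* the missing check in the vulnerable code */
    fputs("# mailing list configuration (example)\n", f);
    if (fclose(f) != 0) return -2;
    return 0;
}

int main(void)
{
    char p[4096];
    /* Illustrative traversal-style name, not the redacted one from the advisory. */
    const char *bad = "../../../../etc/profile.d/exploit.sh";
    vulnerable_list_path(p, sizeof p, bad);
    printf("unfiltered name resolves to: %s\n", p);
    printf("allow-list accepts \"ztest-news\": %d, \"none/none\": %d\n",
           list_name_is_safe("ztest-news"), list_name_is_safe("none/none"));
    printf("create in missing dir returns: %d\n",
           create_list_file("/nonexistent-dir-for-example", "news"));
    return 0;
}
```

The allow-list is deliberately stricter than "no slashes": it also rejects leading dots and dashes, so a validated name can never become a hidden file, a relative-path component or something a downstream shell command parses as an option.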

Solution

Update DirectAdmin to version 1.60.3 or later. As a temporary workaround, disable the ability for users to create new mailing lists.

Timeline

  • 2020-02-08 - Vulnerability reported to vendor.
  • 2020-02-09 - Response from vendor and initial fix in pre-release binaries.
  • 2020-02-09 - DirectAdmin 1.60.3 released with vulnerability fixed.