Note: Some details were removed to prevent simple recreation of exploit.
Affected software: DirectAdmin versions below 1.60.3
DirectAdmin does not filter the mailing list name and can be tricked into performing a user-controlled write operation as root, allowing privilege escalation to root.
Assuming we have an unprivileged user "ztest", log in to ssh as "ztest" or use e.g. PHP to create directories ▒▒▒▒▒ ▒▒▒▒ ▒▒▒ ▒▒ ▒ ▒▒▒▒▒▒▒▒▒▒ ▒▒ ▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒:
mkdir -p ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒▒▒▒ ▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒
▒▒ ▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
Then in DirectAdmin go to "Mailing Lists" => "Create Mailing List" and enter list name:
When you click "create", a file should be created:
-rw-rw---- 1 root root 67 Feb 8 18:27 /etc/profile.d/exploit.sh
with the following content:
▒ ▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
/home/ztest/exploit with the following content:
#!/bin/bash
id >> /home/ztest/exploit.log
and chmod it to 755. Now, when the root user logs in via ssh,
/home/ztest/exploit will be executed as root. Here is the result from
uid=0(root) gid=0(root) groups=0(root),982(mysyslog)
Also, if you provide a path that does not exist (e.g. none/none), DirectAdmin crashes because in Email::createList there is a call to fopen() and then to fclose() without checking whether fopen() was successful, so fclose() is provided with an uninitialized pointer to
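The two defects described above, as an added illustration in C that is not DirectAdmin's own code: a hypothetical name policy that rejects any list name carrying path characters, the unchecked fopen()/fclose() pattern, and its hardened form (all function names and the 64-character limit are assumptions).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical name policy (not DirectAdmin's own): 1..64 chars of
 * [A-Za-z0-9_-], so the name can never carry a path separator or a
 * ".." component and cannot escape the mailing list directory. */
int mailing_list_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Pattern the advisory describes: fopen() then fclose() with no success
 * check, so a non-existent directory hands fclose() an invalid pointer. */
int create_list_unchecked(const char *path)
{
    FILE *f = fopen(path, "w");
    fclose(f);              /* undefined behaviour when fopen() failed */
    return 0;
}

/* Hardened form: validate the name before building the path, then never
 * touch the FILE pointer unless fopen() succeeded.
 * Returns 0 on success, -1 for a rejected name, -2 when the open fails. */
int create_list_checked(const char *list_dir, const char *name)
{
    char path[512];
    if (!mailing_list_name_is_safe(name))
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", list_dir, name) >= (int)sizeof path)
        return -1;
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -2;          /* e.g. ENOENT: the directory does not exist */
    fputs("# mailing list placeholder\n", f);
    if (fclose(f) != 0)
        return -2;
    return 0;
}
```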
Update DirectAdmin to version 1.60.3 or later. Disabling the ability to create new mailing lists can be used as a workaround.
- 2020-02-08 - Vulnerability reported to vendor.
- 2020-02-09 - Response from vendor and initial fix in pre-release binaries.
- 2020-02-09 - DirectAdmin 1.60.3 released with vulnerability fixed.