Vulnerability

Note: Some details were removed to prevent simple recreation of exploit.

Affected software: DirectAdmin versions below 1.60.4

DirectAdmin ▒▒▒▒▒▒▒▒ ▒▒▒ ▒▒▒ ▒▒▒▒▒▒▒▒▒▒ ▒▒ ▒▒▒▒▒▒▒▒▒ in all_pre.sh script, which allows for ▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒ and privilege escalation to root through ▒▒▒▒▒▒▒▒▒▒.

Exploit

If the server is using the /usr/local/directadmin/scripts/custom/all_pre.sh script (other scripts might be affected too, I didn't verify them), even one with no content, like this:

#!/bin/sh

Then ▒▒▒▒▒ ▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ as root.

Example ▒▒▒▒▒▒▒▒▒▒▒▒▒ that executes sleep as root:

▒▒ ▒▒▒▒▒▒ ▒▒▒ ▒▒▒ ▒▒▒▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒

▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒

▒▒▒▒ ▒▒▒▒▒▒▒
▒
    ▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒ ▒ ▒ ▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒
    ▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒ ▒ ▒▒▒▒ ▒▒

    ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
    ▒▒▒▒▒▒▒▒▒▒
    ▒▒▒▒▒▒▒▒▒▒
    ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒
▒

Solution

Update DirectAdmin to version 1.60.4 or later. Moving /usr/local/directadmin/scripts/custom/all_pre.sh (and other scripts) out of the custom directory can be used as a workaround, but due to the nature of the vulnerability it is not 100% safe.
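As an added defender-side check (example code, not from the advisory or from DirectAdmin itself): this POSIX shell audit flags a host that still runs a version below 1.60.4 while hook scripts such as all_pre.sh exist under the custom directory, which is the combination the advisory describes. The output format of `directadmin v` used by the --live mode is an assumption.

```shell
#!/bin/sh
# Added audit example (not from the advisory): reports hosts that run a
# DirectAdmin build below the fixed release 1.60.4 and also have custom hook
# scripts present. Assumption: "directadmin v" prints a string containing
# "v.X.Y.Z"; adjust the sed pattern if your build prints something else.

FIXED_VERSION="1.60.4"
CUSTOM_DIR="/usr/local/directadmin/scripts/custom"

# version_lt A B: exit 0 when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# da_vulnerable VERSION: exit 0 if VERSION is below the fixed release.
da_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# list_custom_hooks DIR: print every regular *.sh file in DIR, one per line.
# all_pre.sh is the hook named in the advisory; others may matter too.
list_custom_hooks() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.sh; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
}

# audit VERSION DIR: print a verdict; exit 0 when the host needs attention.
audit() {
    ver="$1"; dir="$2"
    hooks=$(list_custom_hooks "$dir")
    if da_vulnerable "$ver" && [ -n "$hooks" ]; then
        printf 'VULNERABLE: DirectAdmin %s with custom hooks:\n%s\n' "$ver" "$hooks"
        return 0
    fi
    printf 'OK: DirectAdmin %s, hooks present: %s\n' "$ver" "${hooks:-none}"
    return 1
}

# Stand-alone usage: ./da_hook_audit.sh --live reads the installed version.
if [ "${1:-}" = "--live" ]; then
    ver=$(/usr/local/directadmin/directadmin v 2>/dev/null | sed -n 's/.*v\.\([0-9.]*\).*/\1/p')
    audit "${ver:-unknown}" "$CUSTOM_DIR"
fi
```

A host that reports OK because no hooks are present is still only safe in the sense the workaround allows; updating to 1.60.4 or later remains the real fix.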

Timeline

  • 2020-02-15 - Vulnerability reported to vendor.
  • 2020-02-16 - Response from vendor and initial fix in pre-release binaries.
  • 2020-02-16 - Reported fix bypass to vendor.
  • 2020-02-17 - Response from vendor and fix in pre-release binaries.
  • 2020-02-27 - DirectAdmin 1.60.4 released with vulnerability fixed.