Kloxo HostInABox 575 - local users can take control of any file or directory



DESCRIPTION


Local users can take control over any file on the host when adding a domain. This is done via a symlink attack.



IMPACT


Local users could obtain root privileges.

Observe the following from the /usr/local/lxlabs/kloxo/log/shell_exec log when an account is created:

13:46 May/18/2009: 0:  [(__system__:/usr/local/lxlabs/kloxo/httpdocs) 'chmod'  '0755' '/home/clientname/example.com']
13:46 May/18/2009: 0:  [(__system__:/usr/local/lxlabs/kloxo/httpdocs) 'chown'  '-R' 'clientname:clientname' '/home/clientname/example.com']

All the user needs to do is symlink example.com to the resource they want to take control of, then add the domain. This will give the resource permissions of 755, user:group user:apache:

[user1@testing574 user1]$ ls -l /etc/shadow
-rwxr-xr-x 1 user1 apache 1415 May 19 17:05 /etc/shadow

This also works when adding subdomains.