DirectAdmin – Privilege Escalation #2 (R911-0028)

Type: Privilege Escalation #2
Impact: Critical
Product: DirectAdmin
Website: http://www.directadmin.com
Vulnerable Version: v1.43
Fixed Version: v1.431
CVE: -
R911: 0028
Date: 2013-06-19
By: http://www.rack911.com

Product Description:

DirectAdmin is a graphical, web-based hosting control panel designed to simplify the administration of websites.

Vulnerability Description:

There is a flaw in the backup system which, when combined with the email account function, allows a local user to plant a symlink and thereby gain ownership of any directory on the server, including /etc. Ownership of /etc is sufficient for a full root compromise.
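The bug class described above, illustrated as an added example. This is not Rack911's withheld proof of concept and does not reproduce DirectAdmin's actual backup or mail code; it models the general pattern of a root-run recursive chown that resolves symlinks, alongside a hardened variant that refuses to follow them. The directory names (Maildir, imap), the stand-in etc directory and the planted symlink are all constructed for the example. Because changing ownership requires root, the functions record the real paths that a chown would touch instead of calling chown, which is enough to show the difference.

```python
import os
import stat
import tempfile


def paths_touched_by_naive_chown(home):
    """Model a privileged routine that does the equivalent of
    `chown -R user:user <home>` using os.chown() with its default
    follow_symlinks=True. Return the set of real paths whose ownership
    would change. A symlink under home redirects the chown to its target."""
    touched = set()
    for dirpath, dirnames, filenames in os.walk(home):
        touched.add(os.path.realpath(dirpath))
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            # os.chown(p, uid, gid) resolves symlinks, so the *target* is chowned
            touched.add(os.path.realpath(p))
    return touched


def paths_touched_by_hardened_chown(home):
    """Same walk, but every entry is inspected with lstat() and symlinks are
    never resolved (the real code would use os.chown(p, uid, gid,
    follow_symlinks=False), i.e. lchown). Only inodes that actually live
    under home can have their ownership changed."""
    touched = set()
    for dirpath, dirnames, filenames in os.walk(home):  # followlinks=False
        touched.add(os.path.realpath(dirpath))
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if stat.S_ISLNK(os.lstat(p).st_mode):
                # lchown would change the link inode itself, never its target
                continue
            touched.add(os.path.realpath(p))
    return touched


def build_fixture(tmp):
    """Constructed layout: a user home with a mail directory, a stand-in for
    /etc outside the home, and an attacker-planted symlink named like a
    directory the privileged routine expects to own."""
    home = os.path.join(tmp, "home", "victim")
    sensitive = os.path.join(tmp, "etc")  # stands in for the real /etc
    os.makedirs(os.path.join(home, "Maildir", "new"))
    os.makedirs(sensitive)
    with open(os.path.join(sensitive, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    os.symlink(sensitive, os.path.join(home, "imap"))
    return home, sensitive


def demo():
    """Run both models against the fixture and report whether the stand-in
    /etc would have changed hands."""
    with tempfile.TemporaryDirectory() as tmp:
        home, sensitive = build_fixture(tmp)
        naive = paths_touched_by_naive_chown(home)
        hardened = paths_touched_by_hardened_chown(home)
        maildir = os.path.realpath(os.path.join(home, "Maildir"))
        return {
            "naive_hits_sensitive": os.path.realpath(sensitive) in naive,
            "hardened_hits_sensitive": os.path.realpath(sensitive) in hardened,
            "hardened_keeps_maildir": maildir in hardened,
        }


if __name__ == "__main__":
    print(demo())
```

Skipping symlinks after an lstat() is still a check-then-act sequence; a privileged process that wants to be race-free should open each directory with O_NOFOLLOW|O_DIRECTORY (or openat relative to an already-open parent) and call fchown on the descriptor, so that the inode whose ownership changes is exactly the one that was inspected.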

Proof of Concept:

Due to the nature of this security flaw, we will not publish a proof of concept until a much later date.

Impact:

We rate this vulnerability CRITICAL because an ordinary, unprivileged user can obtain a root shell immediately.

Vulnerable Version:

This vulnerability was tested against DirectAdmin v1.43.

Fixed Version:

This vulnerability was patched in DirectAdmin v1.431.

Vendor Contact Timeline:

2013-06-09: Vendor contacted via email.
2013-06-10: Vendor confirms vulnerability.
2013-06-10: Vendor issues v1.431 #1 update.
2013-06-19: Rack911 issues security advisory.