Installatron (DirectAdmin) – Privilege Escalation Vulnerability (R911-0082)

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: Installatron
Website: http://www.installatron.com
Vulnerable Version: v9.0.3
Fixed Version: v9.0.4 and v8.0.16
CVE: -
R911: 0082
Date: 2013-10-25
By: Rack911

Product Description:

Installatron is a turn-key, state-of-the-art web application automation solution (also known as an auto installer or script installer) for web hosting control panel platforms.

Once installed on a control panel server, Installatron’s powerful, easy-to-use user-interface integrates seamlessly, enabling instant, one-click installs and upgrades, backups and restores, and other advanced features for a premier collection of only the best applications on the web.

Vulnerability Description:

Installatron on DirectAdmin can invoke the system cURL binary, which allows an attacker to manipulate cURL's output through a malicious configuration file; this could lead to a root compromise.
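
As an added illustration of the defensive side (this is not Rack911's withheld proof of concept and not Installatron's own code), the following POSIX shell helpers audit a cURL command line and wrap a privileged invocation; they assume the configuration file in question is curl's per-user ~/.curlrc and that GNU stat is available.

```shell
#!/bin/sh
# Added example, not Rack911's withheld PoC and not Installatron's code.
# Assumption: the "malicious config file" is curl's per-user ~/.curlrc, which
# the system curl reads from $HOME unless -q / --disable is its FIRST argument.
# Audit helper: return 0 if this curl command line suppresses the user curlrc.
curl_args_hardened() {
    case "$1" in curl|*/curl) shift ;; esac   # drop the program name if present
    case "$1" in
        -q|--disable) return 0 ;;            # only honored as the first argument
        *)            return 1 ;;
    esac
}

# Accept an explicit --config file only if owned by uid EXPECTED_UID and not
# group- or world-writable (GNU stat assumed).
config_file_trusted() {
    f=$1; expected_uid=$2
    [ -f "$f" ] || return 1
    uid=$(stat -c %u "$f") || return 1
    mode=$(stat -c %a "$f") || return 1
    [ "$uid" = "$expected_uid" ] || return 1
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;       # group or other write bit set
    esac
    return 0
}
# Wrapper for a privileged tool: -q goes first, HOME is pinned to a root-owned
# directory, and a config file is only passed in after the ownership check.
privileged_curl() {
    cfg=$1; shift
    config_file_trusted "$cfg" 0 || return 1
    HOME=/root curl -q --config "$cfg" "$@"
}

# Constructed sample of invocations an auditor might grep out of panel scripts;
# prints how many of them would still read a user-controlled curlrc.
count_unhardened() {
    n=0
    while IFS= read -r line; do
        set -- $line
        curl_args_hardened "$@" || n=$((n + 1))
    done <<EOF
/usr/bin/curl -s -o /tmp/pkg.tgz http://mirror.example/pkg.tgz
curl -s -q -o /tmp/pkg.tgz http://mirror.example/pkg.tgz
curl -q -s -o /tmp/pkg.tgz http://mirror.example/pkg.tgz
curl --disable --config /etc/tool/curlrc http://mirror.example/pkg.tgz
EOF
    echo "$n"
}
```

Of the four constructed sample lines only the last two are safe, since `-q` is ignored by curl unless it is the very first argument.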

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We rate this vulnerability CRITICAL because root access can be obtained.

Vulnerable Version:

This vulnerability was tested against Installatron v9.0.3 for DirectAdmin and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in Installatron v9.0.4 and v8.0.16.

Vendor Contact Timeline:

2013-10-21: Vendor contacted via email.
2013-10-21: Vendor confirms vulnerability.
2013-10-21: Vendor issues v9.0.4 and v8.0.16 update.
2013-10-25: Rack911 issues security advisory.