Vendor: DirectAdmin
By: alnjm33
CVSS: 7.5 (HIGH)
Vulnerability: Symlink Permission Bypass
CWE: 264
Product Name: DirectAdmin
Affected Version From: 1.33.6
Affected Version To: 1.33.1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2010

DirectAdmin <= 1.33.6 Symlink Permission Bypass

A vulnerability in DirectAdmin <= 1.33.6 allows an attacker to bypass the 400 permission on the /etc/shadow file. The attacker creates a symbolic link to the file in any directory, then backs up the domain directory through Create/Restore Backups. After extracting the resulting backup archive, the shadow file can be read from /home/test/backups/domains/test.com/public_html.

Mitigation:

Ensure that the permissions of the /etc/shadow file are properly configured and that the file is not accessible to unauthorized users.
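
A defender-side check related to the mitigation above, added here as an example and not taken from the advisory or from DirectAdmin: before an account directory is backed up, list symbolic links that resolve outside it and hard links that share an inode with a name outside it or belong to another user. The function name `find_escaping_links` and the sample tree are assumptions made for this illustration.

```python
import os
import stat
from collections import defaultdict


def find_escaping_links(root):
    """Return sorted (path, reason) pairs for links under root that lead outside it."""
    root = os.path.realpath(root)
    owner = os.lstat(root).st_uid
    findings = []
    names = defaultdict(list)  # (device, inode) -> [(path, lstat)] seen inside root

    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.append((path, "symlink -> " + target))
            elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                names[(st.st_dev, st.st_ino)].append((path, st))

    for entries in names.values():
        st = entries[0][1]
        if st.st_uid != owner:
            reason = "hard link to file owned by uid %d" % st.st_uid
        elif st.st_nlink > len(entries):
            reason = "hard link with a name outside the tree"
        else:
            continue  # every name of this inode lives inside root
        findings.extend((path, reason) for path, _ in entries)
    return sorted(findings)


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a stand-in "secret" file outside a fake account directory.
    with tempfile.TemporaryDirectory() as base:
        web = os.path.join(base, "home", "public_html")
        os.makedirs(web)
        secret = os.path.join(base, "secret")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(web, "sym"))
        os.link(secret, os.path.join(web, "hard"))
        for path, reason in find_escaping_links(os.path.join(base, "home")):
            print(path, "::", reason)
```

Any path it reports can be excluded from the archive or reviewed before the backup job reads it.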

Exploit-DB raw data:

Subject: DirectAdmin <= 1.33.6 Symlink Permission Bypass
Date: 5/1/21010
Author: alnjm33
Tested on: 1.33.6 -- 1.33.1 and I think it works in all versions
Home: sec-war.com
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::exploit::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
First, you must execute this command on the server >>>> ln /etc/shadow
to make a symbolic link to the shadow file in any dir.
After that, go to
Create/Restore Backups in DirectAdmin and make
((Domains Directory: Backs up))
The backup file will be in
/home/test/backups
Go there, then extract the tar.gz file.
After extracting,
go to
/home/test/backups/domains/test.com/public_html
or the dir in which you executed the command,
and now you can read the shadow file, which has 400 permission.

Greetz to :PrEdAtOr -Sh0ot3R - xXx - Mu$L!m-h4ck3r - ahmadso -JaMbA-RoOt_EgY-jago-dz-XR57 all sec-war.com members<http://sec-war.com/cc//index.php?showuser=36>