DirectAdmin 1.33.6 - Symlink Security Bypass

EDB-ID:

11029

CVE:

N/A

Author:

alnjm33

Type:

local

Platform:

Multiple

Published:

2010-01-06

Subject: DirectAdmin <= 1.33.6 Symlink Permission Bypass
Date: 5/1/21010
Author: alnjm33
Tested on: 1.33.6 -- 1.33.1 and i think it's work in all versions
Home:sec-war.com
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::exploit::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
first
must execute this command on the server >>>> ln /etc/shadow
to make symbolic link to shadow file in any dir
after that go to
Create/Restore Backups in direct and make
((Domains Directory: Backs up))
the backup file will be in
/home/test/backups
go there then Extract tar.gz file
after extract
go to
/home/test/backups/domains/test.com/public_html
or the dir which you execute the command
and now you can read the shadow file which have 400 Permission

Greetz to :PrEdAtOr -Sh0ot3R - xXx - Mu$L!m-h4ck3r - ahmadso -JaMbA-RoOt_EgY-jago-dz-XR57 all sec-war.com members<http://sec-war.com/cc//index.php?showuser=36>