Major DirectAdmin exploit!!

Ywa (Verified User; joined Feb 4, 2010; 37 messages; location: The Netherlands)

Hi everyone,

I tested this on several public DirectAdmin hosts. This exploit worked on all of them.

Possibilities with exploit
  • Read outgoing mails on random domain names
  • Capture passwords
  • Fake/override subdomains

How does this exploit work
1. Retrieve a domain name on your host (which you don't have in your account) (ex: mydomainname.com)
2. Create a new domainname in your account: yougothacked.mydomainname.com
3. Wait till the DNS is updated. Visit http://yougothacked.mydomainname.com (this is an example) and it'll forward to your account instead of the legitimate owner's account.

I know this is a normal feature. But on public hosts it can be abused since DA doesn't check if you own the original domain name on the host.

This can be even more abused by creating ftp.mydomainname.com (intercept FTP transactions) and mail.mydomainname.com (read outgoing mails) etc. etc.

Another possibility is to override existing subdomains, although I need to test that more.

I'm sure I'm not the first to find out. But it can be abused!!

- Ywa

Fix: http://www.directadmin.com/features.php?id=925 (this is disabled by default!)
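
The missing check described in the post above, as an added example that is not DirectAdmin's own code: before a new domain is accepted into an account, walk up its parent labels and refuse the request when the closest parent zone already hosted on the server belongs to a different account. The `HOSTED_DOMAINS` inventory, the account names and the function names are constructed for the example.

```python
# Added example, not DirectAdmin's own code: the parent-zone ownership check
# that the thread says the panel does not perform unless the admin enables it.
from typing import Dict, Iterator, Optional, Tuple

# Constructed inventory of domains hosted on one shared server:
# fully-qualified name -> owning account. Hypothetical sample data.
HOSTED_DOMAINS: Dict[str, str] = {
    "mydomainname.com": "alice",
    "shop.mydomainname.com": "alice",
    "example.net": "bob",
}


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot so lookups match."""
    return name.strip().rstrip(".").lower()


def ancestors(name: str) -> Iterator[str]:
    """Yield every parent of a name, closest first: a.b.c -> b.c, c."""
    labels = normalize(name).split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def closest_hosted_ancestor(name: str, hosted: Dict[str, str]) -> Optional[str]:
    """Return the nearest ancestor of `name` that is hosted here, if any."""
    for parent in ancestors(name):
        if parent in hosted:
            return parent
    return None


def check_domain_request(requester: str, requested: str,
                         hosted: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether `requester` may add `requested` to their account.

    Returns (allowed, reason). A request is refused when the exact name, or
    its closest ancestor zone hosted on this server, belongs to a different
    account. Names with no hosted parent are ordinary new domains.
    """
    name = normalize(requested)
    if name in hosted:
        if hosted[name] == requester:
            return False, f"{name} is already in your account"
        return False, f"{name} is already hosted by another account"
    parent = closest_hosted_ancestor(name, hosted)
    if parent is None:
        return True, "no hosted parent zone; treated as a new domain"
    if hosted[parent] == requester:
        return True, f"you own the parent zone {parent}"
    return False, f"parent zone {parent} belongs to another account"


if __name__ == "__main__":
    for user, dom in [("mallory", "yougothacked.mydomainname.com"),
                      ("alice", "mail.mydomainname.com"),
                      ("mallory", "newbusiness.org")]:
        print(user, dom, check_domain_request(user, dom, HOSTED_DOMAINS))
```

The check deliberately looks at the closest hosted ancestor rather than only the registrable domain, so a user who owns `shop.mydomainname.com` but not `mydomainname.com` is also protected. As the thread notes further down, the same rule blocks the legitimate case of giving a subdomain its own account, so a host that enables it needs an administrator-approval path for that setup.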
Yes it was fixed over a year ago. It is always up to system administrators to keep up with security and decide whether to implement them or not.

* Read outgoing mails on random domainnames
* Capture passwords

I do not see how you can do any of those things.
 
One problem with using the fix is that with it implemented you can't set up a subdomain as a different user, which means that you can't have a different IP# for a subdomain.

Note that this isn't a DirectAdmin exploit; it's got nothing to do with anything the control panel does. To some extent it's actually a bug in how BIND works which I reported years ago:

According to RFCs DNS shouldn't resolve a subdomain on a nameserver unless there are NS records for it in the main zone file for the domain.

I got shot down by isc.org (publishers of BIND); they said it was a feature not a bug.

Of course if they fixed it, and then if DirectAdmin set a workaround to allow any user of a new subdomain to change the original zone file, that would be a bug.

Jeff