Installatron (DirectAdmin) - Privilege Escalation Vulnerability (R911-0082)
Posted by Patrick, 10-25-2013, 07:34 AM

Product Description:
Installatron is a turn-key, state-of-the-art web application automation solution (also known as an auto installer or script installer) for web hosting control panel platforms. Once installed on a control panel server, Installatron's powerful, easy-to-use user-interface integrates seamlessly, enabling instant, one-click installs and upgrades, backups and restores, and other advanced features for a premier collection of only the best applications on the web.

Vulnerability Description:
Installatron on DirectAdmin can use the system cURL binary, which allows an attacker to manipulate the output using a malicious config file, which could lead to a root compromise.

Proof of Concept:
Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:
We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:
This vulnerability was tested against Installatron v9.0.3 for DirectAdmin and is believed to exist in all prior versions.

Fixed Version:
This vulnerability was patched in Installatron v9.0.4 and v8.0.16.

Vendor Contact Timeline:
2013-10-21: Vendor contacted via email.
2013-10-21: Vendor confirms vulnerability.
2013-10-21: Vendor issues v9.0.4 and v8.0.16 update.
2013-10-25: Rack911 issues security advisory.