Froxlor DataDump.add() Incomplete Symlink Validation Allows Arbitrary Directory Ownership Takeover
Froxlor versions before 2.3.6 are vulnerable to arbitrary directory ownership takeover via the DataDump.add() function due to incomplete symlink validation, allowing attackers to manipulate file ownership via a malicious symlink.
Froxlor, a server management panel, is vulnerable to an arbitrary directory ownership takeover in versions prior to 2.3.6. The vulnerability stems from an incomplete fix for CVE-2023-6069 related to symlink validation. Specifically, the DataDump.add() function lacks the $fixed_homedir parameter in its call to FileDir::makeCorrectDir(), which is present in other customer-facing API commands. This oversight allows a malicious customer to create a symlink within their web directory that points to an arbitrary directory on the system. When the ExportCron task runs as root, it executes chown -R on the resolved symlink target, effectively changing the ownership of the target directory and its contents to the attacker's user ID and group ID. This can lead to horizontal and vertical privilege escalation, data breaches, and service disruptions. The vulnerability can be triggered via a single API call, and the impact is delayed until the next cron run (typically hourly).
Attack Chain
- Attacker creates a symlink within their web directory (accessible via FTP/SSH) pointing to a target directory (e.g.,
/var/customers/webs/victim_customeror/etc). For example:ln -s /var/customers/webs/victim_customer /var/customers/webs/attacker_customer/steal. - Attacker crafts an API request to
DataDump.add()specifying the path to the created symlink (e.g.,"path":"steal"). - The
DataDump.add()function, located inDataDump.php, callsFileDir::makeCorrectDir()without the$fixed_homedirparameter, bypassing symlink validation. - The API call schedules a
CREATE_CUSTOMER_DATADUMPtask viaCronjob::inserttask(), including the unvalidated path asdestdirin the task data. - The
ExportCron::handle()function executes periodically as root, processing the scheduled data dump tasks. - The
ExportCronexecutes a series of commands includingmkdir -p,tar cfz, andchown -Rwith the attacker-controlleddestdirpath. - The
chown -Rcommand, executed viaFileDir::safe_exec(), resolves the symlink and recursively changes the ownership of the target directory to the attacker's UID and GID. - The attacker now owns the target directory and can modify files, escalate privileges, or disrupt services.
Impact
This vulnerability can have severe consequences: A malicious customer can take ownership of other customer's web files, databases, and email data, leading to data breaches. By targeting system directories like /etc, they can gain root access by modifying system files like /etc/passwd and /etc/shadow. This can lead to full system compromise. The attack requires minimal effort and can be difficult to trace due to the delayed impact. Successful exploitation leads to full read/write access to all files in the targeted directory, as well as potential service disruption.
Recommendation
- Apply the patch provided by Froxlor in version 2.3.6, which corrects the call to
FileDir::makeCorrectDir()inDataDump.add()to include the$fixed_homedirparameter (see fix in advisory). - Deploy the "Froxlor DataDump API Call with Suspicious Path" Sigma rule to detect API calls to
DataDump.add()with potentially malicious paths in web server logs. - Implement the suggested fix in
ExportCron.phpto check if the destination path is a symlink before executingchown -R(see fix in advisory). - Monitor process creation events for the execution of
chown -Rby the root user or the user running the Froxlor cron jobs, with a destination path that may indicate a symlink using the "Froxlor Suspicious chown Execution" Sigma rule.
Detection coverage 2
Froxlor DataDump API Call with Suspicious Path
mediumDetects API calls to DataDump.add with a path containing '..', potentially indicating path traversal, or a path starting with '/'
Froxlor Suspicious chown Execution
highDetects chown command executed by root or a user that runs Froxlor cron jobs with suspicious arguments
Detection queries are available on the platform. Get full rules →