This exploit leverages a symlink permission bypass in DirectAdmin <= 1.33.6 to read the /etc/shadow file by creating a symbolic link and then using the backup functionality to extract the file. The attack relies on the backup process following symlinks without proper permission checks.
Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: DirectAdmin <= 1.33.6
Auth: Required
Prerequisites: Access to the server to create a symlink · Access to DirectAdmin's backup functionality
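The mitigation the description points at, as an added example that is not DirectAdmin's code and not part of this entry: a backup routine that tests each entry with an lstat-style check and records symlinks instead of dereferencing them, so a planted link cannot pull a protected file into the archive. The directory layout, file names and `demo()` scenario are constructed.

```python
import os
import tarfile
import tempfile
from pathlib import Path

def safe_backup(root: str, archive_path: str) -> list[str]:
    """Archive regular files under `root` without dereferencing symlinks.

    os.walk(followlinks=False) never descends into a linked directory and
    os.path.islink (an lstat) tests each entry itself, so a link planted by
    the user is never opened. Returns the skipped links as an audit trail.
    """
    root_path = Path(root)
    skipped: list[str] = []
    with tarfile.open(archive_path, "w:gz") as tar:
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                full = Path(dirpath) / name
                rel = str(full.relative_to(root_path))
                if os.path.islink(full):
                    skipped.append(rel)  # recorded, never followed
                elif full.is_file():
                    tar.add(str(full), arcname=rel, recursive=False)
    return sorted(skipped)

def archive_contents(archive_path: str) -> dict[str, bytes]:
    """Map each regular-file member of the archive to its stored bytes."""
    with tarfile.open(archive_path, "r:gz") as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}

def demo() -> dict:
    """Constructed scenario: a protected file outside the user's home and a
    user-planted symlink pointing at it. Reports what the backup captured."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"  # stand-in for a file the user cannot read
        secret.write_bytes(b"CONSTRUCTED-SECRET")
        home = Path(tmp) / "user"
        home.mkdir()
        (home / "notes.txt").write_bytes(b"hello")
        os.symlink(secret, home / "planted_link")  # the link the attack relies on
        archive = Path(tmp) / "backup.tar.gz"
        skipped = safe_backup(str(home), str(archive))
        contents = archive_contents(str(archive))
    leaked = any(b"CONSTRUCTED-SECRET" in data for data in contents.values())
    return {"skipped": skipped, "members": sorted(contents), "leaked": leaked}
```

Running `demo()` shows the planted link listed under `skipped` and the protected content absent from the archive; a backup that logged the same list would also give operators a detection signal for this kind of attempt.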