[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1639995111.20060521185739@Zoller.lu>
Date: Sun, 21 May 2006 18:57:39 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: cert@...t.org, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
<news@...uriteam.com>, <submissions@...ketstorm.org>, <news@...unia.de>
Subject: [TZO-072006]-Xampp - Multiple Priviledge
Escalation (SYSTEM) and Rogue Autostart
_______________________________________________________________________
XAMPP - Multiple Priviledge Escalation and Rogue Autostart
_______________________________________________________________________
Ref : TZO-072006-Xampp
Author : Thierry Zoller
WWW : http://secdev.zoller.lu
Article : http://secdev.zoller.lu/research/xamp1.htm
I. Background
~~~~~~~~~~~~~
XAMPP is an easy to install Apache distribution containing MySQL, PHP
and Perl. XAMPP is really very easy to install and to use - just
download, extract and start. In the FAQ we read : Xampp is not meant
for production use but only for developers in a development
environment. However I have seen it being used in production
environments quite a lot,hence this advisory.
According to the download stats, Xampp has been downloaded 2.765.443
times between 2003 and 2006
[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path
specification - CVSS Rating : 4
[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path
specification - CVSS Rating : 4
[3] Priviledge Escaltation to SYSTEM due to CGI Path specification
- CVSS Rating : 4
[4] Rogue Autostart due to unsecure File execution
- CVSS Rating : 2.8
II. Details
~~~~~~~~~~~~~
[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path specification :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
- The path specified in the service image is not being quoted :
As such as soon as the service is started, the Path not being quoted,
c:\program.exe is executed with NT/SYSTEM rights (The one the
filezillaftp service would have had). If we create a program named
c:\program.exe that shells NETCAT (and mysql) which spawns a shell
to a remote host, we have SYSTEM acces remotely.
[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path specification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
- The MYSSQLAdmin 1.4 console comes with a messed up configuration
file, first the "/" character instead of "\"is used to indicate
the path to the executable, furthermore the path is not quoted,
resulting in yet another priviledge escalation situation, if
the user launches the Mysql Admin console.
As the user clicks "Admin.." to launch the MySqlAdmin interface, the
Path not being quoted in the configuration file , c:\program.exe
is executed with NT/SYSTEM rights.
[3] Priviledge Escaltation to SYSTEM due to CGI Path specification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
- Apache runs as a service
- An user clicks on STATUS in the XAMMPP control panel or calls a
CGI script over http.
As the user clicks on the Status link inside the control panel
or executes a CGI program with the same path specified ,
c:\program.exe is executed with NT/SYSTEM rights if apache
runs as a service.
[4] Rogue Autostart due to unsecure File execution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
During Startup, the installer executes the xampp control panel
through the use of the CreateProcess() function. By doing so
it omits to set the 'lpApplicationName' variable and further
omits to quote the path in the variable "lpCommandLine". Ref [1]
This results in c:\program.bat|exe|com being called prior to
xamppcontrol.exe and allows automatic startup of a potentially
rogue application.
III. Vendor Response
~~~~~~~~~~~~~~~~~~~~
http://www.apachefriends.org/en/news-article,75557.html
[06/May] Vendor Contact
[07/May] Vendor Response
[09/May] The current Windows beta fixes two of the problems based on
this bug. We expect the next beta soon which will fix all
four problems.
[10/May] The new Windows beta now fixes all problems.
IV. MISC
~~~~~~~~~~~~~~~~~~~~
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Only a real issue in Windows 2000, WinXP restricted users don't have the right to write to c:\
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists