exploit the possibilities

Wampserver 3.0.6 Privilege Escalation

Wampserver 3.0.6 Privilege Escalation
Posted Dec 26, 2016
Authored by Heliand Dema

Wampserver version 3.0.6 suffers from an insecure file permissions privilege escalation vulnerability.

tags | exploit
MD5 | 5706d2f1bcd9a9c57340694723d5d1af

Wampserver 3.0.6 Privilege Escalation

Change Mirror Download

=====================================================
# Vendor Homepage: http://www.wampserver.com/
# Date: 10 Dec 2016
# Version : Wampserver 3.0.6 32 bit x86
# Tested on: Windows 7 Ultimate SP1 (EN)
# Author: Heliand Dema
# Contact: heliand@cyber.al
# CVE: 2016-10031
=====================================================

Wampserver installs two services called 'wampapache' and 'wampmysqld'
with weak file permission running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local user
to execute arbitrary code with elevated privileges on the system.

C:\>sc qc wampapache
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wampapache
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME :
"c:\wamp\bin\apache\apache2.4.23\bin\httpd.exe" -k runservice
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : wampapache
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem



PS C:\> icacls c:\wamp\bin\apache\apache2.4.23\bin\httpd.exe
c:\wamp\bin\apache\apache2.4.23\bin\httpd.exe
BUILTIN\Administrators:(I)(F) <--- Full Acces
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated
Users:(I)(M) <--- Modify


C:\Windows\system32>sc qc wampmysqld
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wampmysqld
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME :
c:\wamp\bin\mysql\mysql5.7.14\bin\mysqld.exe wampmysqld
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : wampmysqld
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


PS C:\> icacls c:\wamp\bin\mysql\mysql5.7.14\bin\mysqld.exe
c:\wamp\bin\mysql\mysql5.7.14\bin\mysqld.exe
BUILTIN\Administrators:(I)(F) <--- Full Acces
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated
Users:(I)(M) <--- Modify


Notice the line: NT AUTHORITY\Authenticated Users:(I)(M) which lists the
permissions for authenticated however unprivileged users. The (M) stands
for Modify, which grants us, as an unprivileged user, the ability to
read, write and delete files and subfolders within this folder.


====Proof-of-Concept====

To properly exploit this vulnerability, the local attacker must insert
an executable file called mysqld.exe or httpd.exe and replace the
original files. Next time service starts the malicious file will get
executed as SYSTEM.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    9 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close