XAMPP 7.1.1-0-VC14 DLL Hijacking
Posted May 6, 2017
Authored by Stefan Kanthak

The win32 installer for XAMPP version 7.1.1-0-VC14 suffers from a DLL hijacking vulnerability.

tags | exploit
systems | windows
SHA-256 | a8fc7e5606eb5e86648baa5594604a3f400211d28987f06793ec8ef3d4d629d2

Hi @ll,

xampp-win32-7.1.1-0-VC14-installer.exe, available from
<https://www.apachefriends.org/download.html>, is vulnerable,
dangerous and defective.

ALL other executable installers built with BitRock InstallBuilder
(which of course includes BitRock's InstallBuilder itself) are
vulnerable and defective too.

0. DANGEROUS
~~~~~~~~~~~~

0.a It instructs its unsuspecting users with a dialog box
______________________________________________________________________
| Warning [X]
|----------------------------------------------------------------------
| ^ Important! Because an activated User Account Control (UAC)
| /!\ on your system some functions of XAMPP are possibly restricted.
| --- With UAC please avoid to install XAMPP to C:\Program Files
| (missing write permissions). Or deactivate UAC with msconfig
| after this setup.
| [ OK ]
|
----------------------------------------------------------------------
to circumvent a security boundary or a security feature.

0.b The second alternative assumes that users don't use (unprivileged)
STANDARD user accounts, but the (protected) administrator account
created during Windows setup.

But see Microsoft's recommendations
<https://technet.microsoft.com/en-us/library/ee679793.aspx>:

| Do not disable UAC
...
| Use standard user accounts


1. VULNERABLE
~~~~~~~~~~~~~

1.a It loads (at least) SAMCli.dll, SchedCli.dll and LogonCli.dll
(tested on Windows 7 SP1) from its "application directory"
instead of Windows' "system directory" %SystemRoot%\System32\,
resulting in arbitrary code execution.

For software downloaded with a web browser the "application
directory" is typically the user's "Downloads" directory: see
<http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

Also see <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html> and
<https://skanthak.homepage.t-online.de/!execute.html>

1.b It creates 10 DLLs named BR<4tHexDigits>.tmp in the user's
%TEMP% directory and loads them during the installation.

An unprivileged attacker can modify these DLLs between their
creation and loading, for example using the following (trivial)
batch script, again resulting in arbitrary code execution:

--- BITROCK.CMD ---
:WAIT
If Not Exist "%TEMP%\BR????.DLL" Goto :WAIT
For %%! In ("%TEMP%\BR????.DLL") Do Copy SENTINEL.DLL "%%!"
--- EOF ---

See <https://skanthak.homepage.t-online.de/sentinel.html> for
SENTINEL.DLL

1.c Thanks to the embedded application manifest which specifies
"requireAdministrator" the installer will be started with
administrative privileges ("protected" administrators are
prompted for consent, unprivileged standard users are prompted
for an administrator password), resulting in an escalation of
privilege if (one of) the DLLs named above get(s) executed!

If (one of) the DLLs named above get(s) planted in the user's
"Downloads" directory, for example per "drive-by download",
this vulnerability becomes a remote code execution WITH
escalation of privilege.
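As an added illustration from the detection side (not part of Stefan Kanthak's advisory), the following Python classifies image-load events such as the Image/ImageLoaded fields of a Sysmon event ID 7 record and flags the two patterns described in 1.a and 1.b. The DLL names are the ones listed above; the user name, paths and sample events are constructed.

```python
import re

# DLLs the advisory reports being resolved from the installer's application directory (1.a);
# extend the set with any other System32 DLL an installer is known to need.
SYSTEM_DLLS = {"samcli.dll", "schedcli.dll", "logoncli.dll"}
TEMP_DLL = re.compile(r"^br[0-9a-f]{4}\.tmp$", re.IGNORECASE)   # 1.b: %TEMP%\BR<4 hex digits>.tmp

def split_path(path):
    """Return (directory, file name) of a Windows path, both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name

def classify_load(image, image_loaded):
    """Classify one image-load event given the loading process (image) and the loaded module,
    e.g. the Image and ImageLoaded fields of a Sysmon event ID 7 record. Returns a reason
    string for a suspicious load, or None when the load looks normal."""
    app_dir, _ = split_path(image)
    dll_dir, dll = split_path(image_loaded)
    if dll in SYSTEM_DLLS and not dll_dir.endswith("\\system32"):
        if dll_dir == app_dir:
            return "system DLL resolved from the application directory"
        return "system DLL loaded outside the system directory"
    if TEMP_DLL.match(dll) and "\\temp" in dll_dir:
        return "DLL loaded from a per-user temp file"
    return None

def scan(events):
    """Return (image, image_loaded, reason) for every suspicious (image, image_loaded) pair."""
    findings = []
    for image, loaded in events:
        reason = classify_load(image, loaded)
        if reason:
            findings.append((image, loaded, reason))
    return findings

# Constructed sample events (not real telemetry): the installer run from a Downloads directory.
INSTALLER = r"C:\Users\alice\Downloads\xampp-win32-7.1.1-0-VC14-installer.exe"
SAMPLE_EVENTS = [
    (INSTALLER, r"C:\Windows\System32\kernel32.dll"),
    (INSTALLER, r"C:\Users\alice\Downloads\SAMCli.dll"),
    (INSTALLER, r"C:\Windows\System32\SchedCli.dll"),
    (INSTALLER, r"C:\Users\alice\AppData\Local\Temp\BR1A2F.tmp"),
]

if __name__ == "__main__":
    for image, loaded, reason in scan(SAMPLE_EVENTS):
        print("%s: %s" % (reason, loaded))
```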


2. DEFECTIVE
~~~~~~~~~~~~

2.a It has INVALID PE (section) headers; Microsoft's DUMPBIN.EXE
aborts with "access violation" (see below) due to the INVALID
section name "/4"!

From the PE/COFF specification, available via
<https://www.microsoft.com/en-us/download/details.aspx?id=19509>

| Offset Size Field Description
| 0 8 Name An 8-byte, null-padded UTF-8 encoded string.
| If the string is exactly 8 characters long,
| there is no terminating null. For longer names,
| this field contains a slash (/) that is followed
| by an ASCII representation of a decimal number
| that is an offset into the string table.
| Executable images do not use a string table and do
| not support section names longer than 8 characters.
| Long names in object files are truncated if they
| are emitted to an executable file.

2.b The IMPORT directory contains 2 IMAGE_IMPORT_DESCRIPTOR entries
for msvcrt.dll.

It should, however, have only 1 IMAGE_IMPORT_DESCRIPTOR per DLL!
See the PE/COFF specification:

| Import Directory Table
...
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.
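Both header defects (2.a and 2.b) can be checked without DUMPBIN. The following Python is an added example, not code from the advisory or from BitRock: it parses the section table and the import directory of a PE32 image and reports string-table section names and duplicate IMAGE_IMPORT_DESCRIPTOR entries; the image it builds for the check is a constructed, headers-only file, not the XAMPP installer.

```python
import struct
from collections import Counter

def parse_pe(data):
    """Return (COFF characteristics, optional-header offset, section header tuples)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    sects = [struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i) for i in range(nsect)]
    return chars, pe + 24, sects   # section tuple: (name, vsize, vaddr, raw size, raw pointer)

def rva_to_offset(sects, rva):
    for _, vsize, vaddr, rsize, rptr in sects:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def header_defects(data):
    """Report a '/N' string-table section name in an executable image (2.a) and more than
    one IMAGE_IMPORT_DESCRIPTOR for the same DLL (2.b). Assumes PE32 (data dirs at +96)."""
    chars, opt, sects = parse_pe(data)
    defects = ["section name %s uses the string table" % s[0].rstrip(b"\0").decode()
               for s in sects if chars & 0x0002 and s[0].startswith(b"/")]
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]   # data directory #1 = Import
    seen, off = Counter(), rva_to_offset(sects, imp_rva) if imp_rva else None
    while off is not None and any(struct.unpack_from("<IIIII", data, off)):   # null entry ends table
        name_off = rva_to_offset(sects, struct.unpack_from("<I", data, off + 12)[0])
        seen[data[name_off:data.index(b"\0", name_off)].lower()] += 1
        off += 20
    return defects + ["%d import descriptors for %s" % (n, d.decode()) for d, n in seen.items() if n > 1]

def build_sample_image(section_names, imports):
    """Constructed, headers-only PE32 image for testing (not the XAMPP installer): the
    import descriptors and DLL name strings live in one extra '.idata' section."""
    nsect = len(section_names) + 1
    opt = struct.pack("<H", 0x10B) + b"\0" * (94 + 128)        # PE32 magic, zeroed fields, 16 dirs
    data_ptr = (0x40 + 24 + len(opt) + 40 * nsect + 0x1FF) & ~0x1FF   # 0x200 file alignment
    idata_rva, names, descs = 0x1000 * nsect, b"", b""
    for dll in imports:
        descs += struct.pack("<IIIII", 0, 0, 0, idata_rva + 20 * (len(imports) + 1) + len(names), 0)
        names += dll + b"\0"
    idata = descs + b"\0" * 20 + names
    opt = opt[:104] + struct.pack("<II", idata_rva, len(descs) + 20) + opt[112:]
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, len(opt), 0x0102)   # x86, executable image
    secs = b"".join(struct.pack("<8sIIII", n, 0x1000, 0x1000 * (i + 1), 0, 0) + b"\0" * 16
                    for i, n in enumerate(section_names))
    secs += struct.pack("<8sIIII", b".idata", len(idata), idata_rva, len(idata), data_ptr) + b"\0" * 16
    image = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + secs
    return image.ljust(data_ptr, b"\0") + idata
```

Run `header_defects` over a real installer by passing the file's bytes; the sample builder only exists so the check can be exercised offline.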


Mitigations:
~~~~~~~~~~~~

* Don't build executable installers, they are almost always vulnerable!

Create native installation packages for the respective OS instead.
For Windows these are .MSI or .INF with .CAB.

* Don't use executable installers!

* stay FAR away from so-called products of companies like BitRock


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-02-17 vulnerability report sent to one of the customers/users
of BitRock, the maker of XAMPP and the equally vulnerable
and defective BitRock InstallBuilder

2017-02-18 reply from this customer:
"I have [therefore] escalated this report to Bitrock's
support team."

NO REPLY from Bitrock's support team.

2017-02-19 vulnerability report sent to the German tax office: their
"Elster Formular" software was built with the vulnerable
and defective BitRock InstallBuilder too

NO REPLY, not even an acknowledgement of receipt from the
German tax office

2017-02-26 vulnerability report sent to BitRock, maker of XAMPP,
Bitnami and BitRock InstallBuilder

2017-02-27 reply from BitRock: some lame excuses, and
"Thank you again for sharing all of the concerns with us."
but no hint/ETA for a fix

2017-02-27 vulnerability report resent to German tax office

2017-03-03 reply from German tax office:
"we've rebuilt our installers, the vulnerability is
fixed."

2017-03-06 NO, it is NOT fixed, the installer still shows the
reported defects/vulnerabilities

2017-03-23 reply from German tax office:
"we are working on an .MSI installer; ETA April 18"

2017-04-26 German tax office published .MSI installers for their
"Elster Formular" software

2017-05-04 report published


Evidence:
~~~~~~~~~

C:\>link.exe /dump /headers xampp-win32-7.1.1-0-VC14-installer.exe

Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file xampp-win32-7.1.1-0-VC14-installer.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
14C machine (x86)
B number of sections
58071D79 time date stamp Wed Oct 19 09:15:05 2016
2B5C00 file pointer to symbol table
0 number of symbols
E0 size of optional header
32E characteristics
Executable
Line numbers stripped
Symbols stripped
Application can handle large (>2GB) addresses
32 bit word machine
Debug information stripped

OPTIONAL HEADER VALUES
10B magic # (PE32)
2.22 linker version
1D2C00 size of code
2B5800 size of initialized data
1C00 size of uninitialized data
12A0 entry point (004012A0)
1000 base of code
1D4000 base of data
400000 image base (00400000 to 006BDFFF)
1000 section alignment
200 file alignment
4.00 operating system version
1.00 image version
4.00 subsystem version
0 Win32 version
2BE000 size of image
400 size of headers
787749C checksum
2 subsystem (Windows GUI)
540 DLL characteristics
Dynamic base
NX compatible
No structured exception handler
200000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
280000 [ 6E] RVA [size] of Export Directory
281000 [ 3C04] RVA [size] of Import Directory
287000 [ 22B34] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
786BB58 [ 10B0] RVA [size] of Certificates Directory
2AA000 [ 13850] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
286000 [ 18] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
2819AC [ 894] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory


SECTION HEADER #1
.text name
1D2B94 virtual size
1000 virtual address (00401000 to 005D3B93)
1D2C00 size of raw data
400 file pointer to raw data (00000400 to 001D2FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500060 flags
Code
Initialized Data
RESERVED - UNKNOWN
RESERVED - UNKNOWN
Execute Read

SECTION HEADER #2
.data name
1400C virtual size
1D4000 virtual address (005D4000 to 005E800B)
14200 size of raw data
1D3000 file pointer to raw data (001D3000 to 001E71FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0600040 flags
Initialized Data
RESERVED - UNKNOWN
RESERVED - UNKNOWN
Read Write

SECTION HEADER #3
.rdata name
425C0 virtual size
1E9000 virtual address (005E9000 to 0062B5BF)
42600 size of raw data
1E7200 file pointer to raw data (001E7200 to 002297FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40600040 flags
Initialized Data
RESERVED - UNKNOWN
RESERVED - UNKNOWN
Read Only

LINK : fatal error LNK1000: Internal error during DumpSections

Version 8.00.50727.762

ExceptionCode = C0000005
ExceptionFlags = 00000000
ExceptionAddress = 00427362 (00400000) "C:\Program Files\...\LINK.EXE"
NumberParameters = 00000002
ExceptionInformation[ 0] = 00000000
ExceptionInformation[ 1] = 00000004

CONTEXT:
Eax = 40000040 Esp = 0012E510
Ebx = 0000014C Ebp = 00000000
Ecx = 00000007 Esi = 00000004
Edx = 00000004 Edi = 00403D00
Eip = 00427362 EFlags = 00010246
SegCs = 0000001B SegDs = 00000023
SegSs = 00000023 SegEs = 00000023
SegFs = 0000003B SegGs = 00000000
Dr0 = 00000000 Dr3 = 00000000
Dr1 = 00000000 Dr6 = 00000000
Dr2 = 00000000 Dr7 = 00000000
