exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TZO-072006-Xampp.txt

TZO-072006-Xampp.txt
Posted May 22, 2006
Authored by Thierry Zoller | Site secdev.zoller.lu

XAMPP version 1.5.2 is susceptible to multiple privilege escalation flaws and a rogue autostart vulnerability.

tags | advisory
SHA-256 | 7297df138d18e6eb6c7c38264ddf0a821e1cc6c91cdd646bca96f9ef24a832d5

TZO-072006-Xampp.txt

Change Mirror Download

_______________________________________________________________________

XAMPP - Multiple Priviledge Escalation and Rogue Autostart
_______________________________________________________________________


Ref : TZO-072006-Xampp
Author : Thierry Zoller
WWW : http://secdev.zoller.lu
Article : http://secdev.zoller.lu/research/xamp1.htm



I. Background
~~~~~~~~~~~~~
XAMPP is an easy to install Apache distribution containing MySQL, PHP
and Perl. XAMPP is really very easy to install and to use - just
download, extract and start. In the FAQ we read : Xampp is not meant
for production use but only for developers in a development
environment. However I have seen it being used in production
environments quite a lot,hence this advisory.

According to the download stats, Xampp has been downloaded 2.765.443
times between 2003 and 2006


[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path
specification - CVSS Rating : 4
[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path
specification - CVSS Rating : 4
[3] Priviledge Escaltation to SYSTEM due to CGI Path specification
- CVSS Rating : 4
[4] Rogue Autostart due to unsecure File execution
- CVSS Rating : 2.8

II. Details
~~~~~~~~~~~~~

[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path specification :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
- The path specified in the service image is not being quoted :


As such as soon as the service is started, the Path not being quoted,
c:\program.exe is executed with NT/SYSTEM rights (The one the
filezillaftp service would have had). If we create a program named
c:\program.exe that shells NETCAT (and mysql) which spawns a shell
to a remote host, we have SYSTEM acces remotely.



[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path specification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
- The MYSSQLAdmin 1.4 console comes with a messed up configuration
file, first the "/" character instead of "\"is used to indicate
the path to the executable, furthermore the path is not quoted,
resulting in yet another priviledge escalation situation, if
the user launches the Mysql Admin console.

As the user clicks "Admin.." to launch the MySqlAdmin interface, the
Path not being quoted in the configuration file , c:\program.exe
is executed with NT/SYSTEM rights.



[3] Priviledge Escaltation to SYSTEM due to CGI Path specification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
- Apache runs as a service
- An user clicks on STATUS in the XAMMPP control panel or calls a
CGI script over http.


As the user clicks on the Status link inside the control panel
or executes a CGI program with the same path specified ,
c:\program.exe is executed with NT/SYSTEM rights if apache
runs as a service.


[4] Rogue Autostart due to unsecure File execution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"

During Startup, the installer executes the xampp control panel
through the use of the CreateProcess() function. By doing so
it omits to set the 'lpApplicationName' variable and further
omits to quote the path in the variable "lpCommandLine". Ref [1]

This results in c:\program.bat|exe|com being called prior to
xamppcontrol.exe and allows automatic startup of a potentially
rogue application.

III. Vendor Response
~~~~~~~~~~~~~~~~~~~~
http://www.apachefriends.org/en/news-article,75557.html

[06/May] Vendor Contact
[07/May] Vendor Response
[09/May] The current Windows beta fixes two of the problems based on
this bug. We expect the next beta soon which will fix all
four problems.
[10/May] The new Windows beta now fixes all problems.


IV. MISC
~~~~~~~~~~~~~~~~~~~~
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Only a real issue in Windows 2000, WinXP restricted users don't have the right to write to c:\




--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close