exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TZO-072006-Xampp.txt

TZO-072006-Xampp.txt
Posted May 22, 2006
Authored by Thierry Zoller | Site secdev.zoller.lu

XAMPP version 1.5.2 is susceptible to multiple privilege escalation flaws and a rogue autostart vulnerability.

tags | advisory
SHA-256 | 7297df138d18e6eb6c7c38264ddf0a821e1cc6c91cdd646bca96f9ef24a832d5

TZO-072006-Xampp.txt

Change Mirror Download

_______________________________________________________________________

XAMPP - Multiple Priviledge Escalation and Rogue Autostart
_______________________________________________________________________


Ref : TZO-072006-Xampp
Author : Thierry Zoller
WWW : http://secdev.zoller.lu
Article : http://secdev.zoller.lu/research/xamp1.htm



I. Background
~~~~~~~~~~~~~
XAMPP is an easy to install Apache distribution containing MySQL, PHP
and Perl. XAMPP is really very easy to install and to use - just
download, extract and start. In the FAQ we read : Xampp is not meant
for production use but only for developers in a development
environment. However I have seen it being used in production
environments quite a lot,hence this advisory.

According to the download stats, Xampp has been downloaded 2.765.443
times between 2003 and 2006


[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path
specification - CVSS Rating : 4
[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path
specification - CVSS Rating : 4
[3] Priviledge Escaltation to SYSTEM due to CGI Path specification
- CVSS Rating : 4
[4] Rogue Autostart due to unsecure File execution
- CVSS Rating : 2.8

II. Details
~~~~~~~~~~~~~

[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path specification :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
- The path specified in the service image is not being quoted :


As such as soon as the service is started, the Path not being quoted,
c:\program.exe is executed with NT/SYSTEM rights (The one the
filezillaftp service would have had). If we create a program named
c:\program.exe that shells NETCAT (and mysql) which spawns a shell
to a remote host, we have SYSTEM acces remotely.



[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path specification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
- The MYSSQLAdmin 1.4 console comes with a messed up configuration
file, first the "/" character instead of "\"is used to indicate
the path to the executable, furthermore the path is not quoted,
resulting in yet another priviledge escalation situation, if
the user launches the Mysql Admin console.

As the user clicks "Admin.." to launch the MySqlAdmin interface, the
Path not being quoted in the configuration file , c:\program.exe
is executed with NT/SYSTEM rights.



[3] Priviledge Escaltation to SYSTEM due to CGI Path specification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"
- Apache runs as a service
- An user clicks on STATUS in the XAMMPP control panel or calls a
CGI script over http.


As the user clicks on the Status link inside the control panel
or executes a CGI program with the same path specified ,
c:\program.exe is executed with NT/SYSTEM rights if apache
runs as a service.


[4] Rogue Autostart due to unsecure File execution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp
1.5.2 is "c:\program files"

During Startup, the installer executes the xampp control panel
through the use of the CreateProcess() function. By doing so
it omits to set the 'lpApplicationName' variable and further
omits to quote the path in the variable "lpCommandLine". Ref [1]

This results in c:\program.bat|exe|com being called prior to
xamppcontrol.exe and allows automatic startup of a potentially
rogue application.

III. Vendor Response
~~~~~~~~~~~~~~~~~~~~
http://www.apachefriends.org/en/news-article,75557.html

[06/May] Vendor Contact
[07/May] Vendor Response
[09/May] The current Windows beta fixes two of the problems based on
this bug. We expect the next beta soon which will fix all
four problems.
[10/May] The new Windows beta now fixes all problems.


IV. MISC
~~~~~~~~~~~~~~~~~~~~
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Only a real issue in Windows 2000, WinXP restricted users don't have the right to write to c:\




--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close