Research and Development

We are the people our parents warned us about

XAMPP - Multiple Priviledge Escalation and Rogue Autostart

firewall

Introduction :
XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use - just download, extract and start.
In the FAQ we read : Xampp is not meant for production use but only for developers in a development environment. However I have seen it being used in production environments quite a lot, hence this advisory. According to the download stats, Xampp has been downloaded 2.765.443 times between 2003 and 2006

Title : Xampp - Multiple Priviledge Escalation and Rogue Autostart
Ref  : TZO-062006-Xamp

[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path specification - CVSS Rating : 4
[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path specification - CVSS Rating : 4
[3] Priviledge Escaltation to SYSTEM due to CGI Path specification - CVSS Rating : 4
[4] Rogue Autostart due to unsecure File execution - CVSS Rating : 2.8

[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path specification :
- The default installation path used during installation of Xampp 1.5.2 is "c:\program files"
- The path specified in the service image is not being quoted :


FileZilla Insecure File specification

As such as soon as the service is started, the Path not being quoted, c:\program.exe is executed with NT/SYSTEM rights (The one the filezilla ftp service would have had). If we create a program named c:\program.exe that shells NETCAT (and mysql) which spawns a shell to a remote host, we have SYSTEM acces remotely.


c:\Program.exe being executed with SYSTEM priviledges

 

[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path specification
- The default installation path used during installation of Xampp 1.5.2 is "c:\program files"
- The MYSSQLAdmin 1.4 console comes with a messed up configuration file, first the "/" character instead of "\"is used to indicate the path to the executable, furthermore the path is not quoted, resulting in yet another priviledge escalation situation, if the user launches the Mysql Admin console.


Xampp Control panel - Mysql Admin button

 


Invalid and insecure Path specification - MYSQLAdmin 1.4

As the user clicks "Admin.." to launch the MySqlAdmin interface, the Path not being quoted in the configuration file , c:\program.exe is executed with NT/SYSTEM rights.

c:\Program.exe being executed with SYSTEM priviledges

 

[3] Priviledge Escaltation to SYSTEM due to CGI Path specification
- The default installation path used during installation of Xampp 1.5.2 is "c:\program files"
- Apache runs as a service
- An user clicks on STATUS in the XAMMPP control panel or calls a CGI script over http.


Content of cgi.cgi executed when clicking on Status
The path is not quoted thus executing c:\program.exe


As the user clicks on the Status link inside the control panel or executes a CGI program with the same path specified , c:\program.exe is executed with NT/SYSTEM rights if apache runs as a service.



c:\Program.exe being executed with SYSTEM priviledges

 

[4] Rogue Autostart due to unsecure File execution
- The default installation path used during installation of Xampp 1.5.2 is "c:\program files"

During Startup, the installer executes the xampp control panel through the use of the CreateProcess() function. By doing so it omits to set the 'lpApplicationName' variable and further omits to quote the path in the variable "lpCommandLine". Ref [1]

This results in c:\program.bat|exe|com being called prior to xamppcontrol.exe and allows automatic startup of a potentially rogue application.

Downloads :
TXT, PDF

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Only a real issue in Windows 2000, WinXP restricted users don't have the right to write to c:\