XAMPP - Multiple Privilege Escalation and Rogue Autostart
Introduction :
XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use - just download, extract and start.
In the FAQ we read : Xampp is not meant for production use but only for developers in a development environment. However I have seen it being used in production environments quite a lot, hence this advisory. According to the download stats, Xampp has been downloaded 2.765.443 times between 2003 and 2006.
Title : Xampp - Multiple Privilege Escalation and Rogue Autostart
Ref : TZO-062006-Xamp
[1] Privilege Escalation to SYSTEM due to FileZilla Service Path specification - CVSS Rating : 4
[2] Privilege Escalation to SYSTEM due to MySQLadmin Path specification - CVSS Rating : 4
[3] Privilege Escalation to SYSTEM due to CGI Path specification - CVSS Rating : 4
[4] Rogue Autostart due to insecure File execution - CVSS Rating : 2.8
[1] Privilege Escalation to SYSTEM due to FileZilla Service Path specification :
- The default installation path used during installation of Xampp 1.5.2 is "c:\program files"
- The path specified in the service image is not being quoted :
Screenshot: FileZilla insecure file specification
As such, as soon as the service is started, the path not being quoted, c:\program.exe is executed with NT/SYSTEM rights (the ones the FileZilla FTP service would have had). If we create a program named c:\program.exe that shells NETCAT (and mysql) which spawns a shell to a remote host, we have SYSTEM access remotely.
Screenshot: c:\Program.exe being executed with SYSTEM privileges
[2] Privilege Escalation to SYSTEM due to MySQLadmin Path specification
- The default installation path used during installation of Xampp 1.5.2 is "c:\program files"
- The MySQLAdmin 1.4 console comes with a messed up configuration file: first, the "/" character is used instead of "\" to indicate the path to the executable; furthermore the path is not quoted, resulting in yet another privilege escalation situation if the user launches the MySQL Admin console.
Screenshot: Xampp Control panel - MySQL Admin button
Screenshot: Invalid and insecure path specification - MySQLAdmin 1.4
As the user clicks "Admin.." to launch the MySQLAdmin interface, the path not being quoted in the configuration file, c:\program.exe is executed with NT/SYSTEM rights.
Screenshot: c:\Program.exe being executed with SYSTEM privileges
[3] Privilege Escalation to SYSTEM due to CGI Path specification
- The default installation path used during installation of Xampp 1.5.2 is "c:\program files"
- Apache runs as a service
- A user clicks on STATUS in the XAMPP control panel or calls a CGI script over http.
Screenshot: Content of cgi.cgi executed when clicking on Status
Screenshot: The path is not quoted, thus executing c:\program.exe
As the user clicks on the Status link inside the control panel or executes a CGI program with the same path specified, c:\program.exe is executed with NT/SYSTEM rights if Apache runs as a service.
Screenshot: c:\Program.exe being executed with SYSTEM privileges
[4] Rogue Autostart due to insecure File execution
- The default installation path used during installation of Xampp 1.5.2 is "c:\program files"
During startup, the installer executes the XAMPP control panel through the use of the CreateProcess() function. By doing so it omits to set the 'lpApplicationName' parameter and further omits to quote the path in the 'lpCommandLine' parameter. Ref [1]
This results in c:\program.bat|exe|com being called prior to xamppcontrol.exe and allows automatic startup of a potentially rogue application.
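As an added example (not code from the advisory or from XAMPP), the following Python reproduces the CreateProcess lookup order for an unquoted command line that findings [1] to [4] rely on, lists the spurious files a service or launcher would try before the intended binary, and quotes the path the way a fix would. The service names and paths in it are constructed, and it assumes the executable ends at the first ".exe".

```python
# Added example, not from the advisory: audits Windows service ImagePath / command
# lines for the unquoted-path bug, reproducing the documented CreateProcess lookup
# order (lpApplicationName NULL) and producing the quoted form a fix writes back.
import ntpath
import re

# Constructed sample values (assumed, not copied from the page). The first two
# mirror findings [1] and [2] ("/" separators are the MySQLAdmin config case);
# the last two are safe: quoted, or no space inside the executable path.
SAMPLE_IMAGE_PATHS = {
    "FileZillaServer": r"c:\program files\xampp\FileZillaFTP\FileZillaServer.exe",
    "mysqladmin_cfg": "c:/program files/xampp/mysql/bin/mysqladmin.exe -u root",
    "nested_spaces": r"c:\program files\my app\bin\server.exe --service",
    "quoted_ok": r'"c:\program files\xampp\apache\bin\apache.exe" -k runservice',
    "no_space": r"c:\windows\system32\svchost.exe -k netsvcs",
}

def _normalize(command_line):
    # Windows accepts "/" as a separator; fold it so both spellings are audited alike.
    return command_line.strip().replace("/", "\\")

def _executable_end(cmd):
    # Heuristic: the executable ends at the first ".exe"; anything after is arguments.
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return m.end() if m else len(cmd)

def candidate_executables(command_line):
    """Files CreateProcess tries, in order, for an unquoted command line: every
    space-delimited prefix, with .exe appended when the prefix has no extension.
    A leading quote ends the search at the closing quote (a single candidate)."""
    cmd = _normalize(command_line)
    if cmd.startswith('"'):
        return [cmd[1:cmd.find('"', 1)]]
    exe = cmd[:_executable_end(cmd)]
    out, prefix = [], ""
    for token in exe.split(" "):
        prefix = token if not prefix else prefix + " " + token
        out.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return out

def spurious_executables(command_line):
    """Files tried before the intended binary; empty means the entry is safe."""
    return candidate_executables(command_line)[:-1]

def quote_image_path(command_line):
    """Fix: quote the executable part and keep the arguments as they are."""
    cmd = _normalize(command_line)
    end = _executable_end(cmd)
    return cmd if not spurious_executables(cmd) else f'"{cmd[:end]}"{cmd[end:]}'
```

Running spurious_executables over the sample set flags the first three entries with c:\program.exe as the first file tried, which is exactly the path the advisory shows being executed as SYSTEM.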
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Only a real issue in Windows 2000; WinXP restricted users don't have the right to write to c:\
Disclaimer
The views and opinion expressed herein are my personal views and are not intended to reflect the views of my employer or any other entity.