[TZO-072006]-Xampp - Multiple Priviledge Escalation (SYSTEM) and Rogue Autostart

To: cert@xxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, <news@xxxxxxxxxxxxxx>, <submissions@xxxxxxxxxxxxxxx>, <news@xxxxxxxxxx>
Subject: [TZO-072006]-Xampp - Multiple Priviledge Escalation (SYSTEM) and Rogue Autostart
From: Thierry Zoller <Thierry@xxxxxxxxx>
Date: Sun, 21 May 2006 18:57:39 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Kachkeis Liebhaber CoKG
Reply-to: Thierry Zoller <Thierry@xxxxxxxxx>

_______________________________________________________________________

       XAMPP - Multiple Priviledge Escalation and Rogue Autostart
_______________________________________________________________________


Ref     : TZO-072006-Xampp
Author  : Thierry Zoller 
WWW     : http://secdev.zoller.lu
Article : http://secdev.zoller.lu/research/xamp1.htm



I. Background
~~~~~~~~~~~~~
XAMPP is an easy to install Apache distribution containing MySQL, PHP 
and Perl. XAMPP  is really  very easy to  install and to  use  - just 
download, extract and start. In the FAQ we read : Xampp  is not meant
for  production  use  but  only  for  developers  in  a   development 
environment.  However  I   have seen  it  being  used  in  production 
environments  quite a lot,hence this advisory.

According to the download stats, Xampp has  been downloaded 2.765.443 
times between 2003 and 2006 


[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path 
    specification - CVSS Rating : 4 
[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path 
    specification - CVSS Rating : 4
[3] Priviledge Escaltation to SYSTEM due to CGI Path specification
    - CVSS Rating : 4
[4] Rogue Autostart due to unsecure File execution 
    - CVSS Rating : 2.8

II. Details
~~~~~~~~~~~~~

[1] Priviledge Escaltation to SYSTEM due to FileZilla Service Path 
specification :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp 
  1.5.2 is "c:\program files" 
- The path specified in the service image is not being quoted :


As such as soon as the service is started, the Path not being quoted, 
c:\program.exe   is  executed  with   NT/SYSTEM rights  (The one the 
filezillaftp service would have had).  If we  create a program named
c:\program.exe that shells NETCAT (and mysql)  which  spawns a shell
to a remote host, we have SYSTEM acces remotely.



[2] Priviledge Escaltation to SYSTEM due to MySQLadmin Path specification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp 
1.5.2 is "c:\program files" 
- The MYSSQLAdmin 1.4 console comes with a messed up configuration
  file, first the  "/" character instead of "\"is used to indicate 
  the path to the executable, furthermore  the  path is not quoted,
  resulting  in yet  another priviledge escalation  situation, if 
  the user launches the Mysql Admin console.

As the user clicks "Admin.." to launch the MySqlAdmin interface, the
Path not being quoted in the configuration file , c:\program.exe 
is executed with NT/SYSTEM rights.



[3] Priviledge Escaltation to SYSTEM due to CGI Path specification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp 
  1.5.2 is "c:\program files" 
- Apache runs as a service
- An user clicks on STATUS in the XAMMPP control panel or calls a
  CGI script over http.


As the user clicks on the Status link inside the control panel 
or executes a CGI program with the same path specified , 
c:\program.exe is executed with NT/SYSTEM rights if apache 
runs as a service.


[4] Rogue Autostart due to unsecure File execution 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default installation path used during installation of Xampp 
  1.5.2 is "c:\program files" 

During Startup, the installer executes  the xampp  control panel 
through the use  of the CreateProcess()  function.  By doing so 
it omits  to set the 'lpApplicationName'  variable and  further 
omits to quote the path in the variable "lpCommandLine". Ref [1]

This results  in c:\program.bat|exe|com  being called  prior to 
xamppcontrol.exe and allows automatic startup  of a potentially
rogue application. 

III. Vendor Response
~~~~~~~~~~~~~~~~~~~~
http://www.apachefriends.org/en/news-article,75557.html

[06/May] Vendor Contact
[07/May] Vendor Response
[09/May] The current Windows beta fixes two of the problems based on
         this bug. We expect the next beta soon which will fix all
         four problems.
[10/May] The new Windows beta now fixes all problems.


IV. MISC
~~~~~~~~~~~~~~~~~~~~
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Only a real issue in Windows 2000, WinXP restricted users don't have the 
right to write to c:\




-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

Prev by Date: XOOPS <= 2.0.13.2 'xoopsOption[nocommon]' exploit
Next by Date: [ GLSA 200605-14 ] libextractor: Two heap-based buffer overflows
Previous by thread: XOOPS <= 2.0.13.2 'xoopsOption[nocommon]' exploit
Next by thread: [ GLSA 200605-14 ] libextractor: Two heap-based buffer overflows
Index(es):
- Date
- Thread