Lucene search
K

Wampserver 3.0.6 Privilege Escalation

🗓️ 26 Dec 2016 00:00:00Reported by Heliand DemaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 40 Views

Wampserver 3.0.6 Privilege Escalation, Weak File Permissions, SYSTEM Privileges, Local User Arbitrary Code Executio

Code
`  
=====================================================  
# Vendor Homepage: http://www.wampserver.com/  
# Date: 10 Dec 2016  
# Version : Wampserver 3.0.6 32 bit x86  
# Tested on: Windows 7 Ultimate SP1 (EN)  
# Author: Heliand Dema  
# Contact: [email protected]  
# CVE: 2016-10031  
=====================================================  
  
Wampserver installs two services called 'wampapache' and 'wampmysqld'  
with weak file permission running with SYSTEM privileges.  
This could potentially allow an authorized but non-privileged local user  
to execute arbitrary code with elevated privileges on the system.  
  
C:\>sc qc wampapache  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: wampapache  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 3 DEMAND_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME :  
"c:\wamp\bin\apache\apache2.4.23\bin\httpd.exe" -k runservice  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : wampapache  
DEPENDENCIES : Tcpip  
: Afd  
SERVICE_START_NAME : LocalSystem  
  
  
  
PS C:\> icacls c:\wamp\bin\apache\apache2.4.23\bin\httpd.exe  
c:\wamp\bin\apache\apache2.4.23\bin\httpd.exe  
BUILTIN\Administrators:(I)(F) <--- Full Acces  
NT AUTHORITY\SYSTEM:(I)(F)  
BUILTIN\Users:(I)(RX)  
NT AUTHORITY\Authenticated  
Users:(I)(M) <--- Modify  
  
  
C:\Windows\system32>sc qc wampmysqld  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: wampmysqld  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 3 DEMAND_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME :  
c:\wamp\bin\mysql\mysql5.7.14\bin\mysqld.exe wampmysqld  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : wampmysqld  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
  
PS C:\> icacls c:\wamp\bin\mysql\mysql5.7.14\bin\mysqld.exe  
c:\wamp\bin\mysql\mysql5.7.14\bin\mysqld.exe  
BUILTIN\Administrators:(I)(F) <--- Full Acces  
NT AUTHORITY\SYSTEM:(I)(F)  
BUILTIN\Users:(I)(RX)  
NT AUTHORITY\Authenticated  
Users:(I)(M) <--- Modify  
  
  
Notice the line: NT AUTHORITY\Authenticated Users:(I)(M) which lists the  
permissions for authenticated however unprivileged users. The (M) stands  
for Modify, which grants us, as an unprivileged user, the ability to  
read, write and delete files and subfolders within this folder.  
  
  
====Proof-of-Concept====  
  
To properly exploit this vulnerability, the local attacker must insert  
an executable file called mysqld.exe or httpd.exe and replace the  
original files. Next time service starts the malicious file will get  
executed as SYSTEM.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation