XAMPP 7.1.1-0-VC14 DLL Hijacking

2017-05-06T00:00:00
ID PACKETSTORM:142406
Type packetstorm
Reporter Stefan Kanthak
Modified 2017-05-06T00:00:00

Description

                                        
Hi @ll,
  
xampp-win32-7.1.1-0-VC14-installer.exe, available from
<https://www.apachefriends.org/download.html>, is vulnerable,
dangerous and defective.

ALL other executable installers built with BitRock InstallBuilder
(which of course includes BitRock's InstallBuilder itself) are
vulnerable and defective too.
  
0. DANGEROUS  
~~~~~~~~~~~~  
  
0.a It instructs its unsuspecting users with a dialog box  
______________________________________________________________________  
| Warning [X]  
|----------------------------------------------------------------------  
| ^ Important! Because an activated User Account Control (UAC)  
| /!\ on your system some functions of XAMPP are possibly restricted.  
| --- With UAC please avoid to install XAMPP to C:\Program Files  
| (missing write permissions). Or deactivate UAC with msconfig  
| after this setup.  
| [ OK ]  
|  
----------------------------------------------------------------------  
to circumvent a security boundary (the write-protected %ProgramFiles%)
or to disable a security feature (UAC) altogether.
  
0.b The second alternative (deactivating UAC) assumes that users don't
use (unprivileged) STANDARD user accounts, but the (protected)
administrator account created during Windows setup.
  
Compare Microsoft's recommendations
<https://technet.microsoft.com/en-us/library/ee679793.aspx>:  
  
| Do not disable UAC  
...  
| Use standard user accounts  
  
  
1. VULNERABLE  
~~~~~~~~~~~~~  
  
1.a It loads (at least) SAMCli.dll, SchedCli.dll and LogonCli.dll
(tested on Windows 7 SP1) from its "application directory"
instead of from Windows' "system directory" %SystemRoot%\System32\,
resulting in arbitrary code execution. These DLLs are not on the
KnownDLLs list, so the default DLL search order consults the
application directory before the system directory, and a DLL of
the same name placed next to the installer is the one that gets
loaded.
  
For software downloaded with a web browser the "application  
directory" is typically the user's "Downloads" directory: see  
<http://seclists.org/fulldisclosure/2015/Nov/101> and  
<http://seclists.org/fulldisclosure/2015/Dec/86> plus  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,  
<http://seclists.org/fulldisclosure/2012/Aug/134> and  
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
  
Also see <https://cwe.mitre.org/data/definitions/426.html>,  
<https://cwe.mitre.org/data/definitions/427.html>,  
<https://capec.mitre.org/data/definitions/471.html> and  
<https://skanthak.homepage.t-online.de/!execute.html>  
  
1.b It creates 10 DLLs named BR<4 hex digits>.tmp in the user's
%TEMP% directory and loads them during the installation.

An unprivileged attacker (any process running under the same user
account, since %TEMP% is per-user and user-writable) can replace
these DLLs in the window between their creation and loading, for
example using the following (trivial) batch script, again resulting
in arbitrary code execution:
  
--- BITROCK.CMD ---
Rem Busy-wait until the installer has created its temporary DLLs.
Rem Adjust the pattern if the files carry the .tmp extension named above.
:WAIT
If Not Exist "%TEMP%\BR????.DLL" Goto :WAIT
Rem Overwrite every one of them before the installer loads it.
For %%! In ("%TEMP%\BR????.DLL") Do Copy SENTINEL.DLL "%%!"
--- EOF ---
  
See <https://skanthak.homepage.t-online.de/sentinel.html> for  
SENTINEL.DLL  
  
1.c Thanks to the embedded application manifest, which specifies
"requireAdministrator", the installer is started with
administrative privileges ("protected" administrators are
prompted for consent, unprivileged standard users are prompted
for an administrator password), so loading any of the DLLs named
above results in an escalation of privilege!

If one of the DLLs named above gets planted in the user's
"Downloads" directory, for example via a "drive-by download",
this vulnerability becomes a remote code execution WITH
escalation of privilege.

Note for 1.b: %TEMP% is resolved from the profile of the account the
elevated installer runs under. The race therefore works against the
(default) "protected" administrator, whose unelevated processes share
that %TEMP%; when a standard user supplies a different administrator's
password, the installer's %TEMP% belongs to that other account.
  
  
2. DEFECTIVE  
~~~~~~~~~~~~  
  
2.a It has INVALID PE (section) headers; Microsoft's DUMPBIN.EXE
aborts with an "access violation" (see below) due to the INVALID
section name "/4"! A name of the form "/<decimal>" is a reference
into the COFF string table, which exists only in object files, not
in executable images.
  
From the PE/COFF specification, available via  
<https://www.microsoft.com/en-us/download/details.aspx?id=19509>  
  
| Offset Size Field Description  
| 0 8 Name An 8-byte, null-padded UTF-8 encoded string.  
| If the string is exactly 8 characters long,  
| there is no terminating null. For longer names,  
| this field contains a slash (/) that is followed  
| by an ASCII representation of a decimal number  
| that is an offset into the string table.  
| Executable images do not use a string table and do  
| not support section names longer than 8 characters.  
| Long names in object files are truncated if they  
| are emitted to an executable file.  
  
2.b The IMPORT directory contains 2 IMAGE_IMPORT_DESCRIPTOR entries
for msvcrt.dll.

It should have only one IMAGE_IMPORT_DESCRIPTOR per DLL!
See the PE/COFF specification:
  
| Import Directory Table  
...  
| The import directory table consists of an array of import directory  
| entries, one entry for each DLL to which the image refers.  
  
  
Mitigations:  
~~~~~~~~~~~~  
  
* Don't build executable installers; they are almost always vulnerable!

Create native installation packages for the respective OS instead.
For Windows these are .MSI or .INF with .CAB.

If an executable installer must be shipped anyway, it has to load
system DLLs via LoadLibraryEx() with LOAD_LIBRARY_SEARCH_SYSTEM32 (or
call SetDefaultDllDirectories() first) and must not load code from a
user-writable location such as %TEMP%; see the "load library safely"
article linked above.

* Don't use executable installers!

* Stay FAR away from so-called products of companies like BitRock
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2017-02-17 vulnerability report sent to one of the customers/users  
of BitRock, the maker of XAMPP and the equally vulnerable  
and defective BitRock InstallBuilder  
  
2017-02-18 reply from this customer:  
"I have [therefore] escalated this report to Bitrock's  
support team."  
  
NO REPLY from Bitrock's support team.  
  
2017-02-19 vulnerability report sent to the German tax office: their
"Elster Formular" software was built with the vulnerable
and defective BitRock InstallBuilder too
  
NO REPLY, not even an acknowledgement of receipt from the
German tax office
  
2017-02-26 vulnerability report sent to BitRock, maker of XAMPP,  
Bitnami and BitRock InstallBuilder  
  
2017-02-27 reply from BitRock: some lame excuses, and  
"Thank you again for sharing all of the concerns with us."  
but no hint/ETA for a fix  
  
2017-02-27 vulnerability report resent to the German tax office
  
2017-03-03 reply from the German tax office:
"we've rebuilt our installers, the vulnerability is  
fixed."  
  
2017-03-06 NO, it is NOT fixed, the installer still shows the  
reported defects/vulnerabilities  
  
2017-03-23 reply from the German tax office:
"we are working on an .MSI installer; ETA April 18"  
  
2017-04-26 the German tax office published .MSI installers for their
"Elster Formular" software
  
2017-05-04 report published  
  
  
Evidence:  
~~~~~~~~~  
  
C:\>link.exe /dump /headers xampp-win32-7.1.1-0-VC14-installer.exe  
  
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762  
Copyright (C) Microsoft Corporation. All rights reserved.  
  
  
Dump of file xampp-win32-7.1.1-0-VC14-installer.exe  
  
PE signature found  
  
File Type: EXECUTABLE IMAGE  
  
FILE HEADER VALUES  
14C machine (x86)  
B number of sections  
58071D79 time date stamp Wed Oct 19 09:15:05 2016  
2B5C00 file pointer to symbol table  
0 number of symbols  
E0 size of optional header  
32E characteristics  
Executable  
Line numbers stripped  
Symbols stripped  
Application can handle large (>2GB) addresses  
32 bit word machine  
Debug information stripped  
  
OPTIONAL HEADER VALUES  
10B magic # (PE32)  
2.22 linker version  
1D2C00 size of code  
2B5800 size of initialized data  
1C00 size of uninitialized data  
12A0 entry point (004012A0)  
1000 base of code  
1D4000 base of data  
400000 image base (00400000 to 006BDFFF)  
1000 section alignment  
200 file alignment  
4.00 operating system version  
1.00 image version  
4.00 subsystem version  
0 Win32 version  
2BE000 size of image  
400 size of headers  
787749C checksum  
2 subsystem (Windows GUI)  
540 DLL characteristics  
Dynamic base  
NX compatible  
No structured exception handler  
200000 size of stack reserve  
1000 size of stack commit  
100000 size of heap reserve  
1000 size of heap commit  
0 loader flags  
10 number of directories  
280000 [ 6E] RVA [size] of Export Directory  
281000 [ 3C04] RVA [size] of Import Directory  
287000 [ 22B34] RVA [size] of Resource Directory  
0 [ 0] RVA [size] of Exception Directory  
786BB58 [ 10B0] RVA [size] of Certificates Directory  
2AA000 [ 13850] RVA [size] of Base Relocation Directory  
0 [ 0] RVA [size] of Debug Directory  
0 [ 0] RVA [size] of Architecture Directory  
0 [ 0] RVA [size] of Global Pointer Directory  
286000 [ 18] RVA [size] of Thread Storage Directory  
0 [ 0] RVA [size] of Load Configuration Directory  
0 [ 0] RVA [size] of Bound Import Directory  
2819AC [ 894] RVA [size] of Import Address Table Directory  
0 [ 0] RVA [size] of Delay Import Directory  
0 [ 0] RVA [size] of COM Descriptor Directory  
0 [ 0] RVA [size] of Reserved Directory  
  
  
SECTION HEADER #1  
.text name  
1D2B94 virtual size  
1000 virtual address (00401000 to 005D3B93)  
1D2C00 size of raw data  
400 file pointer to raw data (00000400 to 001D2FFF)  
0 file pointer to relocation table  
0 file pointer to line numbers  
0 number of relocations  
0 number of line numbers  
60500060 flags  
Code  
Initialized Data  
RESERVED - UNKNOWN  
RESERVED - UNKNOWN  
Execute Read  
  
SECTION HEADER #2  
.data name  
1400C virtual size  
1D4000 virtual address (005D4000 to 005E800B)  
14200 size of raw data  
1D3000 file pointer to raw data (001D3000 to 001E71FF)  
0 file pointer to relocation table  
0 file pointer to line numbers  
0 number of relocations  
0 number of line numbers  
C0600040 flags  
Initialized Data  
RESERVED - UNKNOWN  
RESERVED - UNKNOWN  
Read Write  
  
SECTION HEADER #3  
.rdata name  
425C0 virtual size  
1E9000 virtual address (005E9000 to 0062B5BF)  
42600 size of raw data  
1E7200 file pointer to raw data (001E7200 to 002297FF)  
0 file pointer to relocation table  
0 file pointer to line numbers  
0 number of relocations  
0 number of line numbers  
40600040 flags  
Initialized Data  
RESERVED - UNKNOWN  
RESERVED - UNKNOWN  
Read Only  
  
LINK : fatal error LNK1000: Internal error during DumpSections  
  
Version 8.00.50727.762  
  
ExceptionCode = C0000005  
ExceptionFlags = 00000000  
ExceptionAddress = 00427362 (00400000) "C:\Program Files\...\LINK.EXE"  
NumberParameters = 00000002  
ExceptionInformation[ 0] = 00000000  
ExceptionInformation[ 1] = 00000004  
  
CONTEXT:  
Eax = 40000040 Esp = 0012E510  
Ebx = 0000014C Ebp = 00000000  
Ecx = 00000007 Esi = 00000004  
Edx = 00000004 Edi = 00403D00  
Eip = 00427362 EFlags = 00010246  
SegCs = 0000001B SegDs = 00000023  
SegSs = 00000023 SegEs = 00000023  
SegFs = 0000003B SegGs = 00000000  
Dr0 = 00000000 Dr3 = 00000000  
Dr1 = 00000000 Dr6 = 00000000  
Dr2 = 00000000 Dr7 = 00000000  
  
  
  