EasyPHP Devserver 16.1.1 – Insecure File Permissions Privilege Escalation - 体验盒子

作者： Ashiyane Digital Security Team

日期： 2016-12-11

类别：

local

平台：

windows

来源：https://www.exploit-db.com/exploits/40902/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Title: EasyPHP Devserver Insecure File Permissions Privilege Escalation

Application: EasyPHP Devserver

Versions Affected: 16.1

Vendor URL: http://www.easyphp.org/

Discovered by: Ashiyane Digital Security Team ~ Micle

Tested on: Windows 10 Professional x86

Bugs: Insecure File Permissions Privilege Escalation

Source: http://www.micle.ir/exploits/1003

Date: 10-Dec-2016

Description:

EasyPHP installs by default to "C:\Program Files\EasyPHP-Devserver-16.1"

with very weak file permissions granting any

user full permission to the exe. This allows opportunity for code

execution against any other user running the application.

Proof:

C:\Program Files\EasyPHP-Devserver-16.1>cacls run-easyphp-devserver.exe

C:\Program Files\EasyPHP-Devserver-16.1\run-easyphp-devserver.exe

BUILTIN\Users:(ID)C

NT AUTHORITY\SYSTEM:(ID)F

BUILTIN\Administrators:(ID)F

APPLICATION PACKAGE AUTHORITY\ALL

APPLICATION PACKAGES:(ID)R

Exploit:

Simply replace run-easyphp-devserver.exe and wait for execution.