EasyPHP Devserver 16.1.1 – Insecure File Permissions Privilege Escalation

• Exploit Database
• 21 阅读

• 作者： Ashiyane Digital Security Team
  日期： 2016-12-11
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40902/

• Title: EasyPHP Devserver Insecure File Permissions Privilege Escalation
  Application: EasyPHP Devserver
  Versions Affected: 16.1
  Vendor URL: http://www.easyphp.org/
  Discovered by: Ashiyane Digital Security Team ~ Micle
  Tested on: Windows 10 Professional x86
  Bugs: Insecure File Permissions Privilege Escalation
  Source: http://www.micle.ir/exploits/1003
  Date: 10-Dec-2016
  
  Description:
  EasyPHP installs by default to "C:\Program Files\EasyPHP-Devserver-16.1" 
  with very weak file permissions granting any
  user full permission to the exe. This allows opportunity for code 
  execution against any other user running the application.
  
  Proof:
  C:\Program Files\EasyPHP-Devserver-16.1>cacls run-easyphp-devserver.exe
  C:\Program Files\EasyPHP-Devserver-16.1\run-easyphp-devserver.exe 
  BUILTIN\Users:(ID)C
  NT AUTHORITY\SYSTEM:(ID)F
   BUILTIN\Administrators:(ID)F
   APPLICATION PACKAGE AUTHORITY\ALL 
  APPLICATION PACKAGES:(ID)R
  
  Exploit:
  Simply replace run-easyphp-devserver.exe and wait for execution.