WampServer 3.0.6 – Insecure File Permissions/Privilege Escalation

An insecure file permissions vulnerability has been discovered in the official WampServer v3.0.6 software. The vulnerability exists due to insecure default permissions set on wampmanager.exe and unins000.exe. A local attacker could exploit this vulnerability by replacing wampmanager.exe or unins000.exe with a malicious executable file. The malicious file could then execute or make modifications with LocalSystem permissions.

Product & Service Introduction:
===============================

WampServer (formerly WAMP5) is a WAMP-type Web development platform for running PHP scripts locally (without connecting to an external server).
WampServer is not in itself a piece of software but an environment with two servers (Apache and MySQL), a script interpreter (PHP) and phpMyAdmin for
Web administration of MySQL databases.

(Copy of the Vendor Homepage: http://www.wampserver.com/)

Date of Discovery:
==================

2016-09-30

Exploitation Technique:
=======================

Local

Platform Tested:
================

Windows 7

Solution – Fix & Patch:
=======================

Include multiple integrity checks for the software files on startup and during the static runtime.
Change the access permissions for the process of all three executable files (‘wampmanager.exe’ and ‘unins000.exe’).

Levels Risk :

Proof of Concept (PoC):
=======================

WampServer for Windows contains a vulnerability that could allow a local attacker to gain elevated privileges. For security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.

-- PoC Exploit --
C:\wampp>icacls wampmanager.exe
wampmanager.exe BUILTIN\Administrateurs:(I)(F)        <--- Full Access
                AUTORITE NT\Système:(I)(F)
                BUILTIN\Utilisateurs:(I)(RX)
                AUTORITE NT\Utilisateurs authentifiés:(I)(M)       <--- Modify

1 fichiers correctement traités ; échec du traitement de 0 fichiers

C:\wampp>icacls unins000.exe
unins000.exe BUILTIN\Administrateurs:(I)(F)       <--- Full Access
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)
             AUTORITE NT\Utilisateurs authentifiés:(I)(M)       <--- Modify

1 fichiers correctement traités ; échec du traitement de 0 fichiers
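
The icacls check above can be automated when auditing an installation. The script below is an added example, not part of the original advisory or of WampServer: it lists executables whose ACL lets broad, low-privileged groups modify them, matching on well-known SIDs because group names are localized (as in the French output above). The default path C:\wampp and the use of PowerShell 3.0 or later are assumptions.

```powershell
# Added example: report .exe files that low-privileged groups can modify.
param(
    # Assumption: install directory taken from the PoC prompt; adjust as needed.
    [string]$Path = 'C:\wampp'
)

# Well-known SIDs of broad, low-privileged groups (independent of UI language).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow replacing or altering a file; icacls (M) and (F) include them.
$rights    = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($rights'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership')
# Also catch raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = $writeMask -bor 0x50000000

Get-ChildItem -LiteralPath $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $acl  = Get-Acl -LiteralPath $file.FullName
    # Request SIDs instead of translated (localized) account names.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        $isAllow  = $rule.AccessControlType -eq 'Allow'
        $canWrite = (([int]$rule.FileSystemRights) -band $writeMask) -ne 0
        if ($isAllow -and $canWrite -and $lowPriv.ContainsKey($sid)) {
            # One output object per risky ACE, suitable for Export-Csv or review.
            [pscustomobject]@{
                File      = $file.FullName
                Principal = $lowPriv[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}
```

An Inherited value of True, matching the (I) flag in the icacls output, means the permission comes from the parent directory, so the fix belongs on the install folder rather than on each file.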
