
[FD] Executable installers are vulnerable^Wdefective^WEVIL (case 49): xampp-win32-7.1.1-0-VC14-installer.exe allows escalation of privilege



Hi @ll,

xampp-win32-7.1.1-0-VC14-installer.exe, available from
<https://www.apachefriends.org/download.html>, is vulnerable,
dangerous and defective.

ALL other executable installers built with BitRock InstallBuilder
(which of course includes BitRock's InstallBuilder itself) are
vulnerable and defective too.

0. DANGEROUS
~~~~~~~~~~~~

0.a It instructs its unsuspecting users with a dialog box
 ______________________________________________________________________
| Warning                                                           [X]
|¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
|  ^  Important! Because an activated User Account Control (UAC)
| /!\ on your system some functions of XAMPP are possibly restricted.
| ¯¯¯ With UAC please avoid to install XAMPP to C:\Program Files
|     (missing write permissions). Or deactivate UAC with msconfig
|     after this setup.
|                             [ OK ]
|
 ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    to circumvent a security boundary or a security feature.

0.b The second alternative assumes that users don't use (unprivileged)
    STANDARD user accounts, but the (protected) administrator account
    created during Windows setup.

    But see Microsoft's recommendations
    <https://technet.microsoft.com/en-us/library/ee679793.aspx>:

| Do not disable UAC
...
| Use standard user accounts


1. VULNERABLE
~~~~~~~~~~~~~

1.a It loads (at least) SAMCli.dll, SchedCli.dll and LogonCli.dll
    (tested on Windows 7 SP1) from its "application directory"
    instead of Windows' "system directory" %SystemRoot%\System32\,
    resulting in arbitrary code execution.

    For software downloaded with a web browser the "application
    directory" is typically the user's "Downloads" directory: see
    <http://seclists.org/fulldisclosure/2015/Nov/101> and
    <http://seclists.org/fulldisclosure/2015/Dec/86> plus
    <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
    <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
    <http://seclists.org/fulldisclosure/2012/Aug/134> and
    <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

    Also see <https://cwe.mitre.org/data/definitions/426.html>,
    <https://cwe.mitre.org/data/definitions/427.html>,
    <https://capec.mitre.org/data/definitions/471.html> and
    <https://skanthak.homepage.t-online.de/!execute.html>

1.b It creates 10 DLLs named BR<4 hex digits>.tmp in the user's
    %TEMP% directory and loads them during the installation.

    An unprivileged attacker can modify these DLLs between their
    creation and loading, for example using the following (trivial)
    batch script, again resulting in arbitrary code execution:

    --- BITROCK.CMD ---
    :WAIT
    If Not Exist "%TEMP%\BR????.DLL" Goto :WAIT
    For %%! In ("%TEMP%\BR????.DLL") Do Copy SENTINEL.DLL "%%!"
    --- EOF ---

    See <https://skanthak.homepage.t-online.de/sentinel.html> for
    SENTINEL.DLL

1.c Thanks to the embedded application manifest which specifies
    "requireAdministrator" the installer will be started with
    administrative privileges ("protected" administrators are
    prompted for consent, unprivileged standard users are prompted
    for an administrator password), resulting in an escalation of
    privilege if (one of) the DLLs named above get(s) executed!

    If (one of) the DLLs named above get(s) planted in the user's
    "Downloads" directory, for example per "drive-by download",
    this vulnerability becomes a remote code execution WITH
    escalation of privilege.


2. DEFECTIVE
~~~~~~~~~~~~

2.a It has INVALID PE (section) headers; Microsoft's DUMPBIN.EXE
    aborts with "access violation" (see below) due to the INVALID
    section name "/4"!

    From the PE/COFF specification, available via
    <https://www.microsoft.com/en-us/download/details.aspx?id=19509>

| Offset  Size  Field  Description
|      0     8  Name   An 8-byte, null-padded UTF-8 encoded string.
|                      If the string is exactly 8 characters long,
|                      there is no terminating null. For longer names,
|                      this field contains a slash (/) that is followed
|                      by an ASCII representation of a decimal number
|                      that is an offset into the string table.
|                      Executable images do not use a string table and do
|                      not support section names longer than 8 characters.
|                      Long names in object files are truncated if they
|                      are emitted to an executable file.

2.b The IMPORT directory contains 2 IMAGE_IMPORT_DESCRIPTOR entries
    for msvcrt.dll.

    But it should have only 1 IMAGE_IMPORT_DESCRIPTOR per DLL!
    See the PE/COFF specification:

| Import Directory Table
...
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.


Mitigations:
~~~~~~~~~~~~

* Don't build executable installers; they are almost always vulnerable!

  Create native installation packages for the respective OS instead.
  For Windows these are .MSI or .INF with .CAB.

* Don't use executable installers!

* Stay FAR away from so-called products of companies like BitRock


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-02-17    vulnerability report sent to one of the customers/users
              of BitRock, the maker of XAMPP and the equally vulnerable
              and defective BitRock InstallBuilder

2017-02-18    reply from this customer:
              "I have [therefore] escalated this report to Bitrock's
               support team."

              NO REPLY from Bitrock's support team.

2017-02-19    vulnerability report sent to the German tax office: their
              "Elster Formular" software was built with the vulnerable
              and defective BitRock InstallBuilder too

              NO REPLY, not even an acknowledgement of receipt from the
              German tax office

2017-02-26    vulnerability report sent to BitRock, maker of XAMPP,
              Bitnami and BitRock InstallBuilder

2017-02-27    reply from BitRock: some lame excuses, and
              "Thank you again for sharing all of the concerns with us."
              but no hint/ETA for a fix

2017-02-27    vulnerability report resent to German tax office

2017-03-03    reply from German tax office:
              "we've rebuilt our installers, the vulnerability is
               fixed."

2017-03-06    NO, it is NOT fixed, the installer still shows the
              reported defects/vulnerabilities

2017-03-23    reply from German tax office:
              "we are working on an .MSI installer; ETA April 18"

2017-04-26    German tax office published .MSI installers for their
              "Elster Formular" software

2017-05-04    report published


Evidence:
~~~~~~~~~

C:\>link.exe /dump /headers xampp-win32-7.1.1-0-VC14-installer.exe

Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file xampp-win32-7.1.1-0-VC14-installer.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               B number of sections
        58071D79 time date stamp Wed Oct 19 09:15:05 2016
          2B5C00 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             32E characteristics
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   Application can handle large (>2GB) addresses
                   32 bit word machine
                   Debug information stripped

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            2.22 linker version
          1D2C00 size of code
          2B5800 size of initialized data
            1C00 size of uninitialized data
            12A0 entry point (004012A0)
            1000 base of code
          1D4000 base of data
          400000 image base (00400000 to 006BDFFF)
            1000 section alignment
             200 file alignment
            4.00 operating system version
            1.00 image version
            4.00 subsystem version
               0 Win32 version
          2BE000 size of image
             400 size of headers
         787749C checksum
               2 subsystem (Windows GUI)
             540 DLL characteristics
                   Dynamic base
                   NX compatible
                   No structured exception handler
          200000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
          280000 [      6E] RVA [size] of Export Directory
          281000 [    3C04] RVA [size] of Import Directory
          287000 [   22B34] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
         786BB58 [    10B0] RVA [size] of Certificates Directory
          2AA000 [   13850] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
          286000 [      18] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
          2819AC [     894] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory


SECTION HEADER #1
   .text name
  1D2B94 virtual size
    1000 virtual address (00401000 to 005D3B93)
  1D2C00 size of raw data
     400 file pointer to raw data (00000400 to 001D2FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60500060 flags
         Code
         Initialized Data
         RESERVED - UNKNOWN
         RESERVED - UNKNOWN
         Execute Read

SECTION HEADER #2
   .data name
   1400C virtual size
  1D4000 virtual address (005D4000 to 005E800B)
   14200 size of raw data
  1D3000 file pointer to raw data (001D3000 to 001E71FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0600040 flags
         Initialized Data
         RESERVED - UNKNOWN
         RESERVED - UNKNOWN
         Read Write

SECTION HEADER #3
  .rdata name
   425C0 virtual size
  1E9000 virtual address (005E9000 to 0062B5BF)
   42600 size of raw data
  1E7200 file pointer to raw data (001E7200 to 002297FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40600040 flags
         Initialized Data
         RESERVED - UNKNOWN
         RESERVED - UNKNOWN
         Read Only

LINK : fatal error LNK1000: Internal error during DumpSections

  Version 8.00.50727.762

  ExceptionCode            = C0000005
  ExceptionFlags           = 00000000
  ExceptionAddress         = 00427362 (00400000) "C:\Program Files\...\LINK.EXE"
  NumberParameters         = 00000002
  ExceptionInformation[ 0] = 00000000
  ExceptionInformation[ 1] = 00000004

CONTEXT:
  Eax    = 40000040  Esp    = 0012E510
  Ebx    = 0000014C  Ebp    = 00000000
  Ecx    = 00000007  Esi    = 00000004
  Edx    = 00000004  Edi    = 00403D00
  Eip    = 00427362  EFlags = 00010246
  SegCs  = 0000001B  SegDs  = 00000023
  SegSs  = 00000023  SegEs  = 00000023
  SegFs  = 0000003B  SegGs  = 00000000
  Dr0    = 00000000  Dr3    = 00000000
  Dr1    = 00000000  Dr6    = 00000000
  Dr2    = 00000000  Dr7    = 00000000


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/