XAMPP 7.1.1-0-VC14 DLL Hijacking
Posted on 09 May 2017
Hi @ll,

xampp-win32-7.1.1-0-VC14-installer.exe, available from
<https://www.apachefriends.org/download.html>, is vulnerable, dangerous
and defective.

ALL other executable installers built with BitRock InstallBuilder (which
of course includes BitRock's InstallBuilder itself) are vulnerable and
defective too.

0. DANGEROUS
~~~~~~~~~~~~

0.a It instructs its unsuspecting users with a dialog box

 ______________________________________________________________________
| Warning                                                          [X] |
|----------------------------------------------------------------------|
|  ^   Important! Because an activated User Account Control (UAC)      |
| /!\  on your system some functions of XAMPP are possibly restricted. |
| ---  With UAC please avoid to install XAMPP to C:\Program Files      |
|      (missing write permissions). Or deactivate UAC with msconfig    |
|      after this setup.                                               |
|                                                               [ OK ] |
 ----------------------------------------------------------------------

to circumvent a security boundary or a security feature.

0.b The second alternative assumes that users don't use (unprivileged)
STANDARD user accounts, but the (protected) administrator account
created during Windows setup. Contrast this with Microsoft's
recommendations <https://technet.microsoft.com/en-us/library/ee679793.aspx>:

| Do not disable UAC
...
| Use standard user accounts

1. VULNERABLE
~~~~~~~~~~~~~

1.a It loads (at least) SAMCli.dll, SchedCli.dll and LogonCli.dll
(tested on Windows 7 SP1) from its "application directory" instead of
Windows' "system directory" %SystemRoot%\System32, resulting in
arbitrary code execution. The loader searches the directory the
executable was started from before %SystemRoot%\System32 for every DLL
that is not listed under KnownDLLs, so a DLL of that name planted next
to the installer wins.

For software downloaded with a web browser the "application directory"
is typically the user's "Downloads" directory: see
<http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

Also see <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html> and
<https://skanthak.homepage.t-online.de/!execute.html>

1.b It creates 10 DLLs named BR<4 hex digits>.tmp in the user's %TEMP%
directory and loads them during the installation. An unprivileged
attacker can modify these DLLs between their creation and loading (a
time-of-check/time-of-use race), for example using the following
(trivial) batch script, again resulting in arbitrary code execution:

--- BITROCK.CMD ---
Rem Poll %TEMP% until the installer has dropped its temporary DLLs, then
Rem overwrite each of them with SENTINEL.DLL (expected in the current
Rem directory) before the installer loads them.
Rem Note: 1.b above describes the files as BR<4 hex digits>.tmp; use the
Rem extension actually observed in %TEMP% for the pattern below.
:WAIT
If Not Exist "%TEMP%\BR????.DLL" Goto :WAIT
For %%! In ("%TEMP%\BR????.DLL") Do Copy SENTINEL.DLL "%%!"
--- EOF ---

See <https://skanthak.homepage.t-online.de/sentinel.html> for SENTINEL.DLL

1.c Thanks to the embedded application manifest, which specifies
"requireAdministrator", the installer is started with administrative
privileges ("protected" administrators are prompted for consent,
unprivileged standard users are prompted for an administrator password),
resulting in an escalation of privilege if (one of) the DLLs named above
get(s) executed!

If (one of) the DLLs named above get(s) planted in the user's
"Downloads" directory, for example per "drive-by download", this
vulnerability becomes a remote code execution WITH escalation of
privilege.

2. DEFECTIVE
~~~~~~~~~~~~

2.a It has INVALID PE (section) headers; Microsoft's DUMPBIN.EXE aborts
with "access violation" (see below) due to the INVALID section name "/4"!

From the PE/COFF specification, available via
<https://www.microsoft.com/en-us/download/details.aspx?id=19509>

| Offset Size Field Description
| 0      8    Name  An 8-byte, null-padded UTF-8 encoded string.
|                   If the string is exactly 8 characters long,
|                   there is no terminating null. For longer names,
|                   this field contains a slash (/) that is followed
|                   by an ASCII representation of a decimal number
|                   that is an offset into the string table.
|                   Executable images do not use a string table and do
|                   not support section names longer than 8 characters.
|                   Long names in object files are truncated if they
|                   are emitted to an executable file.

2.b The IMPORT directory contains 2 IMAGE_IMPORT_DESCRIPTOR entries for
msvcrt.dll. It should have only 1 IMAGE_IMPORT_DESCRIPTOR per DLL!
See the PE/COFF specification:

| Import Directory Table
...
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.

Mitigations:
~~~~~~~~~~~~

* Don't build executable installers, they are almost always vulnerable!
  Create native installation packages for the respective OS instead.
  For Windows these are .MSI or .INF with .CAB.

* Don't use executable installers!

* Stay FAR away from the so-called products of companies like BitRock.

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2017-02-17    vulnerability report sent to one of the customers/users of
              BitRock, the maker of XAMPP and the equally vulnerable and
              defective BitRock InstallBuilder
2017-02-18    reply from this customer: "I have [therefore] escalated
              this report to Bitrock's support team."
              NO REPLY from Bitrock's support team.
2017-02-19    vulnerability report sent to the German tax office: their
              "Elster Formular" software was built with the vulnerable
              and defective BitRock InstallBuilder too
              NO REPLY, not even an acknowledgement of receipt from the
              German tax office
2017-02-26    vulnerability report sent to BitRock, maker of XAMPP,
              Bitnami and BitRock InstallBuilder
2017-02-27    reply from BitRock: some lame excuses, and "Thank you again
              for sharing all of the concerns with us." but no hint/ETA
              for a fix
2017-02-27    vulnerability report resent to German tax office
2017-03-03    reply from German tax office: "we've rebuilt our
              installers, the vulnerability is fixed."
2017-03-06    NO, it is NOT fixed, the installer still shows the
              reported defects/vulnerabilities
2017-03-23    reply from German tax office: "we are working on an .MSI
              installer; ETA April 18"
2017-04-26    German tax office published .MSI installers for their
              "Elster Formular" software
2017-05-04    report published

Evidence:
~~~~~~~~~

C:\>link.exe /dump /headers xampp-win32-7.1.1-0-VC14-installer.exe
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file xampp-win32-7.1.1-0-VC14-installer.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               B number of sections
        58071D79 time date stamp Wed Oct 19 09:15:05 2016
          2B5C00 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             32E characteristics
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   Application can handle large (>2GB) addresses
                   32 bit word machine
                   Debug information stripped

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            2.22 linker version
          1D2C00 size of code
          2B5800 size of initialized data
            1C00 size of uninitialized data
            12A0 entry point (004012A0)
            1000 base of code
          1D4000 base of data
          400000 image base (00400000 to 006BDFFF)
            1000 section alignment
             200 file alignment
            4.00 operating system version
            1.00 image version
            4.00 subsystem version
               0 Win32 version
          2BE000 size of image
             400 size of headers
         787749C checksum
               2 subsystem (Windows GUI)
             540 DLL characteristics
                   Dynamic base
                   NX compatible
                   No structured exception handler
          200000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
          280000 [      6E] RVA [size] of Export Directory
          281000 [    3C04] RVA [size] of Import Directory
          287000 [   22B34] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
         786BB58 [    10B0] RVA [size] of Certificates Directory
          2AA000 [   13850] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
          286000 [      18] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
          2819AC [     894] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

SECTION HEADER #1
   .text name
  1D2B94 virtual size
    1000 virtual address (00401000 to 005D3B93)
  1D2C00 size of raw data
     400 file pointer to raw data (00000400 to 001D2FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60500060 flags
         Code
         Initialized Data
         RESERVED - UNKNOWN
         RESERVED - UNKNOWN
         Execute Read

SECTION HEADER #2
   .data name
   1400C virtual size
  1D4000 virtual address (005D4000 to 005E800B)
   14200 size of raw data
  1D3000 file pointer to raw data (001D3000 to 001E71FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0600040 flags
         Initialized Data
         RESERVED - UNKNOWN
         RESERVED - UNKNOWN
         Read Write

SECTION HEADER #3
  .rdata name
   425C0 virtual size
  1E9000 virtual address (005E9000 to 0062B5BF)
   42600 size of raw data
  1E7200 file pointer to raw data (001E7200 to 002297FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40600040 flags
         Initialized Data
         RESERVED - UNKNOWN
         RESERVED - UNKNOWN
         Read Only

LINK : fatal error LNK1000: Internal error during DumpSections

  Version 8.00.50727.762

  ExceptionCode            = C0000005
  ExceptionFlags           = 00000000
  ExceptionAddress         = 00427362 (00400000) "C:\Program Files\...\LINK.EXE"
  NumberParameters         = 00000002
  ExceptionInformation[ 0] = 00000000
  ExceptionInformation[ 1] = 00000004

CONTEXT:
  Eax    = 40000040  Esp    = 0012E510
  Ebx    = 0000014C  Ebp    = 00000000
  Ecx    = 00000007  Esi    = 00000004
  Edx    = 00000004  Edi    = 00403D00
  Eip    = 00427362  EFlags = 00010246
  SegCs  = 0000001B  SegDs  = 00000023
  SegSs  = 00000023  SegEs  = 00000023
  SegFs  = 0000003B  SegGs  = 00000000
  Dr0    = 00000000  Dr3    = 00000000
  Dr1    = 00000000  Dr6    = 00000000
  Dr2    = 00000000  Dr7    = 00000000
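DUMPBIN gives up on this image before it reaches the "/4" section, so the following script performs the three checks from sections 1.a, 2.a and 2.b directly on the PE headers: it lists the section names that use the object-file "/N" long-name form, the DLLs that appear in more than one IMAGE_IMPORT_DESCRIPTOR, and the imported DLLs that are not KnownDLLs (and therefore are resolved through the search path, starting with the application directory). This is an added example, not code from the advisory, from BitRock or from Microsoft. The sample image it audits is constructed inline and only reproduces the two header defects plus an import of SAMCli.dll; the two-entry KnownDLLs set in the `__main__` block is an illustrative subset, `known_dlls_from_registry()` reads the real list on Windows.

```python
"""Audit a PE image for the header defects and hijackable imports described above."""
import struct

# api-ms-win-*/ext-ms-win-* names are contracts resolved by the loader's ApiSet
# schema, never by a path search, so they are excluded from the hijack check.
API_SET_PREFIXES = ("api-ms-win-", "ext-ms-win-")


def _cstring(data, off):
    """Read a NUL-terminated string starting at file offset off."""
    return data[off:data.index(b"\0", off)].decode("latin-1")


def parse_pe(data):
    """Return the section headers and the DLL names of the import directory.

    Only the DOS, COFF and optional headers plus the import descriptors are
    read, so a section name that makes DUMPBIN abort is simply reported.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    dirs = opt + (96 if magic == 0x10B else 112)              # data directories: PE32 vs PE32+
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]  # directory index 1 = Import Directory

    sections = []
    for i in range(nsect):
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + size_opt + 40 * i)
        sections.append({"name": raw_name.split(b"\0")[0].decode("latin-1"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})

    def rva_to_off(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError("RVA %#x is not inside any section" % rva)

    imports = []
    if import_rva:
        off = rva_to_off(import_rva)
        while True:
            desc = data[off:off + 20]                    # one IMAGE_IMPORT_DESCRIPTOR
            if len(desc) < 20 or desc == bytes(20):      # all-zero entry terminates the table
                break
            name_rva = struct.unpack_from("<I", desc, 12)[0]
            imports.append(_cstring(data, rva_to_off(name_rva)))
            off += 20
    return {"sections": sections, "imports": imports}


def audit_pe(data, known_dlls):
    """known_dlls: lower-case file names from the KnownDLLs registry key."""
    pe = parse_pe(data)
    lowered = [n.lower() for n in pe["imports"]]
    return {
        "long_section_names": [s["name"] for s in pe["sections"]
                               if s["name"].startswith("/") and s["name"][1:].isdigit()],
        "duplicate_imports": sorted({n for n in lowered if lowered.count(n) > 1}),
        "hijackable_imports": [n for n in dict.fromkeys(pe["imports"])
                               if n.lower() not in known_dlls
                               and not n.lower().startswith(API_SET_PREFIXES)],
    }


def known_dlls_from_registry():
    """Windows only: the DLLs the loader never resolves through the search path."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs")
    names, i = set(), 0
    while True:
        try:
            _, value, _ = winreg.EnumValue(key, i)
        except OSError:
            return names
        if isinstance(value, str) and value.lower().endswith(".dll"):
            names.add(value.lower())
        i += 1


def build_sample_pe():
    """Constructed PE32 image (not the XAMPP installer): a section named "/4",
    msvcrt.dll imported twice, and an import of the non-KnownDLL SAMCli.dll."""
    imports = [b"KERNEL32.dll", b"msvcrt.dll", b"msvcrt.dll", b"SAMCli.dll"]
    idata_rva = 0x2000
    names_rva = idata_rva + 20 * (len(imports) + 1)
    descs, names = b"", b""
    for dll in imports:
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descs += struct.pack("<IIIII", 0, 0, 0, names_rva + len(names), 0x1000)
        names += dll + b"\0"
    idata = descs + bytes(20) + names

    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, section/file alignment
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, idata_rva, len(idata))  # Import Directory entry

    def section(name, va, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, 0x60000020)

    headers = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    headers += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + opt
    headers += section(b".text", 0x1000, 0x200) + section(b"/4", 0x2000, 0x400)
    return headers.ljust(0x200, b"\0") + bytes(0x200) + idata.ljust(0x200, b"\0")


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    known = {"kernel32.dll", "msvcrt.dll"}   # illustrative subset; use known_dlls_from_registry() on Windows
    for finding, items in audit_pe(image, known).items():
        print(finding, items)
```

Run it against the installer with `python audit.py xampp-win32-7.1.1-0-VC14-installer.exe` (on Windows replace the hard-coded set with `known_dlls_from_registry()`). The hijack list is only the static lower bound: SAMCli.dll, SchedCli.dll and LogonCli.dll are loaded at run time through LoadLibrary, not through the import table, which is why the advisory's finding in 1.a comes from observing the running installer (for example with a sentinel DLL or Process Monitor) rather than from the headers.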