Nytro

CVE-2020-11107 XAMPP


CVE-2020-11107

This is a writeup for CVE-2020-11107 I've found.

An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16, and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-control.ini for all users (including admins) to enable arbitrary command execution.

All this can be done through XAMPP's control panel.

XAMPP allows an unprivileged user to access and modify its editor and browser configuration. The default value is notepad.exe. The default value can be changed to set a .bat file as the editor or browser. After saving the configuration, it is changed for every user who can access the control panel. If an attacker sets the notepad value to a malicious .exe or .bat file, it gets executed after another user tries to open the log files via the control panel. This can result in granting a normal user admin privileges or worse.

A step by step PoC can be found below:

  1. Default values of XAMPP's config file.

  2. Normal user who can access the control panel.

  3. Changing the notepad.exe file as user Silky to a malicious file.

  4. Config of Administrator got changed as well.

  5. Administrator tries to view a log file.

  6. Code gets executed and grants user Silky admin rights.

References:

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11107
  2. https://www.apachefriends.org/blog/new_xampp_20200401.html
  3. https://nvd.nist.gov/vuln/detail/CVE-2020-11107


Source: https://github.com/S1lkys/CVE-2020-11107/
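As an added defender-side check (not part of the writeup above), the following PowerShell audits a host for the two conditions that combine in this issue: a control-panel INI that low-privilege users can write, and an editor or browser entry that points at a script or a user-writable path. The INI path `C:\xampp\xampp-control.ini` and the key names `Editor` and `Browser` are assumptions, not taken from the post.

```powershell
# Added example, not from the writeup: audit a XAMPP control-panel INI for the
# two conditions behind CVE-2020-11107 on a shared Windows host.
# Assumed (not stated on the page): the INI path and the keys Editor / Browser.
param(
    [string]$IniPath = 'C:\xampp\xampp-control.ini'
)

$findings = @()

# 1. Who can write the file? A writable ACE for a low-privilege principal means
#    any local user can redirect what every other user's panel launches.
$lowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-1-0',       # Everyone
    'S-1-5-11'       # Authenticated Users
)
$acl = Get-Acl -Path $IniPath
foreach ($ace in $acl.Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $writeBits = $ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write
    if ($ace.AccessControlType -eq 'Allow' -and $writeBits -ne 0 -and $lowPrivSids -contains $sid) {
        $findings += "Writable by $($ace.IdentityReference): $($ace.FileSystemRights)"
    }
}

# 2. What will the panel launch? A .bat/.cmd or anything under a user profile
#    or temp directory is suspect; the expected value is a system editor.
foreach ($line in Get-Content -Path $IniPath) {
    if ($line -match '^\s*(Editor|Browser)\s*=\s*(.+?)\s*$') {
        $key, $value = $matches[1], $matches[2]
        $isScript = $value -match '\.(bat|cmd|ps1|vbs|js)$'
        $inUserPath = $value -match '(\\Users\\|\\Temp\\|\\AppData\\)'
        if ($isScript -or $inUserPath) {
            $findings += "$key points to an untrusted target: $value"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $IniPath is not writable by low-privilege users and launches only expected targets."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as an administrator on the XAMPP host; a finding in the first block is the root cause (the shared file is writable), and tightening that ACL is the fix even when the second block reports nothing.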
