XAMPP 7.1.1-0-VC14 DLL Hijacking

The Win32 installer for XAMPP version 7.1.1-0-VC14 suffers from a DLL hijacking vulnerability.


MD5 | 8612d2b09a415a1aac6e8b64e316f57a

Hi @ll,

xampp-win32-7.1.1-0-VC14-installer.exe, available from
<https://www.apachefriends.org/download.html>, is vulnerable,
dangerous and defective.

ALL other executable installers built with BitRock InstallBuilder
(which of course includes BitRock's InstallBuilder itself) are
vulnerable and defective too.

0. DANGEROUS
~~~~~~~~~~~~

0.a It instructs its unsuspecting users with a dialog box
______________________________________________________________________
| Warning [X]
|----------------------------------------------------------------------
| ^ Important! Because an activated User Account Control (UAC)
| /!\ on your system some functions of XAMPP are possibly restricted.
| --- With UAC please avoid to install XAMPP to C:\Program Files
| (missing write permissions). Or deactivate UAC with msconfig
| after this setup.
| [ OK ]
|
----------------------------------------------------------------------
to circumvent a security boundary or a security feature.

0.b The second alternative assumes that users don't use (unprivileged)
STANDARD user accounts, but the (protected) administrator account
created during Windows setup.

But see Microsoft's recommendations
<https://technet.microsoft.com/en-us/library/ee679793.aspx>:

| Do not disable UAC
...
| Use standard user accounts


1. VULNERABLE
~~~~~~~~~~~~~

1.a It loads (at least) SAMCli.dll, SchedCli.dll and LogonCli.dll
(tested on Windows 7 SP1) from its "application directory"
instead of from Windows' "system directory" %SystemRoot%\System32\,
resulting in arbitrary code execution.

For software downloaded with a web browser the "application
directory" is typically the user's "Downloads" directory: see
<http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

Also see <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html> and
<https://skanthak.homepage.t-online.de/!execute.html>
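As an added illustration of the search-order problem described in 1.a (example code written for this page, not Stefan Kanthak's, BitRock's or Microsoft's), the following Python script models the two directories the advisory contrasts: the "application directory", which for a downloaded installer is the user's Downloads directory, and %SystemRoot%\System32. It uses constructed placeholder files in a temporary tree and a deliberately simplified loader model (the real Windows search order has more entries); `system32_only=True` stands for the effect of a process that restricted its search with SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) or LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32, the mitigation described in the "load-library-safely" post linked above.

```python
import tempfile
from pathlib import Path

# DLLs the advisory observed the installer loading from its own directory.
# None of them is a KnownDLL, so the default search order tries the
# application directory before %SystemRoot%\System32.
ADVISORY_DLLS = ("SAMCli.dll", "SchedCli.dll", "LogonCli.dll")


def resolve_dll(name, app_dir, system_dir, system32_only=False):
    """Simplified model of the loader's lookup for one DLL name.

    Default order (simplified): application directory, then System32.
    system32_only=True models a process that restricted its search with
    SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32); the application
    directory is then never consulted.  Returns the chosen Path or None.
    """
    order = [system_dir] if system32_only else [app_dir, system_dir]
    for directory in order:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def planted_dlls(app_dir, system_dir, names=ADVISORY_DLLS):
    """Directory-poisoning check: names present in app_dir *and* in
    system_dir, i.e. a file in the application directory that would shadow
    the genuine system DLL under the default search order."""
    return [n for n in names
            if (Path(app_dir) / n).is_file() and (Path(system_dir) / n).is_file()]


def demo():
    """Constructed scenario: placeholder DLL files in a temporary tree."""
    with tempfile.TemporaryDirectory() as root:
        downloads = Path(root) / "Downloads"   # stands in for the user's Downloads
        system32 = Path(root) / "System32"     # stands in for %SystemRoot%\System32
        downloads.mkdir()
        system32.mkdir()
        for name in ADVISORY_DLLS:
            (system32 / name).write_bytes(b"constructed placeholder: genuine DLL")
        (downloads / "SAMCli.dll").write_bytes(b"constructed placeholder: shadowing DLL")

        return {
            "default": resolve_dll("SAMCli.dll", downloads, system32).parent.name,
            "system32_only": resolve_dll("SAMCli.dll", downloads, system32,
                                         system32_only=True).parent.name,
            "planted": planted_dlls(downloads, system32),
        }


if __name__ == "__main__":
    print(demo())
```

Under the default order the Downloads copy wins; with the System32-only restriction the genuine file is chosen. Note that the restriction is a change the installer's author has to make in the loading executable; a user cannot apply it from outside. On a real Windows machine `planted_dlls` can be pointed at the actual Downloads and System32 directories to spot shadowing files before running anything from Downloads.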

1.b It creates 10 DLLs named BR<4 hex digits>.tmp in the user's
%TEMP% directory and loads them during the installation.

An unprivileged attacker can modify these DLLs between their
creation and loading, for example using the following (trivial)
batch script, again resulting in arbitrary code execution:

--- BITROCK.CMD ---
:WAIT
If Not Exist "%TEMP%\BR????.DLL" Goto :WAIT
For %%! In ("%TEMP%\BR????.DLL") Do Copy SENTINEL.DLL "%%!"
--- EOF ---

See <https://skanthak.homepage.t-online.de/sentinel.html> for
SENTINEL.DLL

1.c Thanks to the embedded application manifest, which specifies
"requireAdministrator", the installer will be started with
administrative privileges ("protected" administrators are
prompted for consent, unprivileged standard users are prompted
for an administrator password), resulting in an escalation of
privilege if (one of) the DLLs named above get(s) executed!

If (one of) the DLLs named above get(s) planted in the user's
"Downloads" directory, for example per "drive-by download",
this vulnerability becomes a remote code execution WITH
escalation of privilege.


2. DEFECTIVE
~~~~~~~~~~~~

2.a It has INVALID PE (section) headers; Microsoft's DUMPBIN.EXE
aborts with "access violation" (see below) due to the INVALID
section name "/4"!

From the PE/COFF specification, available via
<https://www.microsoft.com/en-us/download/details.aspx?id=19509>

| Offset  Size  Field  Description
| 0       8     Name   An 8-byte, null-padded UTF-8 encoded string.
|                      If the string is exactly 8 characters long,
|                      there is no terminating null. For longer names,
|                      this field contains a slash (/) that is followed
|                      by an ASCII representation of a decimal number
|                      that is an offset into the string table.
|                      Executable images do not use a string table and do
|                      not support section names longer than 8 characters.
|                      Long names in object files are truncated if they
|                      are emitted to an executable file.

2.b The IMPORT directory contains 2 IMAGE_IMPORT_DESCRIPTOR entries
for msvcrt.dll.

It should have only 1 IMAGE_IMPORT_DESCRIPTOR per DLL!
See the PE/COFF specification:

| Import Directory Table
...
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.
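To make the two header defects from 2.a and 2.b checkable without DUMPBIN (which faults on this file, see the evidence below), here is an added Python inspector. It is example code written for this page, not part of the advisory and not BitRock's or Microsoft's code. It parses the COFF header, the optional header, the section table and the import directory, flags section names that begin with "/" (a string-table reference, which the PE/COFF specification says executable images must not use) and counts IMAGE_IMPORT_DESCRIPTOR entries per DLL. `build_sample_pe()` constructs a tiny synthetic PE32 image that reproduces both defects; it is a stand-in for, not a copy of, the XAMPP installer. To inspect a real file, pass `open(path, "rb").read()` to `parse_pe` instead.

```python
import struct
from collections import Counter

IMPORT_DIRECTORY_INDEX = 1          # IMAGE_DIRECTORY_ENTRY_IMPORT
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data):
    """Parse DOS stub, COFF header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # The data directory starts at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dir_off = opt + (96 if magic == PE32_MAGIC else 112)
    import_rva, import_size = struct.unpack_from("<II", data, dir_off + 8 * IMPORT_DIRECTORY_INDEX)
    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"data": data, "sections": sections,
            "import_rva": import_rva, "import_size": import_size}


def rva_to_offset(pe, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def invalid_section_names(pe):
    """Defect 2.a: '/<decimal>' names reference a COFF string table, which
    executable images do not have; a dumper that dereferences it faults."""
    return [s["name"] for s in pe["sections"] if s["name"].startswith("/")]


def import_descriptors(pe):
    """DLL names of every IMAGE_IMPORT_DESCRIPTOR, in table order."""
    if pe["import_rva"] == 0:
        return []
    data, off, dlls = pe["data"], rva_to_offset(pe, pe["import_rva"]), []
    while True:
        fields = struct.unpack_from("<IIIII", data, off)   # OriginalFirstThunk .. FirstThunk
        if not any(fields):                                # all-zero descriptor ends the table
            return dlls
        name_off = rva_to_offset(pe, fields[3])           # the Name field (RVA of a C string)
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        off += 20


def duplicate_import_descriptors(pe):
    """Defect 2.b: the spec allows one descriptor per referenced DLL."""
    counts = Counter(name.lower() for name in import_descriptors(pe))
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_pe():
    """Constructed PE32 image reproducing both defects (NOT the XAMPP binary)."""
    idata_rva = 0x2000
    names = b"msvcrt.dll\0kernel32.dll\0"
    msvcrt_rva = idata_rva + 4 * 20                 # names follow the four descriptors
    kernel32_rva = msvcrt_rva + len(b"msvcrt.dll\0")
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0)
                     for rva in (msvcrt_rva, msvcrt_rva, kernel32_rva)) + bytes(20)
    idata = (descs + names).ljust(0x200, b"\0")
    sections = [(b".text", 0x1000, bytes(0x200)),
                (b".idata", idata_rva, idata),
                (b"/4", 0x3000, bytes(0x200))]       # string-table style name, as in the advisory
    headers_size, raw_ptr, sec_hdrs, raw = 0x400, 0x400, b"", b""
    for name, va, body in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), va, len(body), raw_ptr,
                                0, 0, 0, 0, 0x40000040)
        raw += body
        raw_ptr += len(body)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIRECTORY_INDEX, idata_rva, len(descs))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(headers_size, b"\0") + raw


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("invalid section names:", invalid_section_names(pe))
    print("duplicate import descriptors:", duplicate_import_descriptors(pe))
```

The parser reads only the fields it needs and walks the import table until the all-zero terminating descriptor, so it does not trip over the defective section name the way DUMPBIN does; a build pipeline can run these two checks on every produced installer and fail the build when either list is non-empty.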


Mitigations:
~~~~~~~~~~~~

* Don't build executable installers, they are almost always vulnerable!

Create native installation packages for the respective OS instead.
For Windows these are .MSI or .INF with .CAB.

* Don't use executable installers!

* stay FAR away from so-called products of companies like BitRock


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-02-17 vulnerability report sent to one of the customers/users
of BitRock, the maker of XAMPP and the equally vulnerable
and defective BitRock InstallBuilder

2017-02-18 reply from this customer:
"I have [therefore] escalated this report to Bitrock's
support team."

NO REPLY from Bitrock's support team.

2017-02-19 vulnerability report sent to the German tax office: their
"Elster Formular" software was built with the vulnerable
and defective BitRock InstallBuilder too

NO REPLY, not even an acknowledgement of receipt from the
German tax office

2017-02-26 vulnerability report sent to BitRock, maker of XAMPP,
Bitnami and BitRock InstallBuilder

2017-02-27 reply from BitRock: some lame excuses, and
"Thank you again for sharing all of the concerns with us."
but no hint/ETA for a fix

2017-02-27 vulnerability report resent to the German tax office

2017-03-03 reply from the German tax office:
"we've rebuilt our installers, the vulnerability is
fixed."

2017-03-06 NO, it is NOT fixed, the installer still shows the
reported defects/vulnerabilities

2017-03-23 reply from the German tax office:
"we are working on an .MSI installer; ETA April 18"

2017-04-26 German tax office published .MSI installers for their
"Elster Formular" software

2017-05-04 report published


Evidence:
~~~~~~~~~

C:\>link.exe /dump /headers xampp-win32-7.1.1-0-VC14-installer.exe

Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file xampp-win32-7.1.1-0-VC14-installer.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
14C machine (x86)
B number of sections
58071D79 time date stamp Wed Oct 19 09:15:05 2016
2B5C00 file pointer to symbol table
0 number of symbols
E0 size of optional header
32E characteristics
Executable
Line numbers stripped
Symbols stripped
Application can handle large (>2GB) addresses
32 bit word machine
Debug information stripped

OPTIONAL HEADER VALUES
10B magic # (PE32)
2.22 linker version
1D2C00 size of code
2B5800 size of initialized data
1C00 size of uninitialized data
12A0 entry point (004012A0)
1000 base of code
1D4000 base of data
400000 image base (00400000 to 006BDFFF)
1000 section alignment
200 file alignment
4.00 operating system version
1.00 image version
4.00 subsystem version
0 Win32 version
2BE000 size of image
400 size of headers
787749C checksum
2 subsystem (Windows GUI)
540 DLL characteristics
Dynamic base
NX compatible
No structured exception handler
200000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
280000 [ 6E] RVA [size] of Export Directory
281000 [ 3C04] RVA [size] of Import Directory
287000 [ 22B34] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
786BB58 [ 10B0] RVA [size] of Certificates Directory
2AA000 [ 13850] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
286000 [ 18] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
2819AC [ 894] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory


SECTION HEADER #1
.text name
1D2B94 virtual size
1000 virtual address (00401000 to 005D3B93)
1D2C00 size of raw data
400 file pointer to raw data (00000400 to 001D2FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500060 flags
Code
Initialized Data
RESERVED - UNKNOWN
RESERVED - UNKNOWN
Execute Read

SECTION HEADER #2
.data name
1400C virtual size
1D4000 virtual address (005D4000 to 005E800B)
14200 size of raw data
1D3000 file pointer to raw data (001D3000 to 001E71FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0600040 flags
Initialized Data
RESERVED - UNKNOWN
RESERVED - UNKNOWN
Read Write

SECTION HEADER #3
.rdata name
425C0 virtual size
1E9000 virtual address (005E9000 to 0062B5BF)
42600 size of raw data
1E7200 file pointer to raw data (001E7200 to 002297FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40600040 flags
Initialized Data
RESERVED - UNKNOWN
RESERVED - UNKNOWN
Read Only

LINK : fatal error LNK1000: Internal error during DumpSections

Version 8.00.50727.762

ExceptionCode = C0000005
ExceptionFlags = 00000000
ExceptionAddress = 00427362 (00400000) "C:\Program Files\...\LINK.EXE"
NumberParameters = 00000002
ExceptionInformation[ 0] = 00000000
ExceptionInformation[ 1] = 00000004

CONTEXT:
Eax = 40000040 Esp = 0012E510
Ebx = 0000014C Ebp = 00000000
Ecx = 00000007 Esi = 00000004
Edx = 00000004 Edi = 00403D00
Eip = 00427362 EFlags = 00010246
SegCs = 0000001B SegDs = 00000023
SegSs = 00000023 SegEs = 00000023
SegFs = 0000003B SegGs = 00000000
Dr0 = 00000000 Dr3 = 00000000
Dr1 = 00000000 Dr6 = 00000000
Dr2 = 00000000 Dr7 = 00000000
