27 lines
No EOL
1 KiB
Text
27 lines
No EOL
1 KiB
Text
Title: EasyPHP Devserver Insecure File Permissions Privilege Escalation
|
|
Application: EasyPHP Devserver
|
|
Versions Affected: 16.1
|
|
Vendor URL: http://www.easyphp.org/
|
|
Discovered by: Ashiyane Digital Security Team ~ Micle
|
|
Tested on: Windows 10 Professional x86
|
|
Bugs: Insecure File Permissions Privilege Escalation
|
|
Source: http://www.micle.ir/exploits/1003
|
|
Date: 10-Dec-2016
|
|
|
|
Description:
|
|
EasyPHP installs by default to "C:\Program Files\EasyPHP-Devserver-16.1"
|
|
with very weak file permissions granting any
|
|
user full permission to the exe. This allows opportunity for code
|
|
execution against any other user running the application.
|
|
|
|
Proof:
|
|
C:\Program Files\EasyPHP-Devserver-16.1>cacls run-easyphp-devserver.exe
|
|
C:\Program Files\EasyPHP-Devserver-16.1\run-easyphp-devserver.exe
|
|
BUILTIN\Users:(ID)C
|
|
NT AUTHORITY\SYSTEM:(ID)F
|
|
BUILTIN\Administrators:(ID)F
|
|
APPLICATION PACKAGE AUTHORITY\ALL
|
|
APPLICATION PACKAGES:(ID)R
|
|
|
|
Exploit:
|
|
Simply replace run-easyphp-devserver.exe and wait for execution. |