Exploit EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
40902
Проверка EDB
  1. Пройдено
Автор
ASHIYANE DIGITAL SECURITY TEAM
Тип уязвимости
LOCAL
Платформа
WINDOWS
CVE
N/A
Дата публикации
2016-12-11
EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation
Код:
Title: EasyPHP Devserver Insecure File Permissions Privilege Escalation
Application: EasyPHP Devserver
Versions Affected: 16.1
Vendor URL: http://www.easyphp.org/
Discovered by: Ashiyane Digital Security Team ~ Micle
Tested on: Windows 10 Professional x86
Bugs: Insecure File Permissions Privilege Escalation
Source: http://www.micle.ir/exploits/1003
Date: 10-Dec-2016

Description:
EasyPHP installs by default to "C:\Program Files\EasyPHP-Devserver-16.1" 
with very weak file permissions granting any
user full permission to the exe. This allows opportunity for code 
execution against any other user running the application.

Proof:
C:\Program Files\EasyPHP-Devserver-16.1>cacls run-easyphp-devserver.exe
C:\Program Files\EasyPHP-Devserver-16.1\run-easyphp-devserver.exe 
BUILTIN\Users:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
                                   BUILTIN\Administrators:(ID)F
                                   APPLICATION PACKAGE AUTHORITY\ALL 
APPLICATION PACKAGES:(ID)R

Exploit:
Simply replace run-easyphp-devserver.exe and wait for execution.
 
Источник
www.exploit-db.com

Похожие темы