Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-11107 PoC — XAMPP 安全漏洞

Source
https://github.com/andripwn/CVE-2020-11107
Associated Vulnerability
Title:XAMPP 安全漏洞 (CVE-2020-11107)
Description:An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution.
Description
XAMPP - CVE-2020-11107
Readme
# CVE-2020-11107
This is a writeup for CVE-2020-11107 I've found.


An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows.
An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution.

All this can be done through xampps control-panel.


XAMPP allows an unprivileged User to access and modify its editor and browser configuration. The default value is notepad.exe
The default value can be changed to set a bat file as the editor or browser. After saving the configuration, it changed for every user which can access the control panel. 
If an attacker sets the notepad value to a malicious .exe file or .bat file it gets executed after another user tries to open the log files via the control panel. This can result in grating a normal user admin privileges or worse.


A step by step PoC can be found below:
1. Default values of XAMPP‘s config file.
![alt text](https://github.com/S1lkys/CVE-2020-11107/blob/master/Step1-Default%20Configuration.PNG )


2. Normal user which can access the control panel.
![alt text](https://github.com/S1lkys/CVE-2020-11107/blob/master/Step2-Normal%20User%20Silky.PNG)


3. Changing the notepad.exe file as User Silky to a malicious file.
![alt text](https://github.com/S1lkys/CVE-2020-11107/blob/master/Step3-Changing%20the%20editor.PNG)


4. Config of Administrator got changed as well.
![alt text](https://github.com/S1lkys/CVE-2020-11107/blob/master/Step4-Administrator%20File%20changed.PNG)


5. Administrator tries to view a log file.
![alt text](https://github.com/S1lkys/CVE-2020-11107/blob/master/Step5-Admin%20tries%20to%20access%20log%20file.PNG)


6. Code gets executed and grants User Silky Admin rights.
![alt text](https://github.com/S1lkys/CVE-2020-11107/blob/master/Step6-%20Silky%20got%20Admin%20Privs.PNG)





# References: 
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11107
2. https://www.apachefriends.org/blog/new_xampp_20200401.html
3. https://nvd.nist.gov/vuln/detail/CVE-2020-11107
File Snapshot

 [4.0K]  /data/pocs/96df9b1451566fbd60c2792b8d75ae22644b4a7e
├── [ 41K]  Contents of .bat file.PNG
├── [2.0K]  README.md
├── [293K]  Step1-Default Configuration.PNG
├── [389K]  Step2-Normal User Silky.PNG
├── [429K]  Step3.5-File got changed.PNG
├── [348K]  Step3-Changing the editor.PNG
├── [338K]  Step4-Administrator File changed.PNG
├── [283K]  Step5-Admin tries to access log file.PNG
└── [ 63K]  Step6- Silky got Admin Privs.PNG

0 directories, 9 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →