CVE-2022-29376
📋 TL;DR
XAMPP for Windows versions 8.1.4 and below have insecure default permissions on their installation directory, allowing attackers with local access to overwrite executable files. This enables arbitrary code execution when legitimate users or services run those binaries. Anyone using vulnerable XAMPP versions on Windows systems is affected.
💻 Affected Systems
- XAMPP for Windows
📦 What is this software?
XAMPP by Apache Friends
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with the privileges of the user/service running XAMPP components, potentially leading to complete system takeover, data theft, or ransomware deployment.
Likely Case
Local privilege escalation or persistence mechanism where attackers replace legitimate XAMPP binaries with malicious versions that execute when services restart or users run applications.
If Mitigated
No impact if proper directory permissions are enforced or the vulnerability is patched before exploitation.
🎯 Exploit Status
Exploitation requires local access to the system. Attackers simply need write access to the XAMPP installation directory to replace binaries.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v8.1.5 and above
Vendor Advisory: https://www.apachefriends.org/blog/
Restart Required: Yes
Instructions:
1. Download XAMPP v8.1.5 or newer from apachefriends.org.
2. Uninstall the vulnerable version.
3. Install the updated version.
4. Restart any XAMPP services.
🔧 Temporary Workarounds
Restrict XAMPP Directory Permissions
Manually set proper permissions on the XAMPP installation directory to prevent unauthorized write access:
icacls "C:\xampp" /inheritance:r /grant:r "%USERNAME%":(OI)(CI)F /grant:r "SYSTEM":(OI)(CI)F /grant:r "Administrators":(OI)(CI)F
🧯 If You Can't Patch
- Apply strict access controls to the XAMPP installation directory, allowing only necessary users/services write access.
- Monitor the XAMPP directory for unauthorized file modifications using file integrity monitoring tools.
🔍 How to Verify
Check if Vulnerable:
Check XAMPP version via Control Panel or verify directory permissions on the installation folder (typically C:\xampp).
Check Version:
Check the version.txt file in the XAMPP installation directory or use the XAMPP Control Panel.
Verify Fix Applied:
Confirm XAMPP version is 8.1.5+ and verify directory permissions restrict write access to authorized users only.
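The permission check above can be automated. The following PowerShell audit is an added example, not code from the advisory or from Apache Friends: it walks the install directory and every executable beneath it and reports ACL entries that still grant write-class rights to broad, low-privilege principals. The C:\xampp path is the default named in this advisory; the principal list and the set of rights treated as "write-class" are assumptions.

```powershell
# Added audit script (not from the advisory or Apache Friends). Reports ACEs on the
# XAMPP install directory and its executables that let non-admin principals write.
param(
    [string]$XamppRoot = 'C:\xampp'   # default install path named in the advisory
)

# Principals that should never hold write rights on a directory of executables (assumed list).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a local user replace, append to, or re-ACL a binary.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-WeakAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }          # Deny ACEs are not a problem
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }  # read/execute only
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited entries point at a weak parent ACL
        }
    }
}

if (-not (Test-Path -LiteralPath $XamppRoot)) {
    Write-Error "XAMPP directory not found: $XamppRoot"; exit 2
}

# Check the root directory itself, then every executable-type file beneath it.
$findings = @(Get-WeakAces -Path $XamppRoot)
foreach ($f in Get-ChildItem -LiteralPath $XamppRoot -Recurse -File -Include *.exe,*.dll,*.bat -ErrorAction SilentlyContinue) {
    $findings += Get-WeakAces -Path $f.FullName
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no broad principal holds write rights under $XamppRoot"; exit 0
}
$findings | Format-Table -AutoSize
Write-Output "FAIL: $($findings.Count) weak ACE(s); re-apply the icacls workaround or upgrade to 8.1.5+"
exit 1
```

Run it from an elevated prompt after applying the icacls workaround or the upgrade; a non-zero exit code means a broad principal can still overwrite something under the install directory.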
📡 Detection & Monitoring
Log Indicators:
- Unexpected file modifications in XAMPP directory
- New processes spawned from XAMPP binaries with unusual parameters
Network Indicators:
- Outbound connections from XAMPP processes to unexpected destinations
SIEM Query:
EventID=4663 OR EventID=4656 WHERE ObjectName LIKE '%xampp%' AND Accesses LIKE '%WRITE%'
🔗 References
- https://github.com/ycdxsb/Vuln/blob/main/CVE-2022-29376/CVE-2022-29376.md
- https://github.com/ycdxsb/Vuln/blob/main/Xampp-Install-Dir-Incorrect-Default-Permission/Xampp-Install-Dir-Incorrect-Default-Permission.md