Now that we have illustrated how a default phpMyAdmin installation can be turned into root access for an attacker, let’s look at a few tips on how this attack could have been prevented.
First, ensure you change all default passwords on newly installed applications. In the case of XAMPP, many people overlook the fact that there is a MySQL administration tool, and as a result never secure it.
Second, prior to installing PHP, be sure to understand the configuration files. This attack could have been prevented by enabling Safe Mode, which would have restricted access to the “system” call. While this would have been helpful in this particular case, enabling Safe Mode is not considered foolproof because it can be bypassed via several unfiltered commands.
Fourth, the target system had no firewall in place. A properly configured firewall would have prevented the attacker from making use of a Netcat listener. Along the same lines, a Tripwire-style solution would have detected, and possibly blocked, the attacks.
Fifth, this entire attack could have been prevented with a Web Application Firewall (WAF), which could have detected the phpMyAdmin abuse as well as the creation and use of the PHP-based back door. However, the WAF is still not widely accepted as a valuable means of protecting web applications from attackers. Fortunately, this misconception is slowly fading, especially as more and more traditional applications are converted to web-based applications.
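The first two tips above (change the default credentials; restrict PHP's ability to run system commands) are the kind of thing that can be checked mechanically. The following Python script is an added example, not code from the original article: it audits a php.ini and a phpMyAdmin config.inc.php for the weak settings this attack relied on, showing a weak and a hardened version of each. The file contents are constructed samples; `disable_functions` and `safe_mode` are real php.ini directives, and `auth_type`, `AllowNoPassword` and `password` are real phpMyAdmin server settings, but the values shown are assumptions for illustration.

```python
import re

# PHP functions that hand a web shell direct command execution. A hardened
# php.ini lists all of them in disable_functions; Safe Mode was removed in
# PHP 5.4, so disable_functions is the supported control.
EXEC_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}

# Constructed sample: a php.ini as it commonly ships, before hardening.
WEAK_PHP_INI = """
; constructed sample php.ini (weak)
safe_mode = Off
disable_functions =
"""

# Constructed sample: the same file after hardening.
HARDENED_PHP_INI = """
; constructed sample php.ini (hardened)
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
"""

# Constructed sample: a config.inc.php in the style a bundled XAMPP-type
# install ships with, with auto-login as root and no password.
WEAK_PMA_CONFIG = """<?php
/* constructed sample config.inc.php (weak) */
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

# Constructed sample: hardened config, prompting for credentials on each login.
HARDENED_PMA_CONFIG = """<?php
/* constructed sample config.inc.php (hardened) */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
"""


def parse_ini(text):
    """Minimal key = value parser for php.ini-style text (comments start with ';')."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_php_ini(text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_ini(text)
    findings = []
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXEC_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions leaves command execution reachable: " + ", ".join(missing))
    if "safe_mode" in cfg:
        findings.append("safe_mode directive present: removed in PHP 5.4, rely on disable_functions instead")
    return findings


def audit_pma_config(text):
    """Return a list of findings for a phpMyAdmin config.inc.php."""
    findings = []
    if re.search(r"\['AllowNoPassword'\]\s*=\s*true", text):
        findings.append("AllowNoPassword is true: empty MySQL passwords are accepted")
    if re.search(r"\['auth_type'\]\s*=\s*'config'", text):
        findings.append("auth_type 'config' stores credentials in the file and skips the login prompt")
    if re.search(r"\['password'\]\s*=\s*''", text):
        findings.append("stored MySQL password is empty")
    return findings


if __name__ == "__main__":
    for label, ini, pma in (("weak", WEAK_PHP_INI, WEAK_PMA_CONFIG),
                            ("hardened", HARDENED_PHP_INI, HARDENED_PMA_CONFIG)):
        print(f"[{label}] php.ini:", audit_php_ini(ini) or "ok")
        print(f"[{label}] config.inc.php:", audit_pma_config(pma) or "ok")
```

Run against real files by reading them in place of the constructed strings; the parser is deliberately simple and ignores php.ini sections, which is enough for the two directives checked here.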
In this article, we looked at how an attacker could turn a default installation of phpMyAdmin into root access. It is important to note that we took the scenic route to obtaining root access on the target system. In reality, the attack could have been reduced to a much smaller set of commands, which could be used in a program to automatically perform the attack in a few seconds. Thanks again to the CCDC event and all the fun it offers to us security professionals who enjoy a little legal pwnage from time to time!