Sawmill Enterprise 8.7.9 – Authentication Bypass

• Exploit Database
• 15 阅读

• 作者： hyp3rlinx
  日期： 2017-02-18
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/41395/

• [+] Credits: John Page AKA Hyp3rlinx
  [+] Website: hyp3rlinx.altervista.org
  [+] Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
  [+] ISR: ApparitionSec
  
  
  
  Vendor:
  ===============
  www.sawmill.net
  
  
  
  Product:
  ========================
  Sawmill Enterprise v8.7.9
  
  sawmill8.7.9.4_x86_windows.exe
  hash: b7ec7bc98c42c4908dfc50450b4521d0
  
  Sawmill is a powerful heirarchical log analysis tool that runs on every
  major platform.
  
  
  Vulnerability Type:
  ===================================
  Pass the Hash Authentication Bypass
  
  
  
  CVE Reference:
  ==============
  CVE-2017-5496
  
  
  
  Security Issue:
  =====================
  Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an
  attacker who gains access to the hashed user account passwords
  can login to the Sawmill interface using the raw MD5 hash values, allowing
  attackers to bypass the work of offline cracking
  account password hashes.
  
  
  This issue usually is known to affect Windows systems e.g. (NT Pass the
  Hash/Securityfocus, 1997). However, this vulnerability can also
  present itself in a vulnerable Web application.
  
  Sawmill account password hashes are stored under LogAnalysisInfo/ directory
  in "users.cfg".
  
  e.g.
  
  users = {
  root_admin = {
  username = "admin"
  password_checksum = "e99a18c428cb38d5f260853678922e03"
  email_address = ""
  
  
  This config file is stored local to the Sawmill application. However, if an
  attacker gains access to a backup of the config that is
  stored in some other location that is then compromised, it can lead to
  subversion of Sawmills authenticaton process.
  
  Moreover, since 'users.cfg' file is world readble a regular non Admin
  Windows user who logs into the system running sawmill can now grab
  a password hash and easily login to the vulnerable application without the
  needing the password itself.
  
  
  How to test?
  
  
  Sawmill running (default port 8988), log off Windows and switch to a
  "Standard" Windows non Administrator user.
  
  1) Open "users.cfg" under Sawmills directory "C:\Program Files\Sawmill 8\LogAnalysisInfo" and copy the root_admin Admin password hash.
  
  2) Go to the Sawmill login page in web browser http://VICTIM-IP:8988/ enter username 'admin' and the hash, Tada! your Admin.
  
  
  Finally, Sawmill passwords are hashed using vulnerable MD5 algorithm and no
  salt.
  
  
  e.g.
  
  password: abc123
  MD5 hash:
  e99a18c428cb38d5f260853678922e03
  
  
  
  Disclosure Timeline:
  =====================================
  Vendor Notification: January 7, 2017
  CVE-2017-5496 assigned : January 20
  Request status : January 26
  Vendor: Fix avail later in year still no ETA
  Inform vendor public disclose date
  February 18, 2017 : Public Disclosure
  
  
  
  Network Access:
  ===============
  Remote
  
  
  
  Impact:
  ======================
  Information Disclosure
  Privilege Escalation
  
  
  
  Severity Level:
  ================
  High
  
  
  
  [+] Disclaimer
  The information contained within this advisory is supplied "as-is" with no
  warranties or guarantees of fitness of use or otherwise.
  Permission is hereby granted for the redistribution of this advisory,
  provided that it is not altered except by reformatting it, and
  that due credit is given. Permission is explicitly given for insertion in
  vulnerability databases and similar, provided that due credit
  is given to the author. The author is not responsible for any misuse of the
  information contained herein and accepts no responsibility
  for any damage caused by the use or misuse of this information. The author
  prohibits any malicious use of security related information
  or exploits by the author or elsewhere.