This repository was archived by the owner on Dec 18, 2022. It is now read-only.

CVE-2022-23348

Vulnerability

BigAnt Server version 5.6.06 suffers from Use of Password Hash With Insufficient Computational Effort.

Prerequisites

Example 01: None
Example 02: None
Example 03: Local client system access

Exploit

Example 01: Service Admin Password

Combined with improper access control, the Service Admin password can be retrieved from the following URL by any unauthenticated user. The password is stored as an MD5 hash, a format that is easily cracked:
http://<IPaddress>:8000/Runtime/Data/ms_admin.php


Example 02: SQL Logs - User Passwords

Combined with improper access control, all SQL log files are accessible to any unauthenticated user under the following base URL: http://<IPaddress>:8000/Runtime/Logs/

Directories and log file names can be easily discovered and downloaded. All SQL changes, including the MD5 password hashes for the Super Admin and every other account, can be retrieved.
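Added here as an example of the fix for the hash weakness reported in Example 01 and Example 02, not code from the advisory or from BigAnt: a legacy unsalted MD5 record is verified once and then replaced with a salted PBKDF2-HMAC-SHA256 record, so the weak hashes leave the database as users log in; the record layout, iteration count and salt size are assumptions. The last function shows why the unsalted format leaks information even before anything is cracked.

```python
import hashlib
import hmac
import secrets

# Parameters of the replacement scheme (assumed values for this example, not BigAnt's).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: the format the advisory reports for the stored passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(stored: str, password: str) -> tuple[bool, str]:
    """Verify `password` against a record in either format.

    Returns (ok, record_to_store). A legacy MD5 record that verifies is
    replaced by a fresh PBKDF2 record, so the weak hash leaves the database
    on the user's next successful login without forcing a password reset.
    """
    if stored.startswith("pbkdf2_sha256$"):
        _, iterations, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest.hex(), digest_hex), stored

    # Anything else is treated as a legacy unsalted MD5 hex record.
    ok = hmac.compare_digest(legacy_md5(password), stored.lower())
    return ok, (hash_password(password) if ok else stored)


def shared_password_groups(records: dict[str, str]) -> list[set[str]]:
    """One cost of an unsalted hash: accounts sharing a password have identical
    records, so the overlap is visible without cracking anything.
    `records` maps username -> stored legacy MD5 hex."""
    by_hash: dict[str, set[str]] = {}
    for user, digest in records.items():
        by_hash.setdefault(digest.lower(), set()).add(user)
    return [users for users in by_hash.values() if len(users) > 1]
```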


Example 03: UltraVNC access

The UltraVNC client is installed by default, so any client can simply run it and connect to other clients on which the service is running.


A password is required; it is stored locally and is the same on every client. It is stored in encrypted form, however.


It can be easily cracked with a freely downloadable program.


Timeline

12-01-2021: Submitted vulnerabilities to vendor via email
12-01-2021: Vendor responded asking for more details
12-02-2021: Responded to vendor with additional details
12-02-2021: Vendor responded stating looking into vulnerabilities
12-29-2021: Emailed vendor, no response
01-11-2022: Emailed vendor, no response
01-12-2022: Requested CVEs
01-28-2022: CVEs assigned, no response from vendor
02-26-2022: Emailed vendor, no response
03-21-2022: PoC/CVE published

Reference

MITRE CVE-2022-23348
BigAnt Software

Disclaimer

Content is for educational and research purposes only. Author doesn’t hold any responsibility over the misuse of the software, exploits or security findings contained herein and does not condone them whatsoever.