Twenty Year Anniversary

Acunetix Web Vulnerability Scanner 11 Privilege Escalation

Acunetix Web Vulnerability Scanner 11 Privilege Escalation
Posted May 29, 2017
Authored by Florian Bogner

Acunetix Web Vulnerability Scanner 11 suffers from multiple local privilege escalation vulnerabilities.

tags | advisory, web, local, vulnerability
MD5 | 8287d902a52c6f50355d39a24e2b843b

Acunetix Web Vulnerability Scanner 11 Privilege Escalation

Change Mirror Download
Multiple Local Privilege Escalation Vulnerabilities in Acunetix Web Vulnerability Scanner 11

Metadata
===============================================================================
Release Date: 28-May-2017
Author: Florian Bogner @ https://bogner.sh
Affected product: Acunetix Web Vulnerability Scanner 11 (https://www.acunetix.com/)
Issue verified on: Windows 7
Vulnerability Status: Fixed
Fixed Version: Acunetix WVS 11.0.170941159 released on 04-April-2017
CVE: Not requested
Full Details: https://bogner.sh/2017/05/another-local-privilege-escalation-in-acunetix-11/ and https://bogner.sh/2017/05/local-privilege-escalation-in-acunetix-11/

Product Description
===============================================================================
"Acunetix is the leading web vulnerability scanner used by serious fortune 500 companies and widely acclaimed to include the most advanced SQL injection and XSS black box scanning technology. It automatically crawls your websites and performs black box AND grey box hacking techniques which finds dangerous vulnerabilities that can compromise your website and data.

Acunetix tests for SQL Injection, XSS, XXE, SSRF, Host Header Injection and over 3000 other web vulnerabilities. It has the most advanced scanning techniques generating the least false positives possible. Inbuilt vulnerability management helps you prioritize and manage vulnerability resolution." (https://www.acunetix.com/)


Vulnerability 1: Local Privilege Escalation through Unsecured Database Server
===============================================================================
Acunetix WVS uses a PostgreSQL database in the backend to store all its data. However, because of the disabled authentication for local connections and cleartext credentials within a user readable configuration file, it was possible to gain full control over this database. As the database's Windows service was also configured to run as LOCAL SYSTEM, this could be abused to drop arbitrary file. As documented in the full report, this could further be exploited (using sqlmap) to gain full control over the affected target system.

Full Details: https://bogner.sh/2017/05/another-local-privilege-escalation-in-acunetix-11/


Vulnerability 2: Local Privilege Escalation through DLL Sideloading
===============================================================================
Additionally a DLL sideloading vulnerability was discovered in the Acunetix Windows service. As this service was also configured to run as LOCAL SYSTEM, it could also be abused to gain full control over the target.

Full Details: https://bogner.sh/2017/05/local-privilege-escalation-in-acunetix-11/


Suggested Solution
===============================================================================
Update to the latest version.


Disclosure Timeline
===============================================================================
5.1.2017: The issues have been documented and reported
6.1.2017: The issues have already been escalated to R&D
31.3.2017: Asked for update
4.4.2017: Fixed version (build 11.0.170941159) has been released
28.5.2017: Public disclosure


Florian Bogner

eMail: florian@bogner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    6 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    3 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close