exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Lansweeper 7.2 Default Account / Remote Code Execution

Lansweeper 7.2 Default Account / Remote Code Execution
Posted Jun 23, 2020
Authored by Amel Bouziane-Leblond

Lansweeper version 7.2 has a default admin account enabled which allows for remote code execution.

tags | exploit, remote, code execution
advisories | CVE-2020-14011
SHA-256 | 2073135423a87b7e2be3d1d7241576c43e03f2b3a632fa7737f4c3ae63e5d661

Lansweeper 7.2 Default Account / Remote Code Execution

Change Mirror Download
# Exploit Title: Lansweeper 7.2 - Incorrect Access Control
# SHODAN DORK : title:"Lansweeper - Login"
# Date: 2020-06-14
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.lansweeper.com/
# Software Link: https://www.lansweeper.com
# Version: 6.0.x through 7.2.x
# Tested on: Windows
# CVE : CVE-2020-14011

### Title:
Incorrect Access Control.

### Category:
Exploit

### Severity:
Critical

### Description:
Lansweeper 6.0.x through 7.2.x has a default installation in which the
admin password is configured for the admin account, unless "Built-in
admin" is manually unchecked. This allows command execution via the
Add New Package and Scheduled Deployments features.

### Other observation:
Hi, This issue is kind of critical,
By using shodan with this filter title:"Lansweeper - Login"
We will find some Lansweeper with default installation on it


### Details:
The Lansweeper application is agentless network inventory software that can be used for IT asset management.
It uses the ASP.NET technology on its web application.

### Analysis:
When you install Lansweeper 6.0 or a more recent Lansweeper release and access the web console for the first time,
you are presented with a First Run Wizard,
which allows you to set up scanning and configure some basic options.
Any subsequent times you access the console,
you are presented with a login screen.
By default, everyone in your network can access all of Lansweeper's features and menus simply by browsing to the web console URL and hitting the Built-in Admin button.

### Suggested mitigation:
restrict access to the console and configure what users can see or do once they've been granted access.
You assign a built-in or custom user role, a set of permissions, to user groups or individual user accounts.
A user's role determines what the user can see or do within the console..

### Impact/Risk:
Remote code execution
can expose the organization to unauthorized access of data and programs, fraud.

--
Amel BOUZIANE-LEBLOND
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close