SHARE
TWEET

Untitled

a guest Jun 14th, 2020 434 in 10 days
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Credit:
  2. #### Author: Amel BOUZIANE-LEBLOND
  3. #### Date: 2020-June-14
  4. #### CVE-2020-14011
  5. ### Affected version:
  6. Lansweeper 6.0.x through 7.2
  7. Platform: Windows 10
  8.  
  9.  
  10.  
  11. ### Title:
  12. Incorrect Access Control.
  13.  
  14. ### Category:
  15. Exploit
  16.  
  17. ### Severity:
  18. Critical
  19.  
  20. ### Description:
  21. Lansweeper 6.0.x through 7.2.x has a default installation in which the
  22. admin password is configured for the admin account, unless "Built-in
  23. admin" is manually unchecked. This allows command execution via the
  24. Add New Package and Scheduled Deployments features.
  25.  
  26. ### Other observation:
  27. Hi, This issue is kind of critical,
  28. By using shodan with this filter title:"Lansweeper - Login"
  29. We will find some Lansweeper with default installation on it
  30.  
  31.  
  32. ### Details:
  33. The Lansweeper application is agentless network inventory software that can be used for IT asset management.
  34. It uses the ASP.NET technology on its web application.
  35.  
  36. ### Analysis:
  37. When you install Lansweeper 6.0 or a more recent Lansweeper release and access the web console for the first time,
  38. you are presented with a First Run Wizard,
  39. which allows you to set up scanning and configure some basic options.
  40. Any subsequent times you access the console,
  41. you are presented with a login screen.
  42. By default, everyone in your network can access all of Lansweeper's features and menus simply by browsing to the web console URL and hitting the Built-in Admin button.
  43.  
  44. ### Suggested mitigation:
  45. restrict access to the console and configure what users can see or do once they've been granted access.
  46. You assign a built-in or custom user role, a set of permissions, to user groups or individual user accounts.
  47. A user's role determines what the user can see or do within the console..
  48.  
  49. ### Impact/Risk:
  50. Remote code execution
  51. can expose the organization to unauthorized access of data and programs, fraud.
  52.  
  53. --
  54. Amel BOUZIANE-LEBLOND
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top