Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.
MyLittleAdmin is a web-based management tool specially designed for MS SQL Server. It fully works with MS SQL Server. While the product appears to be discontinued (no new releases since 2013) it is still being offered on the company web site as well as part of the optional installation of Plesk. Furthermore, there are numerous active installations present on the Internet.
This vulnerability is due to .NET serialization issues when processing HTTP requests. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution or arbitrary file creation or deletion.
If myLittleAdmin is installed, an unauthenticated remote attacker can run arbitrary code on behalf of IUSRPLESK_sqladmin. MyLittleAdmin utilizes a hardcoded machineKey for all installations, this value is kept in the file: C:\Program Files (x86)\MyLittleAdmin\web.config
An attacker having this knowledge can then serialize objects that will be parsed by the ASP code used by the server as if it were MyLittleAdmin’s serialized object. This allow an attacker to execute commands on the remote server. The following is the hardcoded key used by MyLittleAdmin, by inserting its values into any malicious binary, it is possible to create a payload that will execute a command of our choice:
Watch the video to learn more about this and other important vulnerabilities.
The CVSS Base score of this vulnerability is 9.8 (Critical)
MyLittleAdmin version 3.8, and few older versions are also affected.
As per SSD-Disclosure, this vulnerability was disclosed to SSD Secure Disclosure program by an anonymous security researcher.
A publicly disclosed exploit code is available here. myLittleAdmin is an old web-based management tool specially designed for MS SQL Server.It allows managing most objects of MS SQL Server databases and servers through a web browser.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system. It is used by companies such as RackSpace, Unilever, NASA etc.
Virsec Security Platform (VSP) Support
VSP-Host monitors processes that are spawned which are not part of a set of whitelisted process. Any attempt to execute new command or unknown binary would be denied by VSP-Host’s Process Monitoring capability.