Oct 22, 2020 6:25:52 AM

CVE-2020-13166 MyLittleAdmin PreAuth RCE

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

MyLittleAdmin is a web-based management tool designed specifically for MS SQL Server. Although the product appears to be discontinued (no new releases since 2013), it is still offered on the company's web site and as an optional component of Plesk installations, and numerous active installations remain reachable on the Internet.

This vulnerability is due to .NET deserialization flaws in the handling of HTTP requests. A remote, unauthenticated attacker can exploit it by sending a crafted request. Successful exploitation results in arbitrary code execution, or in arbitrary file creation or deletion.

If myLittleAdmin is installed, an unauthenticated remote attacker can run arbitrary code on behalf of the IUSRPLESK_sqladmin account. MyLittleAdmin uses a hardcoded machineKey for all installations; this value is kept in the file C:\Program Files (x86)\MyLittleAdmin\web.config.

An attacker with knowledge of this key can serialize objects that the server's ASP.NET code will parse as if they were MyLittleAdmin's own serialized objects, which allows the attacker to execute commands on the remote server. The following is the hardcoded key used by MyLittleAdmin; by inserting its values into a malicious binary, it is possible to create a payload that executes a command of the attacker's choice:
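As an added example for defenders (not code from the original advisory, from Virsec, or from MyLittleAdmin), the following Python script audits an ASP.NET web.config for a static machineKey, the condition this advisory describes, and generates a unique per-installation replacement. The sample web.config and its key values are constructed for this example and are not the real MyLittleAdmin key; the function names are this example's own.

```python
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed stand-in for the MyLittleAdmin web.config mentioned in the
# advisory (C:\Program Files (x86)\MyLittleAdmin\web.config). The key values
# below are made up for this example; they are not the real hardcoded key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
"""


def find_machine_key(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the attributes of the <machineKey> element, or None if absent."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    return None if node is None else dict(node.attrib)


def is_static_machine_key(attrs: Optional[Dict[str, str]]) -> bool:
    """True when validationKey or decryptionKey is a literal value.

    ASP.NET treats a missing attribute as AutoGenerate. A literal hex key is
    fixed for the lifetime of the file; a literal key that ships identically
    in every copy of a product is exactly what this advisory describes, since
    anyone who reads one copy can forge objects for every other install.
    """
    if attrs is None:
        return False
    for name in ("validationKey", "decryptionKey"):
        if not attrs.get(name, "AutoGenerate").startswith("AutoGenerate"):
            return True
    return False


def generate_machine_key() -> Dict[str, str]:
    """Fresh per-installation keys: 64 random bytes for HMACSHA256 validation
    and 32 random bytes for AES decryption, upper-case hex as ASP.NET expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str) -> str:
    """Return config_xml with its <machineKey> replaced by unique random keys."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        system_web = next(root.iter("system.web"), None)
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        node = ET.SubElement(system_web, "machineKey")
    node.attrib.clear()
    node.attrib.update(generate_machine_key())
    return ET.tostring(root, encoding="unicode")


def audit(config_xml: str) -> str:
    """One-line finding for a web.config, suitable for a fleet-wide scan."""
    attrs = find_machine_key(config_xml)
    if attrs is None:
        return "no explicit machineKey: keys are auto-generated per server"
    if is_static_machine_key(attrs):
        return "static machineKey: confirm it is unique to this installation or rotate it"
    return "machineKey uses AutoGenerate"


if __name__ == "__main__":
    print(audit(SAMPLE_WEB_CONFIG))
    print(audit(rotate_machine_key(SAMPLE_WEB_CONFIG)))
```

A rotated key is still reported as static, because a literal key is still literal; the point of rotation is that it is now unique to the host rather than shared with every other copy of the product. Rotating the key invalidates existing ViewState and forms-authentication tickets, so schedule it with a service restart.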

Watch the video to learn more about this and other important vulnerabilities.

CVSS Score

The CVSS base score of this vulnerability is 9.8 (Critical).

Affected Version

MyLittleAdmin version 3.8 is affected, as are a few older versions.

Vulnerability Attribution

According to SSD Secure Disclosure, this vulnerability was reported to the SSD Secure Disclosure program by an anonymous security researcher.

Risk Impact

Publicly disclosed exploit code is available. myLittleAdmin is an old web-based management tool designed specifically for MS SQL Server; it allows managing most objects of MS SQL Server databases and servers through a web browser.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system. The product is used by companies such as RackSpace, Unilever, and NASA.

Virsec Security Platform (VSP) Support

VSP-Host monitors spawned processes and checks them against a set of whitelisted processes. Any attempt to execute a new command or an unknown binary is denied by VSP-Host's Process Monitoring capability.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.
