CVE-2020-13166 MyLittleAdmin PreAuth RCE

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

MyLittleAdmin is a web-based management tool designed specifically for MS SQL Server and fully supports it. While the product appears to be discontinued (no new releases since 2013), it is still offered on the company web site and as an optional component of the Plesk installation. Furthermore, numerous active installations are present on the Internet.

This vulnerability is due to unsafe .NET deserialization when processing HTTP requests. A remote, unauthenticated attacker can exploit it by sending a crafted request. Successful exploitation results in arbitrary code execution or arbitrary file creation or deletion.

If myLittleAdmin is installed, an unauthenticated remote attacker can run arbitrary code as the IUSRPLESK_sqladmin account. MyLittleAdmin uses a hardcoded machineKey for all installations; the value is stored in the file C:\Program Files (x86)\MyLittleAdmin\web.config

An attacker who knows this key can serialize objects that the server's ASP.NET code will parse as if they were MyLittleAdmin's own serialized objects. This allows the attacker to execute commands on the remote server. The following is the hardcoded key used by MyLittleAdmin; by inserting its values into any malicious binary, it is possible to create a payload that will execute a command of the attacker's choice:
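The key value itself is not reproduced in this write-up. What a defender can do with the description above is audit installs for the weakness and replace the shared key. The Python below is an added example, not Virsec's or MyLittleAdmin's code: it parses a web.config, flags a machineKey whose values match a known vendor-shipped key (the real key would go in `KNOWN_SHIPPED_KEYS`; the hex values in the sample are placeholders), flags legacy validation settings and a disabled ViewState MAC, and emits a replacement element with freshly generated per-install keys. The sample web.config is constructed and only mimics the shape of the real file.

```python
"""Audit an ASP.NET web.config for a shared/static machineKey and regenerate it.

Added example for this write-up, not Virsec or MyLittleAdmin code. The sample
web.config and key values below are constructed placeholders, not the real key.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders (NOT the real MyLittleAdmin key): 128 and 64 hex chars,
# the sizes ASP.NET expects for a 64-byte validation key and a 32-byte AES key.
PLACEHOLDER_VALIDATION_KEY = "AB" * 64
PLACEHOLDER_DECRYPTION_KEY = "CD" * 32

# Constructed sample resembling a web.config that ships a static machineKey
# and, for illustration, also turns the ViewState MAC off.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}"
                decryptionKey="{PLACEHOLDER_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Keys known to ship with a product's install media (uppercase hex). In a real
# audit the value taken from the vendor's web.config would be listed here.
KNOWN_SHIPPED_KEYS = frozenset({PLACEHOLDER_VALIDATION_KEY, PLACEHOLDER_DECRYPTION_KEY})


def audit_machine_key(xml_text, known_shipped_keys=KNOWN_SHIPPED_KEYS):
    """Return (severity, code, message) findings for the machineKey configuration."""
    root = ET.fromstring(xml_text)
    findings = []
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # Absent attribute means ASP.NET auto-generates a per-machine key.
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if "AutoGenerate" in value:
                continue
            key = value.split(",")[0].strip().upper()
            if key in known_shipped_keys:
                findings.append(("critical", "shipped-" + attr,
                                 f"{attr} matches a vendor-shipped key; every install shares it"))
            else:
                findings.append(("info", "static-" + attr,
                                 f"{attr} is static; confirm it was generated for this install"))
        # Default assumed here is the .NET 4.x default (HMACSHA256).
        algo = mk.get("validation", "HMACSHA256").upper()
        if not algo.startswith("HMACSHA"):
            findings.append(("medium", "weak-validation",
                             f"validation={algo}; use HMACSHA256 or stronger"))
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "viewstate-mac-disabled",
                         "enableViewStateMac is false; ViewState is accepted without a MAC"))
    return findings


def fresh_machine_key_element():
    """Build a <machineKey> with random per-install keys (64-byte validation, 32-byte AES)."""
    return ET.Element("machineKey", {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    })


def harden_config(xml_text):
    """Return xml_text with the machineKey regenerated and the ViewState MAC re-enabled."""
    root = ET.fromstring(xml_text)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    old = system_web.find("machineKey")
    if old is not None:
        system_web.remove(old)
    system_web.insert(0, fresh_machine_key_element())
    pages = system_web.find("pages")
    if pages is None:
        pages = ET.SubElement(system_web, "pages")
    pages.set("enableViewStateMac", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for severity, code, message in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {code}: {message}")
    print(harden_config(SAMPLE_WEB_CONFIG))
```

A static key is not wrong by itself (web farms need one shared across their own nodes), which is why only a match against a known shipped key is rated critical; the regenerated element must be deployed to every node of the same application, and each product install must get its own.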


CVSS Score

The CVSS base score of this vulnerability is 9.8 (Critical).

Affected Version

MyLittleAdmin version 3.8 is affected, as are some older versions.

Vulnerability Attribution

As reported by SSD-Disclosure, this vulnerability was disclosed to the SSD Secure Disclosure program by an anonymous security researcher.

Risk Impact

Publicly disclosed exploit code is available. myLittleAdmin is an old web-based management tool designed specifically for MS SQL Server; it allows managing most objects of MS SQL Server databases and servers through a web browser.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system. The product is used by companies such as RackSpace, Unilever and NASA.

Virsec Security Platform (VSP) Support

VSP-Host monitors spawned processes that are not part of a set of whitelisted processes. Any attempt to execute a new command or an unknown binary is denied by VSP-Host's Process Monitoring capability.
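The control described above amounts to a parent/child process policy: the IIS worker process should only ever spawn a small, known set of children. The Python below is an added illustration of that idea, not VSP-Host's code. It reads constructed process-creation events in a simple JSON-lines shape (the field names are this example's own), keeps an allowlist per parent image (the csc.exe entry is an assumed build-time child of w3wp.exe), and flags anything else the worker spawns.

```python
"""Flag child processes of the IIS worker that are not on an allowlist.

Added illustration of process-spawn monitoring, not Virsec's VSP-Host code.
Events are constructed samples; field names are this example's own convention.
"""
import json

# Allowlist of children per parent image, all lower-cased for comparison.
# The csc.exe entry is an assumption standing in for whatever a given site's
# ASP.NET build-time children actually are.
ALLOWED_CHILDREN = {
    r"c:\windows\system32\inetsrv\w3wp.exe": {
        r"c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe",
    },
}

# Constructed sample events (JSON lines), one per process creation.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"user": "IUSRPLESK_sqladmin", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /fullpaths @App_Web.cmdline"},
    {"user": "IUSRPLESK_sqladmin", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"user": "admin", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
])


def parse_events(jsonl_text):
    """Parse JSON-lines process-creation records into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def flag_unexpected_children(events, allowlist=ALLOWED_CHILDREN):
    """Return alerts for children of policed parents that are not allowlisted."""
    alerts = []
    for ev in events:
        parent = ev["parent_image"].lower()
        if parent not in allowlist:
            continue  # no policy for this parent; out of scope
        if ev["image"].lower() not in allowlist[parent]:
            alerts.append({
                "user": ev["user"],
                "parent": ev["parent_image"],
                "child": ev["image"],
                "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_children(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {alert['parent']} spawned {alert['child']} as {alert['user']}: {alert['cmdline']}")
```

In a monitoring deployment the same comparison runs on each process-creation event and the result is a block rather than a log line; in a detection pipeline the allowlist should be built from a baseline of the site's real w3wp.exe children before it is enforced.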


About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.