CVE-2020-13166 — A Look at MyLittleAdmin PreAuth RCE

Imriah
SSD Secure Disclosure
Jan 18, 2021

On May 15, 2020, SSD reported on a Remote Code Execution vulnerability found in the management tool MyLittleAdmin. This vulnerability allows attackers to execute commands on the remote server without prior authentication.

It was reported to SSD by an independent researcher who discovered that an attacker can craft serialized objects that MyLittleAdmin accepts from a remote client and that its ASP code parses as if they were MyLittleAdmin’s own objects. This allows attackers to execute commands on the remote server as if they were authenticated MyLittleAdmin users.

The Tool

MyLittleAdmin is a web-based management tool specially designed for MS SQL Server. It is a stand-alone web application and has been fully integrated with hosting control panels, including Parallels Plesk. Using MyLittleAdmin, you can manage most objects of MS SQL Server databases and servers through a web browser.

While the product appears to be discontinued (no new releases since 2013), it is still offered on the company website and as part of the optional installation of Plesk. There are also numerous active installations and thousands of users present on the Internet, so it is still widely used, and an exploit of it can cause a lot of harm.

The Vulnerability

MyLittleAdmin uses a hardcoded machineKey that is the same in every installation; the value is kept in the file C:\Program Files (x86)\MyLittleAdmin\web.config

An attacker who knows this key can serialize objects that the server’s ASP code will parse as if they were MyLittleAdmin’s own serialized objects. The attacker can then connect to a remote server and send a payload that starts calc.exe in the context of the IIS application engine, which means the attacker can execute arbitrary commands on the remote server.

The Impact

This vulnerability has been one of SSD’s most popular findings in 2020. The advisory itself has been visited numerous times and flooded social media. The findings had also been published on Plesk’s website as well as being promoted by The Hacker News and The Daily Swig.

Numerous attempts have been made to contact the vendor, but we have yet to receive any response, even though we have received many comments saying that this vulnerability was already being exploited.

Luckily, although an official fix has yet to be published, a workaround has been published by Tim Aplin from Umbrellar thanks to our great community:

1. Go into IIS > Machine Keys > Generate new Key > Apply
2. Run: IISreset
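The workaround above regenerates the per-installation machineKey that the vulnerability depends on. The following script, added here as an illustration and not code from MyLittleAdmin, SSD or Umbrellar, shows how a defender can audit a web.config for a static machineKey (as opposed to the ASP.NET AutoGenerate default), detect the same key reused across several installations, and produce a freshly generated replacement equivalent to the IIS "Generate Keys" step. The sample web.config, its key values and the helper names are constructed for this example; the real MyLittleAdmin key is not reproduced here.

```python
"""Audit an ASP.NET web.config for a static <machineKey> and build a fresh one.
Added example; not code from MyLittleAdmin, SSD or Umbrellar. The key values in
the samples are constructed placeholders, not the real MyLittleAdmin key."""
import re
import secrets
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Validation algorithms considered legacy; HMACSHA256 and stronger are preferred.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}

# Constructed sample: a web.config that ships one fixed machineKey with every
# install, the pattern the advisory describes. Hex values are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
""".format(v="AB" * 64, d="CD" * 32)

# Constructed sample of the safe default: keys derived per machine by IIS.
AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def _is_static(value):
    """A literal hex key is static; 'AutoGenerate[,IsolateApps]' or a missing
    attribute means IIS derives the key per machine."""
    return value is not None and bool(HEX_RE.match(value))


def audit_machine_key(config_xml):
    """Return findings for the <machineKey> element of one web.config."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return {"present": False, "static_validation_key": False,
                "static_decryption_key": False, "legacy_validation": False,
                "validation_key": None}
    vkey, dkey = mk.get("validationKey"), mk.get("decryptionKey")
    algo = (mk.get("validation") or "HMACSHA256").upper()
    return {"present": True,
            "static_validation_key": _is_static(vkey),
            "static_decryption_key": _is_static(dkey),
            "legacy_validation": algo in LEGACY_VALIDATION,
            "validation_key": vkey}


def fresh_machine_key():
    """Random per-installation keys: 64 bytes for HMACSHA256 validation,
    32 bytes for AES decryption, hex-encoded as IIS expects."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}


def rotate_machine_key(config_xml):
    """Return config_xml with a freshly generated <machineKey>; this is the
    effect of the IIS 'Generate Keys' step (an iisreset is still required)."""
    root = ET.fromstring(config_xml)
    web = root.find("system.web")
    if web is None:
        web = ET.SubElement(root, "system.web")
    mk = web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    for attr, val in fresh_machine_key().items():
        mk.set(attr, val)
    return ET.tostring(root, encoding="unicode")


def shared_validation_keys(configs):
    """Static validationKeys that appear in more than one config: the fleet-wide
    reuse that lets a single known machineKey work against every installation."""
    seen, shared = {}, set()
    for cfg in configs:
        key = audit_machine_key(cfg)["validation_key"]
        if _is_static(key):
            seen[key] = seen.get(key, 0) + 1
            if seen[key] > 1:
                shared.add(key)
    return shared


if __name__ == "__main__":
    print("sample:", audit_machine_key(SAMPLE_WEB_CONFIG))
    print("autogen:", audit_machine_key(AUTOGEN_CONFIG))
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

The audit treats only a literal hex value as static, so an installation left on the ASP.NET AutoGenerate default is not flagged, while a key found verbatim in more than one web.config is reported by shared_validation_keys as the cross-installation reuse that makes this class of bug exploitable. Rotating the key is only effective if every server that shares it is rotated, and the application pool must be restarted (the iisreset step) before the new key is used.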

Found a similar vulnerability? We’ll get you the best reward for it.

At SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software, or devices.

We are constantly publishing our findings, intended to educate our global security researcher community. You can find more vulnerabilities on our Advisories page. If you have findings of your own, you can send them to us using our report template.
