"Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution," security researcher Bryan Masters said. The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution, the cybersecurity company added."
"Because the GenerateSecKey() function returns the same 100-byte text strings and these strings are used to derive the cryptographic keys, the keys never change and can be weaponized to decrypt any ticket generated by the server or even encrypt one of the attacker's choosing. This, in turn, opens the door to a scenario where it can be exploited to access files containing valuable data, such as the web.config file, and obtain the machine key required to perform remote code execution via ViewState deserialization."
A vulnerability in Gladinet's CentreStack and Triofox products arises from hard-coded cryptographic keys embedded in GladCtrl64.dll. The GenerateSecKey() function returns identical 100-byte strings that are used to derive encryption keys for access tickets containing authorization data. Because the keys never change, attackers can decrypt or forge tickets to access filesystem resources as authenticated users. Exploitable files include web.config, whose machine key can enable ViewState deserialization and remote code execution. Exploits involve specially crafted requests to /storage/filesvr.dn that leave Username and Password blank, causing the application to fall back to the IIS Application Pool. Nine organizations have been impacted.
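The key-reuse problem summarized above can be shown in miniature. This is an added example, not code from the article or from Gladinet's products. It assumes HMAC-signed tickets in place of the product's ticket encryption and a SHA-256 key derivation; `Install`, `derive_key` and the seed value are hypothetical.

```python
import hashlib, hmac, json, secrets

# Constructed placeholder for a constant compiled into every install (not a real value).
HARDCODED_SEED = b"A" * 100

def derive_key(seed: bytes) -> bytes:
    return hashlib.sha256(seed).digest()

def issue_ticket(key: bytes, claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body.hex() + "." + tag.hex()

def verify_ticket(key: bytes, ticket: str):
    """Return the claims if the ticket authenticates under key, else None."""
    try:
        body_hex, tag_hex = ticket.split(".")
        body, tag = bytes.fromhex(body_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None

class Install:
    """One deployment. seed=None models the fix: a random per-install secret."""
    def __init__(self, seed=None):
        self.key = derive_key(seed if seed is not None else secrets.token_bytes(32))

    def accept(self, ticket: str):
        return verify_ticket(self.key, ticket)

def compare_designs() -> dict:
    claims = {"user": "alice", "path": "/constructed/report.txt"}
    # Weak design: every install derives its key from the same constant, so a
    # ticket minted from the constant alone is accepted by all of them.
    weak_a, weak_b = Install(HARDCODED_SEED), Install(HARDCODED_SEED)
    offline = issue_ticket(derive_key(HARDCODED_SEED), claims)
    # Fixed design: each install generates its own secret at setup time.
    fixed_a, fixed_b = Install(), Install()
    own = issue_ticket(fixed_a.key, claims)
    return {
        "weak_keys_identical": weak_a.key == weak_b.key,
        "weak_accepts_offline_ticket": weak_a.accept(offline) == claims and weak_b.accept(offline) == claims,
        "fixed_accepts_own_ticket": fixed_a.accept(own) == claims,
        "fixed_rejects_other_install": fixed_b.accept(own) is None,
        "fixed_rejects_offline_ticket": fixed_a.accept(offline) is None,
    }

if __name__ == "__main__":
    print(compare_designs())
```

With a per-install secret, a ticket valid on one server tells an outsider nothing about any other, and rotating that secret invalidates every outstanding ticket.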
#gladinet-centrestack #hard-coded-cryptographic-keys #viewstate-deserialization #remote-code-execution
Read at The Hacker News