CVE-2017-5496
Published 2017-03-15
CVE-2017-5496: Sawmill Enterprise 8.7.9 allows remote attackers to gain login access by leveraging knowledge of a password hash.
Priority: P2 68 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.77% (92.2th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sawmill | sawmill | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP login requests to port 8988 where the password field contains a 32-character hexadecimal string (raw MD5 hash) rather than a plaintext password, indicating a pass-the-hash authentication attempt.
- Alert on file read access to 'users.cfg' under the Sawmill LogAnalysisInfo directory by non-administrative or unexpected user accounts, as this file is world-readable and contains MD5 password hashes.
- Detect access or exfiltration of the path 'C:\Program Files\Sawmill 8\LogAnalysisInfo\users.cfg' by processes or users other than the Sawmill service account.
- Sawmill stores password hashes using unsalted MD5, making them trivially crackable offline and directly reusable in pass-the-hash attacks against the web login.
- The users.cfg file containing all account password hashes is world-readable on Windows, meaning any local non-admin user can read and abuse the hashes.
- The password_checksum field in users.cfg stores the raw MD5 hash value which is accepted directly by the Sawmill login interface, confirming the application performs no additional credential transformation.
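The first detection note above can be expressed as a small log filter. This is an added example, not code from the advisory or from Sawmill: the event tuples, IP addresses and request lines are constructed, and because the page does not name the login form field, the filter assumes any parameter whose name contains "pass".

```python
import re
from urllib.parse import parse_qs, urlsplit

SAWMILL_PORT = 8988  # login port named in the detection note above
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")  # raw MD5 digest in hex
# Assumption: the page does not name the login form field, so every
# parameter whose name contains "pass" is inspected.
PASSWORD_FIELD = re.compile(r"pass", re.IGNORECASE)

# Constructed sample events: (source IP, destination port, request line, body).
SAMPLE_EVENTS = [
    ("10.0.0.5", 8988, "POST / HTTP/1.1", "username=alice&password=Spring%2BRain%2119"),
    ("10.0.0.77", 8988, "POST / HTTP/1.1", "username=admin&password=0123456789abcdef0123456789ABCDEF"),
    ("10.0.0.9", 8080, "POST / HTTP/1.1", "username=bob&password=0123456789abcdef0123456789abcdef"),
    ("10.0.0.12", 8988, "GET /?user=carol&passwd=" + "f" * 32 + " HTTP/1.1", ""),
    ("10.0.0.5", 8988, "POST / HTTP/1.1", "username=dave&password=0123456789abcdef0123456789abcde"),
    ("10.0.0.3", 8988, "garbage", ""),
]


def suspicious_logins(events):
    """Return (source IP, field name) for each hash-shaped password submission."""
    hits = []
    for src, dport, request_line, body in events:
        parts = request_line.split()
        if dport != SAWMILL_PORT or len(parts) != 3:
            continue  # other service, or not a parseable request line
        # Credentials may travel in the query string or in the form body.
        params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
        for name, values in params.items():
            if PASSWORD_FIELD.search(name) and any(MD5_HEX.fullmatch(v) for v in values):
                hits.append((src, name))
    return hits


if __name__ == "__main__":
    for src, field in suspicious_logins(SAMPLE_EVENTS):
        print(f"possible pass-the-hash login from {src} (field {field!r})")
```

A user whose real plaintext password happens to be 32 hexadecimal characters would also match, so hits are leads to correlate with reads of users.cfg rather than confirmed compromises.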
CVSS provenance
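| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |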
References
- http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
- http://packetstormsecurity.com/files/141177/Sawmill-Enterprise-8.7.9-Authentication-Bypass.html
- http://seclists.org/fulldisclosure/2017/Feb/46
- https://www.exploit-db.com/exploits/41395/