CVE-2017-5496
published 2017-03-15

CVE-2017-5496: Sawmill Enterprise 8.7.9 allows remote attackers to gain login access by leveraging knowledge of a password hash.

Priority: P268
Severity: critical (CVSS 3.0 base score 9.8)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 5.77% (92.2nd percentile)

Affected (1 range)

Vendor    Product   Version range   Fixed in
sawmill   sawmill   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

hash      b7ec7bc98c42c4908dfc50450b4521d0
filename  users.cfg
path      C:\Program Files\Sawmill 8\LogAnalysisInfo
port      8988
url       http://VICTIM-IP:8988/
hash      e99a18c428cb38d5f260853678922e03
  • Monitor HTTP login requests to port 8988 where the password field contains a 32-character hexadecimal string (the shape of a raw MD5 digest) rather than a plaintext password, indicating a pass-the-hash authentication attempt. A user who legitimately chose a 32-character hex password would also match, so treat a hit as high-signal rather than conclusive and confirm it against the stored checksums.
  • Alert on file read access to 'users.cfg' under the Sawmill LogAnalysisInfo directory by non-administrative or unexpected user accounts, as this file is world-readable and contains MD5 password hashes.
  • Detect access or exfiltration of the path 'C:\Program Files\Sawmill 8\LogAnalysisInfo\users.cfg' by processes or users other than the Sawmill service account.
  • Sawmill stores password hashes as unsalted MD5, making them trivially crackable offline and directly reusable in pass-the-hash attacks against the web login.
  • The users.cfg file containing all account password hashes is world-readable on Windows, meaning any local non-admin user can read and abuse the hashes.
  • The password_checksum field in users.cfg stores the raw MD5 hash value, which is accepted directly by the Sawmill login interface, confirming the application performs no additional credential transformation.
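The two halves of the detection list above (hash-shaped passwords in login traffic, and unsalted password_checksum values in users.cfg) can be exercised together. The following is an added example, not code from the page or from Sawmill: it flags POST login requests on port 8988 whose password field is a bare MD5 hex string, extracts password_checksum values from a users.cfg-style snippet, and shows why an unsalted MD5 store is crackable with a single wordlist pass. The space-separated key=value request log, the nested brace layout of the config snippet, and the `username`/`password` form field names are assumptions made for the example; only the port, the filename, the password_checksum field name and the two hash values come from the page.

```python
import hashlib
import re
from urllib.parse import parse_qs

# 32 hex characters: the shape of a raw MD5 digest.
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed request log (assumed format, not Sawmill's access log):
# space-separated key=value fields, POST body URL-encoded in body=...
SAMPLE_REQUEST_LOG = """\
src=10.0.0.5 dport=8988 method=POST path=/ body=username=admin&password=S3cretPass
src=10.0.0.9 dport=8988 method=POST path=/ body=username=admin&password=e99a18c428cb38d5f260853678922e03
src=10.0.0.9 dport=8988 method=GET path=/ body=
src=10.0.0.7 dport=8080 method=POST path=/ body=username=x&password=e99a18c428cb38d5f260853678922e03
"""

# Constructed users.cfg-style snippet. The nested key = "value" layout is an
# assumption about Sawmill's config syntax; only password_checksum is from the page.
SAMPLE_USERS_CFG = """\
users = {
  admin = {
    username = "admin"
    password_checksum = "e99a18c428cb38d5f260853678922e03"
    administrator = "true"
  }
  auditor = {
    username = "auditor"
    password_checksum = "b7ec7bc98c42c4908dfc50450b4521d0"
    administrator = "false"
  }
}
"""

WORDLIST = ["password", "admin", "letmein", "abc123"]  # constructed, deliberately tiny


def parse_kv_line(line):
    """Split a constructed log line into a dict; body= keeps its '&'/'=' intact."""
    fields = {}
    for token in line.split(" "):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def flag_hash_logins(log_text, port=8988, password_field="password"):
    """Return (src, md5) for POST logins on `port` whose password is a bare MD5 hex string."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_kv_line(line)
        if rec.get("dport") != str(port) or rec.get("method") != "POST":
            continue
        body = parse_qs(rec.get("body", ""))
        for candidate in body.get(password_field, []):
            if MD5_HEX.match(candidate):
                hits.append((rec["src"], candidate.lower()))
    return hits


USER_RE = re.compile(r'username\s*=\s*"([^"]+)"')
HASH_RE = re.compile(r'password_checksum\s*=\s*"([0-9a-fA-F]{32})"')


def extract_checksums(cfg_text):
    """Pair each username with the password_checksum that follows it in the snippet."""
    users, current = {}, None
    for line in cfg_text.splitlines():
        m = USER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = HASH_RE.search(line)
        if m and current:
            users[current] = m.group(1).lower()
            current = None
    return users


def crack_unsalted_md5(checksums, wordlist):
    """Unsalted MD5: hash each candidate once and it covers every user at the same time."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in checksums.items() if h in lookup}


if __name__ == "__main__":
    print("hash-shaped logins:", flag_hash_logins(SAMPLE_REQUEST_LOG))
    stored = extract_checksums(SAMPLE_USERS_CFG)
    print("stored checksums:", stored)
    # Whatever is not cracked is still usable as-is against the login (pass-the-hash).
    print("cracked:", crack_unsalted_md5(stored, WORDLIST))
```

The request from 10.0.0.9 is the only hit: the 8080 request is off-port and the plaintext login is not hash-shaped. The admin checksum falls to the wordlist immediately (it is MD5 of "abc123"); the auditor checksum does not, but as the bullets above note, an uncracked checksum is no obstacle when the login accepts the hash itself.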

CVSS provenance

NVD  CVSS v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD  CVSS v2.0  5.0  MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N