Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/2906b5dc5132dd1319827415e837168f.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.XLog.21
Vulnerability: Authentication Bypass Race Condition
Description: The malware listens on TCP port 5553. Third-party attackers who can reach the system before a password has been set can log on using the default credentials noname/nopass and run the commands made available by the backdoor, including changing the password, thereby potentially locking out the original intruder.
Sending an incorrect username "victim|pass" returns:
Received invalid name parameter!
Sending an incorrect password "noname|pass" returns:
Received incorrect password from client!
Sending the correct default credentials noname|nopass returns no error. Subsequent commands must use the correct pipe delimiter, otherwise the backdoor answers with "Received invalid parameter" errors.
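The listener port, the default credential string and the three error messages above are all fixed, so they make usable network indicators for spotting an XLog backdoor on the wire. The following is an added detection example, not part of the original advisory: it tags constructed flow records (sample data, not real captures) that show traffic to port 5553, the default noname|nopass login, or one of the backdoor's error strings in a reply, and lists the hosts that answered with such a string as likely infected.

```python
# Indicators taken from the advisory: listener port, default credentials and
# the error strings the backdoor returns. The flow records below are
# constructed sample data for the example, not real captures.
XLOG_PORT = 5553
DEFAULT_CREDS = b"noname|nopass"
XLOG_RESPONSES = (
    b"Received invalid name parameter!",
    b"Received incorrect password from client!",
    b"Received invalid parameter",
)

SAMPLE_FLOWS = [
    # src, dst, destination port and the first bytes of the TCP payload
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 5553, "payload": b"noname|nopass"},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "dport": 41022,
     "payload": b"Received incorrect password from client!"},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 443, "payload": b"GET / HTTP/1.1\r\n"},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 5553, "payload": b"victim|pass"},
]


def classify_flow(flow):
    """Return the list of indicator tags matching one flow (empty if nothing matched)."""
    tags = []
    payload = flow["payload"]
    if flow["dport"] == XLOG_PORT:
        tags.append("xlog-port")
        if DEFAULT_CREDS in payload:
            # the unauthenticated window described in the advisory being used
            tags.append("xlog-default-creds")
        elif b"|" in payload:
            # pipe-delimited login attempt with other credentials
            tags.append("xlog-pipe-login-attempt")
    for marker in XLOG_RESPONSES:
        if marker in payload:
            # a reply containing one of the backdoor's own error strings
            tags.append("xlog-error-string")
            break
    return tags


def scan_flows(flows):
    """Return (src, dst, tags) for every flow that matched at least one indicator."""
    hits = []
    for flow in flows:
        tags = classify_flow(flow)
        if tags:
            hits.append((flow["src"], flow["dst"], tags))
    return hits


def infected_hosts(flows):
    """Hosts that emitted an XLog error string are the ones running the listener."""
    return sorted({f["src"] for f in flows if "xlog-error-string" in classify_flow(f)})


if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
    print("likely infected:", infected_hosts(SAMPLE_FLOWS))
```

The error strings are matched on the reply direction, so a host that produces them is the one running the backdoor, whereas the port and credential tags only identify a client talking to it; in a real deployment the records would come from a flow or payload capture rather than the inline list.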
push offset aCmdChangepass ; "cmd changepass"
004018EA mov edx, [ebp+Str1]
004018ED push edx ; Str1
004018EE call _strcmp
004018F3 add esp, 8
004018F6 test eax, eax
004018F8 jnz loc_4019A6
004018FE lea eax, [ebp+Delimiter]
00401901 push eax ; Delimiter
00401902 push 0 ; String
00401904 call _strtok
00401909 add esp, 8
0040190C mov [ebp+Str1], eax
0040190F cmp [ebp+Str1], 0
00401913 jnz short loc_401930
00401915 push offset aReceivedInvali_4 ; "Received invalid parameter (NULL) f"...
0040191A mov ecx, [ebp+s]
0040191D push ecx ; s
0040191E call sub_4019D9
Family: XLog
Type: PE32
MD5: 2906b5dc5132dd1319827415e837168f
Vuln ID: MVID-2022-0543
Disclosure: 04/06/2022
Exploit/PoC:
from socket import *
import time

MALWARE_HOST = "x.x.x.x"   # address of the infected host (placeholder)
PORT = 5553                # TCP port the backdoor listens on

def chk_res(s):
    # Read one 512-byte chunk of the backdoor's reply and return it as text
    # (decoded so the check works on Python 3 as well as Python 2).
    res = ""
    res += s.recv(512).decode("latin-1", "replace")
    # The response check that followed here ('if "...') is cut off in the
    # source; the reply can be matched against the error strings listed above.
    return res
Backdoor.Win32.XLog.21 Authentication Bypass Race Condition
- Details
- Written by: khalil shreateh