Multiple Local Privilege Escalation Vulnerabilities in Acunetix Web Vulnerability Scanner 11


Metadata
===============================================================================
Release Date: 28-May-2017
Author: Florian Bogner @ https://bogner.sh
Affected product: Acunetix Web Vulnerability Scanner 11 (https://www.acunetix.com/)
Issue verified on: Windows 7
Vulnerability Status: Fixed
Fixed Version: Acunetix WVS 11.0.170941159 released on 04-April-2017
CVE: Not requested
Full Details: https://bogner.sh/2017/05/another-local-privilege-escalation-in-acunetix-11/ and https://bogner.sh/2017/05/local-privilege-escalation-in-acunetix-11/

Product Description
===============================================================================
"Acunetix is the leading web vulnerability scanner used by serious fortune 500 companies and widely acclaimed to include the most advanced SQL injection and XSS black box scanning technology. It automatically crawls your websites and performs black box AND grey box hacking techniques which finds dangerous vulnerabilities that can compromise your website and data.

Acunetix tests for SQL Injection, XSS, XXE, SSRF, Host Header Injection and over 3000 other web vulnerabilities. It has the most advanced scanning techniques generating the least false positives possible. Inbuilt vulnerability management helps you prioritize and manage vulnerability resolution." (https://www.acunetix.com/)


Vulnerability 1: Local Privilege Escalation through Unsecured Database Server
===============================================================================
Acunetix WVS uses a PostgreSQL database in the backend to store all its data. However, because authentication was disabled for local connections and the database credentials were stored in cleartext in a user-readable configuration file, it was possible to gain full control over this database. As the database's Windows service was also configured to run as LOCAL SYSTEM, this could be abused to write arbitrary files. As documented in the full report, this could be exploited further (using sqlmap) to gain full control over the affected target system.

Full Details: https://bogner.sh/2017/05/another-local-privilege-escalation-in-acunetix-11/
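The first weakness above is a pg_hba.conf that admits local callers without authentication. The following is an added example, not code from the advisory or from Acunetix: it parses a pg_hba.conf and flags every record whose method lets a caller in without a real authentication step. The two configurations embedded in it are constructed for the example (the weak one mirrors the setting class the advisory describes, the other is its hardened counterpart); neither is the file shipped with the product.

```python
"""Audit a PostgreSQL pg_hba.conf for records that admit callers without
authentication.  Added example; not code from the advisory or from Acunetix.
Both configurations below are constructed for this example."""

# Constructed: a bundled-database pg_hba.conf that trusts every local caller.
# Any local user can connect as the 'postgres' superuser without a password.
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   127.0.0.1/32  trust
host    all       all   ::1/128       trust
"""

# Constructed: the same records with real authentication.  The password then
# has to live in a file readable only by the service account, not by every
# local user, or the second weakness in the advisory reappears.
HARDENED_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 scram-sha-256
host    all       all   127.0.0.1/32  scram-sha-256
host    all       all   ::1/128       scram-sha-256
"""

KNOWN_METHODS = {
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "pam", "ldap", "radius", "cert", "bsd",
}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def parse_pg_hba(text):
    """Parse pg_hba.conf records into dicts.

    Layout (PostgreSQL docs): TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS].
    'local' records have no ADDRESS; host records carry either CIDR notation
    or the older "IP NETMASK" pair, which occupies two fields.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        f = line.split()
        rtype = f[0]
        if rtype == "local" and len(f) >= 4:
            rec = dict(line=lineno, type=rtype, database=f[1], user=f[2],
                       address=None, method=f[3], options=f[4:])
        elif rtype in HOST_TYPES and len(f) >= 5:
            if f[4] in KNOWN_METHODS:                        # CIDR form
                address, method, options = f[3], f[4], f[5:]
            elif len(f) >= 6 and f[5] in KNOWN_METHODS:      # IP NETMASK form
                address, method, options = f"{f[3]} {f[4]}", f[5], f[6:]
            else:
                raise ValueError(f"pg_hba.conf line {lineno}: cannot find METHOD")
            rec = dict(line=lineno, type=rtype, database=f[1], user=f[2],
                       address=address, method=method, options=options)
        else:
            raise ValueError(f"pg_hba.conf line {lineno}: malformed record {raw!r}")
        records.append(rec)
    return records


def audit_pg_hba(text):
    """Return (line, severity, message) for every record that lets a caller
    connect without proving anything, or that exposes the secret in transit."""
    findings = []
    for r in parse_pg_hba(text):
        where = f"{r['type']} {r['database']} {r['user']}"
        if r["address"]:
            where += f" {r['address']}"
        if r["method"] == "trust":
            findings.append((r["line"], "critical",
                             f"{where}: 'trust' accepts any matching caller as any "
                             "role without a password; a low-privileged local user "
                             "gets full control of the database"))
        elif r["method"] == "password":
            findings.append((r["line"], "warning",
                             f"{where}: 'password' sends the secret in cleartext; "
                             "use scram-sha-256"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        print(f"[{label}]")
        for line, sev, msg in audit_pg_hba(cfg) or [("-", "ok", "no unauthenticated records")]:
            print(f"  line {line}: {sev}: {msg}")
```

On a live server `SHOW hba_file;` prints the path of the file to feed in, and `SELECT pg_reload_conf();` applies an edit without a restart. Removing `trust` closes only the first half of the issue: a database superuser can still make the server process read and write files on the host, so the bundled PostgreSQL should also run under a dedicated low-privileged service account rather than LOCAL SYSTEM.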


Vulnerability 2: Local Privilege Escalation through DLL Sideloading
===============================================================================
Additionally, a DLL sideloading vulnerability was discovered in the Acunetix Windows service. As this service was also configured to run as LOCAL SYSTEM, it could likewise be abused to gain full control over the target.

Full Details: https://bogner.sh/2017/05/local-privilege-escalation-in-acunetix-11/
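DLL sideloading works because a service that loads a library by bare name walks a fixed directory search order, and the first directory on that path that an unprivileged user can write to wins. The following added example, not code from the advisory or from Acunetix, models that search order and reports, for a constructed scenario, which DLLs a low-privileged user could substitute. The install directory, DLL names, directory listings and ACL results are all hypothetical; the advisory does not name the DLL the Acunetix service loaded.

```python
"""Model the Windows DLL search order to find sideloading opportunities in a
service that runs as LOCAL SYSTEM.  Added example; not code from the advisory
or from Acunetix.  Directory contents, DLL names and the set of directories
writable by an unprivileged user are constructed for this example."""

SYSTEM_ROOT = r"C:\Windows"


def search_order(app_dir, cwd, path_dirs):
    """Search order for a DLL loaded by bare name with SafeDllSearchMode on
    (the Windows default).  KnownDLLs are mapped straight from System32 and
    are outside this model.  A directory that appears twice is searched once."""
    order = [app_dir, SYSTEM_ROOT + r"\System32", SYSTEM_ROOT + r"\System",
             SYSTEM_ROOT, cwd] + list(path_dirs)
    seen, deduped = set(), []
    for d in order:
        if d.lower() not in seen:
            seen.add(d.lower())
            deduped.append(d)
    return deduped


def find_sideloading(app_dir, imports, dir_contents, writable_dirs, cwd, path_dirs):
    """For each DLL the binary loads by bare name, report the directory it
    resolves from and every searched directory, up to and including that one,
    where an unprivileged user can write.  A writable directory ahead of the
    real DLL wins the search; a DLL missing everywhere makes every directory
    a candidate."""
    order = search_order(app_dir, cwd, path_dirs)
    contents = {d.lower(): {n.lower() for n in names} for d, names in dir_contents.items()}
    writable = {d.lower() for d in writable_dirs}
    findings = []
    for dll in imports:
        name = dll.lower()
        resolved_in = next((d for d in order if name in contents.get(d.lower(), set())), None)
        searched = order if resolved_in is None else order[: order.index(resolved_in) + 1]
        plant_dirs = [d for d in searched if d.lower() in writable]
        findings.append({"dll": dll, "resolved_in": resolved_in,
                         "plant_dirs": plant_dirs, "hijackable": bool(plant_dirs)})
    return findings


# Constructed scenario; every name below is hypothetical.
APP_DIR = r"C:\Program Files\ExampleService"
SERVICE_CWD = SYSTEM_ROOT + r"\System32"        # the SCM starts services here
PATH_DIRS = [SYSTEM_ROOT + r"\System32", SYSTEM_ROOT, r"C:\Tools"]
DIR_CONTENTS = {
    APP_DIR: {"examplesvc.exe", "libcrypto-1_1.dll"},
    SYSTEM_ROOT + r"\System32": {"version.dll", "ntdll.dll"},
    r"C:\Tools": set(),
}
IMPORTS = ["version.dll", "libcrypto-1_1.dll", "helper.dll"]
# Case A: only a PATH entry is user-writable.  Case B: the install directory
# itself is writable, e.g. because the installer left a permissive ACL.
WRITABLE_A = {r"C:\Tools"}
WRITABLE_B = {APP_DIR, r"C:\Tools"}


if __name__ == "__main__":
    for label, writable in (("A", WRITABLE_A), ("B", WRITABLE_B)):
        print(f"case {label}:")
        for f in find_sideloading(APP_DIR, IMPORTS, DIR_CONTENTS, writable, SERVICE_CWD, PATH_DIRS):
            state = "HIJACKABLE via " + ", ".join(f["plant_dirs"]) if f["hijackable"] else "ok"
            print(f"  {f['dll']:<20} resolves in {f['resolved_in'] or '<not found>'}: {state}")
```

In case A only the DLL that exists nowhere is exposed, through the writable PATH entry; in case B every import is, because the install directory is searched first. On a real host the inputs come from the file system, from an ACL check of each directory on the path (icacls or Get-Acl), and from the service binary's import table or from "NAME NOT FOUND" load events in Process Monitor. The fixes on the developer side are loading libraries by absolute path or restricting the search with SetDefaultDllDirectories / LOAD_LIBRARY_SEARCH_SYSTEM32; on the deployment side, an administrator-only ACL on the install directory and a service account with fewer rights than LOCAL SYSTEM.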


Suggested Solution
===============================================================================
Update to Acunetix WVS 11.0.170941159 or later.


Disclosure Timeline
===============================================================================
5.1.2017: The issues have been documented and reported
6.1.2017: The issues have already been escalated to R&D
31.3.2017: Asked for update
4.4.2017: Fixed version (build 11.0.170941159) has been released
28.5.2017: Public disclosure


Florian Bogner

eMail: florian@bogner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9