Hardcoded key creates zero-day RCE vulnerability
UPDATED An unpatched remote code execution (RCE) vulnerability in MyLittleAdmin creates a ready mechanism for unauthenticated attackers to assault hosting environments.
MyLittleAdmin (MLA) is a web-based management tool tuned to the hosting industry and marketed by MyLittleTools.
Although product development appears to have been discontinued (with no new releases since 2013), it is still being offered on the company website and as a component of Plesk, a popular web hosting control panel.
Details of the vulnerability, discovered by a security researcher who wishes to remain anonymous, were released by SSD, which runs a secure disclosure program.
Pretty big zero-day
The flaw in MyLittleAdmin stems from a reliance on default credentials, according to an advisory from SSD.
“MyLittleAdmin utilizes a hardcoded machineKey for all installations, this value is kept in the file: C:\Program Files (x86)\MyLittleAdmin\web.config,” SSD’s advisory explains.
“An attacker having this knowledge can then serialize objects that will be parsed by the ASP code used by the server as if it were MyLittleAdmin’s serialized object. This allows an attacker to execute commands on the remote server.”
Even though MyLittleAdmin is no longer being actively developed, the technology is still widely used, SSD told The Daily Swig.
“MLA still has thousands of active users,” a representative of SSD explained.
“Moreover, I would like to emphasize the more serious issue here is that the product is still being distributed and offered as part of the Plesk package although no support is available since 2013.”
Going public
MyLittleAdmin version 3.8 is confirmed as vulnerable. Older versions may also be exploitable, but this is unconfirmed.
SSD went public with an advisory and proof-of-concept exploit against MyLittleAdmin only after failing to get a response from its developers, MyLittleTools.
The Daily Swig approached both MyLittleTools and Plesk for comment.
A representative of MyLittleTools told The Daily Swig that it was up to users to delete the testing account that gave rise to the security issue with its products.
“The machineKey located in the web.config file is given as an example and can/should be changed by [the] IIS administrator,” they explained.
Although we’ve been unable to get a response from the researcher who discovered the flaw, other experts tell us that MyLittleAdmin remains hackable by default, but if “anyone gets hacked it’s the end-user’s fault for not editing a config file”.
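For administrators who want to check their own estate, here is an added example (not code from SSD, MyLittleTools or Plesk) that reads web.config files collected from several servers, flags any that pin a static machineKey, and groups hosts whose keys are identical, which is the condition the advisory describes. The host names and key values are constructed samples, and the function names are this example's own.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

def _cfg(machine_key_xml):
    # Wrap a machineKey element in a minimal web.config skeleton.
    return f"<configuration><system.web>{machine_key_xml}</system.web></configuration>"

# Constructed samples keyed by hypothetical host name. The key values are made up
# for this example; they are not the key shipped with MyLittleAdmin.
SHARED = '<machineKey validationKey="AA11AA11AA11AA11" decryptionKey="BB22BB22BB22BB22" validation="SHA1" />'
SAMPLES = {
    "host-a": _cfg(SHARED),
    "host-b": _cfg(SHARED),
    "host-c": _cfg('<machineKey validationKey="CC33CC33CC33CC33" decryptionKey="DD44DD44DD44DD44" />'),
    "host-d": _cfg('<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />'),
    "host-e": _cfg(""),
}

def classify(config_xml):
    """Return (status, fingerprint) for one web.config document."""
    node = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if node is None:
        return ("absent", None)  # no explicit key: ASP.NET generates one per machine
    keys = [node.get("validationKey", "AutoGenerate"),
            node.get("decryptionKey", "AutoGenerate")]
    if all(k.startswith("AutoGenerate") for k in keys):
        return ("autogenerate", None)
    # Report a truncated SHA-256 so the audit output never contains the key itself.
    return ("static", hashlib.sha256("|".join(keys).encode()).hexdigest()[:16])

def audit(configs):
    """Map each static-key fingerprint to the sorted list of hosts using it."""
    by_key = defaultdict(list)
    for host in sorted(configs):
        status, fingerprint = classify(configs[host])
        if status == "static":
            by_key[fingerprint].append(host)
    return dict(by_key)

def reused_keys(configs):
    """Fingerprints found on more than one host, i.e. keys that are not unique."""
    return {fp: hosts for fp, hosts in audit(configs).items() if len(hosts) > 1}

if __name__ == "__main__":
    for fp, hosts in audit(SAMPLES).items():
        label = "REUSED" if len(hosts) > 1 else "unique"
        print(f"{fp}  {label}: {', '.join(hosts)}")
```

A fingerprint that appears on more than one host, or that matches the value in the vendor's stock web.config, marks an installation whose key should be replaced with a freshly generated one.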
This story has been edited to add comment from MyLittleTools