CVE-2018-6569 – WEST WIND WEB SERVER UNAUTHENTICATED ADMIN ACCESS AND PROCESS EXECUTION/TERMINATION

A vulnerability is a mistake, exposure, misconfiguration or weakness in software code or systems that can allow an attacker to compromise, access, damage or otherwise perform unintended actions on an affected system or network.

DFDR continually researches systems and software to expose vulnerabilities and encourages organizations to improve their security through disclosure and coordination. Research findings and exposures are disclosed publicly for the purposes of public awareness and remediation. Vendors and clients are typically made aware of these issues when discovered, coordinating on public disclosure when appropriate.

Many of these are discovered during the course of an engagement with our clients. DFDR’s security team regularly performs penetration tests, web application assessments and security review for a wide range of industries, clientele and organizations. Results of these assessments are vetted and findings are confidential.

Public disclosure typically takes place when a third-party component is publicly distributed, affects a large number of organizations and the discovery or exploit has been communicated to the affected organization. Direct engagement results and findings are not released unless the affected organization requests it.

# Exploit Title: West Wind Web Server
# Date: 1/31/18
# Exploit Author: Ken Pyle, DFDR Consulting
# consult@dfdrconsulting.com
# Vendor Homepage: https://west-wind.com/
#
# Version: >v6.8
# Tested on: IIS/Windows Server
# CVE : CVE-2018-6569

This vulnerability has been reference checked against multiple installs.
This configuration was identical across all systems tested.

The webserver is vulnerable to process execution and termination, significant information disclosure, denial of service and system level compromise.

The webpage /ADMIN.ASP is available to an unauthenticated user.

This page provides access to numerous server tasks and privileged operations, allowing a remote attacker to access critical functions.

This page also displays sensitive information and data on system processes, files, configurations, service workers/accounts, PIDS, and other privileged data.

/admin.asp?ProcessId=

The processid parameter allows a remote attacker to kill processes from the webpage, affecting availability, integrity and security of the server.

This parameter can be brute forced with numerical values to kill processes on the server based on PID.

The Script mode function provides access to

/wconnect/wc.dll?

Which is a known vulnerable function which can allow for compromise of the target host. Numerous other links on the page execute functions leveraging this vulnerability.

The upload function on this page, in certain deployment scenarios, can allow for unauthenticated upload of content to the webserver.

Remediation:

Remove the affected page from the server immediately.
Apply vendor patch when released.

Vulnerability Discovered: 1/30/18

Vendor Notified: 2/1/18

Website: www.dfdrconsulting.com

This vulnerability was discovered by consult@dfdrconsulting.com. Please credit the author in all references to this exploit.