Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtGiuseppe D'Amore1337DAY-ID-22782
HistoryOct 23, 2014 - 12:00 a.m.

Filemaker Login Bypass and Privilege Escalation Vulnerability

2014-10-2300:00:00
Giuseppe D'Amore
0day.today
25

0.002 Low

EPSS

Percentile

56.2%

JSON

Filemaker Login Bypass and Privilege Escalation

[ADVISORY INFORMATION]
Title: Filemaker Login Bypass and Privilege Escalation
Discovery date: 19/10/2014
Release date: 19/10/2014
Vendor Homepage: www.filemaker.com
Version: Filemaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4
Credits: Giuseppe D’Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)
CVE-ID: CVE-2014-8347
[VULNERABILITY INFORMATION]
Class: Authentication Bypass and Privilege Escalation
Category: Desktop Application
Severity: High
CVSS v2 Vector: 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C
[AFFECTED PRODUCTS]
This security vulnerability affects:
* FileMaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4
[VULNERABILITY DETAILS]
There is a obvious vulnerability of FileMaker that allow access to the local FM-based database file:
On DBEngine dll, there is a function called MatchPasswordData:



5BB8D53A C68424 74020000 >MOV BYTE PTR SS:[ESP+274],0
5BB8D542 FF15 D437D25B CALL DWORD PTR DS:[<&[email protected]@@[email protected]>] <– Compute the password’s hash.
5BB8D548 8B8C24 6C020000 MOV ECX,DWORD PTR SS:[ESP+26C]
5BB8D54F 5F POP EDI
5BB8D550 5E POP ESI
5BB8D551 8AC3 MOV AL,BL <– if AL is 0 then you are not authenticated else if AL is 1 you are authenticated,
so simply by changing a single bit you are able to bypass the login,
also if your username is Admin, you can obtain a privilege escalation and full permissions on DB.
5BB8D553 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
5BB8D55A 5B POP EBX
5BB8D55B 8BE5 MOV ESP,EBP
5BB8D55D 5D POP EBP
5BB8D55E C2 0400 RETN 4



it doesn’t matter if your desktop or mobile application is developed in a “secure manner”, your confidential data on the database can be accessed.
[DISCLOSURE TIME-LINE]
* 19/10/2014 - Initial vendor contact.
[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user’s own risk. This information is subject to change without notice.

Filemaker Login Bypass and Privilege Escalation
=======================================================================

[ADVISORY INFORMATION]

Title:    		Filemaker Login Bypass and Privilege Escalation
Discovery date: 	19/10/2014
Release date:   	19/10/2014
Vendor Homepage: 	www.filemaker.com
Version:		Filemaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4
Credits:        	Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)
CVE-ID:			CVE-2014-8347
 
[VULNERABILITY INFORMATION]

Class:           	Authentication Bypass and Privilege Escalation
Category:		Desktop Application
Severity:		High
CVSS v2 Vector:         7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C			

[AFFECTED PRODUCTS]

This security vulnerability affects:

	* FileMaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4

[VULNERABILITY DETAILS]

There is a obvious vulnerability of FileMaker that allow access to the local FM-based database file:
On DBEngine dll, there is a function called MatchPasswordData:

	...
	...
	...
	5BB8D53A   C68424 74020000 >MOV BYTE PTR SS:[ESP+274],0
	5BB8D542   FF15 D437D25B    CALL DWORD PTR DS:[<&[email protected]@@[email protected]>]  <-- Compute the password's hash.
	5BB8D548   8B8C24 6C020000  MOV ECX,DWORD PTR SS:[ESP+26C]
	5BB8D54F   5F               POP EDI
	5BB8D550   5E               POP ESI
	5BB8D551   8AC3             MOV AL,BL			<-- if AL is 0 then you are not authenticated else if AL is 1 you are authenticated,
 								    so simply by changing a single bit you are able to bypass the login,
								    also if your username is Admin, you can obtain a privilege escalation and full permissions on DB.
	5BB8D553   64:890D 00000000 MOV DWORD PTR FS:[0],ECX
	5BB8D55A   5B               POP EBX
	5BB8D55B   8BE5             MOV ESP,EBP
	5BB8D55D   5D               POP EBP
	5BB8D55E   C2 0400          RETN 4
	...
	...
	...


it doesn't matter if your desktop or mobile application is developed in a "secure manner", your confidential data on the database can be accessed.

[DISCLOSURE TIME-LINE]

    * 19/10/2014 - Initial vendor contact.
 
[DISCLAIMER]

The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.

#  0day.today [2018-04-12]  #

Related

prion 1
cve 1
nvd 1
zdt 1
packetstorm 1
cvelist 1
prion
prion
Authentication flaw
2020-02-11 14:15:00
cve
cve
CVE-2014-8347
2020-02-11 14:15:17
nvd
nvd
CVE-2014-8347
2020-02-11 14:15:17
zdt
zdt
Filemaker Pro 13.03 & Advanced 12.04 - Login Bypass and Privilege Escalation
2014-10-29 00:00:00
packetstorm
packetstorm
Filemaker Login Bypass / Privilege Escalation
2014-10-27 00:00:00
cvelist
cvelist
CVE-2014-8347
2020-02-11 13:36:37

0.002 Low

EPSS

Percentile

56.2%

JSON
Related for 1337DAY-ID-22782
prion1cve1nvd1zdt1packetstorm1cvelist1