# DupScout Enterprise 10.0.18 BoF

## Summary

| | |
|---|---|
| Name | DupScout Enterprise 10.0.18 'sid' Buffer Overflow |
| Code name | Prine |
| Product | DupScout Enterprise |
| Versions | 10.0.18 |
| Fixed versions | 13.2.24 |
| Release date | 2020-12-15 14:00 COT |

## Vulnerability

| | |
|---|---|
| Kind | Stack Buffer Overflow |
| Rule | 345. Establish protections against overflows |
| Remote | Yes |
| CVSSv3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSSv3 Base Score | 9.8 CRITICAL |
| CVSSv2 Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| CVSSv2 Base Score | 10 HIGH |
| Exploit available | Yes |
| Exploit URL | https://www.exploit-db.com/exploits/49217 |
| CVE ID(s) | CVE-2020-29659 |
## Description

A stack buffer overflow was found in the `sid` GET parameter of several requests of DupScout Enterprise 10.0.18. It can be exploited by an unauthenticated, remote user to gain NT AUTHORITY\SYSTEM privileges on the server hosting the affected software.
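Because the overflow is triggered through the `sid` query parameter of unauthenticated GET requests, a web-server access log is a practical place to spot exploitation attempts against an unpatched 10.0.18 install. The following is an added example (not part of the advisory or of the vendor's software) that scans Common Log Format lines for GET requests whose `sid` value is implausibly long. The length threshold `SID_MAX_LEN`, the log lines and the request paths are constructed assumptions for illustration; the advisory does not state the exact overflow size or the affected endpoints, so the check is deliberately not tied to a particular path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Length above which a `sid` value is treated as suspicious. Assumed value
# for illustration only; the advisory does not give the exact overflow size.
SID_MAX_LEN = 256

# Constructed sample access-log lines (Common Log Format). The second line
# carries an oversized `sid` value (1200 bytes) and a 500 response, the kind
# of trace a crashed request handler would leave behind. Not real log data.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2020:14:00:01 -0500] "GET /login?sid=abc123 HTTP/1.1" 200 512
10.0.0.7 - - [15/Dec/2020:14:00:02 -0500] "GET /login?sid={0} HTTP/1.1" 500 0
10.0.0.9 - - [15/Dec/2020:14:00:03 -0500] "POST /settings HTTP/1.1" 200 128
""".format("A" * 1200)

# Minimal CLF parser: source, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def sid_length(target):
    """Return the length of the longest `sid` query value in a request
    target, or None when the request carries no `sid` parameter.
    parse_qs percent-decodes values, so the length is of the decoded bytes
    the application would actually copy into its buffer."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = qs.get("sid")
    if not values:
        return None
    return max(len(v) for v in values)


def find_oversized_sid(log_text, max_len=SID_MAX_LEN):
    """Scan access-log text and return one record per GET request whose
    `sid` value exceeds max_len, regardless of the request path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        n = sid_length(m.group("target"))
        if n is not None and n > max_len:
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "sid_len": n,
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in find_oversized_sid(SAMPLE_LOG):
        print("suspicious sid from {src} at {ts}: {sid_len} bytes, "
              "status {status}".format(**hit))
```

A hit followed by a 5xx status or a service restart is a stronger indicator than the length alone; in either case the remediation is the same, upgrading to the fixed version listed in the summary.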
## Exploit

A first version of the exploit was published at Exploit DB, and an updated exploit (prine-exploit.py) is listed in the references below.
## Mitigation

An updated version of DupScout Enterprise is available at the vendor page.

## Credits

The vulnerability was discovered by Andrés Roldán from the Offensive Team of Fluid Attacks.

## References

- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29659
- Exploit: https://www.exploit-db.com/exploits/49217
- Updated exploit: prine-exploit.py
- Vendor page: https://www.dupscout.com/