DupScout Enterprise 10.0.18 BoF

Summary

Name: DupScout Enterprise 10.0.18 'sid' Buffer Overflow
Code name: Prine
Product: DupScout Enterprise
Versions: 10.0.18
Fixed versions: 13.2.24
Release date: 2020-12-15 14:00 COT

Vulnerability

Kind: Stack Buffer Overflow
Rule: 345. Establish protections against overflows
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv3 Base Score: 9.8 CRITICAL
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv2 Base Score: 10 HIGH
Exploit available: Yes
Exploit URL: https://www.exploit-db.com/exploits/49217
CVE ID(s): CVE-2020-29659

Description

A stack buffer overflow was found in the sid GET parameter of several requests of DupScout Enterprise 10.0.18. It can be exploited by an unauthenticated, remote user to gain NT AUTHORITY\SYSTEM privileges on the server hosting the affected software.
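Because the overflow is reached through an oversized sid query parameter in unauthenticated GET requests, a defender can watch for that condition in web-server or proxy logs while the upgrade is rolled out. The following detection helper is an added example written for this advisory, not code from Fluid Attacks or the vendor. The request paths (/example_path) and the sample request lines are constructed placeholders, since the advisory does not list the affected request paths, and the 64-character threshold is an assumed ceiling for a legitimate session identifier that should be tuned to the deployment.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample HTTP request lines (not taken from the advisory).
# /example_path is a placeholder: the advisory does not give the real
# DupScout request paths that carry the sid parameter.
SAMPLE_REQUEST_LINES = [
    "GET /example_path?sid=1234 HTTP/1.1",
    "GET /example_path?sid=" + "A" * 2000 + " HTTP/1.1",
    "GET /example_path?other=1 HTTP/1.1",
    "POST /example_path HTTP/1.1",
]

# Assumed maximum length of a legitimate sid value; tune per deployment.
MAX_SID_LENGTH = 64


def extract_sid(request_line):
    """Return the value of the sid query parameter in an HTTP request line,
    or None when the line has no sid parameter."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    target = parts[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = params.get("sid")
    return values[0] if values else None


def is_suspicious(request_line, max_len=MAX_SID_LENGTH):
    """True when the request carries a sid value longer than max_len,
    the shape an overflow attempt against this parameter would take."""
    sid = extract_sid(request_line)
    return sid is not None and len(sid) > max_len


def flag_requests(lines, max_len=MAX_SID_LENGTH):
    """Return (line_index, sid_length) for every request whose sid value
    exceeds max_len, so the hits can be forwarded to an alerting pipeline."""
    hits = []
    for index, line in enumerate(lines):
        if is_suspicious(line, max_len):
            hits.append((index, len(extract_sid(line))))
    return hits


if __name__ == "__main__":
    for index, length in flag_requests(SAMPLE_REQUEST_LINES):
        print(f"line {index}: sid parameter is {length} bytes long")
```

The check keys on the length of the decoded parameter value rather than on any particular payload bytes, so it does not depend on the published exploit's specifics and still catches variations of it; the cost is that the threshold must be set above the longest sid value the application legitimately issues.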

Exploit

A first version of the exploit was published on Exploit DB; an updated exploit, prine-exploit.py, is listed under References.

Mitigation

An updated version of DupScout Enterprise is available at the vendor page.

Credits

The vulnerability was discovered by Andrés Roldán from the Offensive Team of Fluid Attacks.

References

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29659

Exploit: https://www.exploit-db.com/exploits/49217

Updated exploit: prine-exploit.py

Vendor page: https://www.dupscout.com/