Laborofficefree 19.10 mysql root password calculator Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2024-03-16 | Type: local | Platform: windows
# Exploit Title: LaborOfficeFree 19.10 MySQL Root Password Calculator - CVE-2024-1346
# Google Dork: N/A
# Date: 09/02/2023
# Exploit Author: Peter Gabaldon - https://pgj11.com/
# Vendor Homepage: https://www.laborofficefree.com/
# Software Link: https://www.laborofficefree.com/#plans
# Version: 19.10
# Tested on: Windows 10
# CVE : CVE-2024-1346
# Description: LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable.
"""
After installing LaborOfficeFree in a testing lab and reversing the backup process, it is possible to determine that it creates a "mysqldump.exe" process with the root user and the password being derived from the string "hola" concatenated with "00331-20471-98465-AA370" (in this case). This appears to be the license, but it is different from the license shown in the GUI dashboard. This license has to be extracted from memory, for example by attaching a debugger and breaking in the mysqldump process (for that, admin rights are NOT needed).
Also, the app checks whether you are an admin before performing the backup and fails if the program is not running as administrator. But this check is not effective, as the app is actually calling mysqldump with a derived password. Thus, administrator rights are not needed.
Here is the disassembly piece of the procedure in LaborOfficeFree.exe responsible for calculating the root password.
The resulting number from this procedure is then negated (bitwise NOT) and cast to a signed integer. Note: the address 0x880BA4 stores a constant array of 256 DWORD entries.
005065C8 | F755 F8 | not dword ptr ss:[ebp-8] |
Running this script produces the root password of the LaborOfficeFree MySQL.
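A detection-side view of the behaviour described above, as an added example that is not part of the original exploit or the vendor's code: it flags MySQL client tools launched as root with an inline password and redacts the secret before reporting. It assumes the password is passed on the command line and that process-creation records use Sysmon-style field names; the sample events, paths and password value are constructed.

```python
import re
import shlex

MYSQL_TOOLS = {"mysqldump.exe", "mysql.exe", "mysqladmin.exe"}
# MySQL clients take an inline password as -pSECRET or --password=SECRET.
INLINE_PW = re.compile(r"^(-p|--password=)(.+)$")

# Assumption: Sysmon-style fields. Records, paths and password are constructed.
EVENTS = [
    {"Image": r"C:\Apps\Example\mysqldump.exe",
     "CommandLine": r'"C:\Apps\Example\mysqldump.exe" -u root -pEXAMPLE-ONLY --all-databases',
     "ParentImage": r"C:\Apps\Example\LaborOfficeFree.exe",
     "User": r"LAB\alice", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Apps\Example\mysqldump.exe",
     "CommandLine": r"mysqldump.exe --user=report --password=EXAMPLE-ONLY sales",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"LAB\bob", "IntegrityLevel": "High"},
]


def inspect_event(event):
    """Return a finding for a MySQL client run as root with an inline password."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in MYSQL_TOOLS:
        return None
    tokens = shlex.split(event["CommandLine"], posix=False)[1:]
    user, inline_pw, redacted = None, False, []
    for pos, tok in enumerate(tokens):
        match = INLINE_PW.match(tok)
        if match:
            inline_pw, tok = True, match.group(1) + "<redacted>"
        elif tok == "-u" and pos + 1 < len(tokens):
            user = tokens[pos + 1]
        elif tok.startswith("--user="):
            user = tok[len("--user="):]
        elif tok.startswith("-u") and len(tok) > 2:
            user = tok[2:]
        redacted.append(tok)
    if not inline_pw or user != "root":
        return None
    return {"parent": event["ParentImage"].rsplit("\\", 1)[-1],
            "user": event["User"],
            "elevated": event["IntegrityLevel"] in ("High", "System"),
            "cmdline": " ".join(redacted)}


def scan(events):
    """Collect findings; the password itself is never echoed."""
    return [f for f in map(inspect_event, events) if f]
```

A finding with `elevated` set to false corresponds to the case the description highlights, where the backup path runs without administrator rights.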