itech iLabClient Cleartext Credentials Exposure Vulnerability

Vulnerability

A vulnerability in itech iLabClient version 3.7.1 allows local attackers to access cleartext credentials stored in the local iLabClient database. The vulnerability arises because the CONFIGS table contains unencrypted passwords for servers configured in the client. Exploitation requires establishing a connection to the local Apache Derby database used by iLabClient.

Impact

Successful exploitation of this vulnerability allows local attackers to read unencrypted passwords for servers configured in iLabClient, potentially leading to unauthorized access or actions on those servers.

Reproduction

To reproduce this vulnerability, access the local iLabClient database, which uses Apache Derby. Once connected, execute a SQL query that selects the 'EINSTELLUNGEN' column from the 'configs' table. The result reveals the configuration data, including cleartext passwords. Alternatively, the provided 'get_configs.sh' script can be used to automate this process. The script must be run while no other program is accessing the database, because an embedded Apache Derby database can be opened by only one process at a time.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.