EfficientLab WorkExaminer Professional Missing Server-Side Authentication Vulnerability Allowing Unauthenticated Administrative Access
Vulnerability
A vulnerability in EfficientLab WorkExaminer Professional versions through 4.0.0.52001 allows unauthenticated attackers to bypass server-side authentication checks. The flaw is exposed on TCP port 12306 of the WorkExaminer server. Exploitation grants administrative access to the WorkExaminer Professional console and, with it, all sensitive monitoring data, including screenshots and keystrokes of users. The vulnerability arises because the server does not properly validate the return values of authentication procedures: the result is checked only on the client side, so an attacker who manipulates that value gains unauthorized access.
Impact
Exploitation of this vulnerability leads to unauthorized administrative access on the WorkExaminer server, allowing access to all monitored data, including screenshots and keystrokes of users.
Reproduction
To reproduce this vulnerability, access the WorkExaminer server's TCP port 12306. The WorkExaminer Professional console requires a login, but the authentication can be bypassed. This is done by manipulating the return value of the authentication procedure, which is only validated on the client side. After bypassing the login, access is granted as an administrator.
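The root cause described above, shown as an added illustration that is not WorkExaminer code and does not model its wire protocol: a session handler that only reports the login result next to one that records it server-side and gates every later command on it. The command names, the credential store and the returned strings are hypothetical.

```python
import hashlib
import hmac

# Constructed credential store for this example (hypothetical user and password).
_SALT = b"constructed-salt"
USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def check_login(user, password):
    """Verify the password on the server with a constant-time comparison."""
    expected = USERS.get(user)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return expected is not None and hmac.compare_digest(expected, supplied)


class ClientTrustingSession:
    """Flawed design: LOGIN only reports a result; nothing is remembered."""

    def handle(self, command, *args):
        if command == "LOGIN":
            return "OK" if len(args) == 2 and check_login(*args) else "DENIED"
        if command == "GET_SCREENSHOTS":
            # No server-side state is consulted, so the outcome of LOGIN
            # matters only if the client chooses to honour it.
            return "screenshot-data"
        return "UNKNOWN"


class ServerEnforcedSession:
    """Hardened design: authentication state lives in the server session."""

    def __init__(self):
        self.authenticated = False

    def handle(self, command, *args):
        if command == "LOGIN":
            self.authenticated = len(args) == 2 and check_login(*args)
            return "OK" if self.authenticated else "DENIED"
        if not self.authenticated:
            return "DENIED"  # every non-login command is gated here
        if command == "GET_SCREENSHOTS":
            return "screenshot-data"
        return "UNKNOWN"
```

In the hardened handler the decision is made from state the client cannot alter, so a failed login leaves every privileged command denied regardless of how the client interprets the reply.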
