MineAdmin Insecure Permissions Vulnerability Allowing Account Takeover and Remote Code Execution
Vulnerability
MineAdmin versions prior to 3.x enforce insecure permissions on the scheduled tasks feature: a task definition is executed on the server as an arbitrary command, so any account that can create and run tasks can obtain remote code execution. The exploit chain starts with taking over the superAdmin account, either by logging in with unchanged default credentials or by brute-forcing its password. With that access, the attacker opens the 'Tools' section, selects 'Scheduled Tasks', adds a new task whose definition carries a malicious payload, and executes it; the task runs the payload, yielding remote code execution.
Impact
Successful exploitation gives the attacker remote code execution on the server hosting MineAdmin, with the privileges of the MineAdmin application process. Because the entry point is the superAdmin account, it also amounts to full administrative takeover of the application itself.
Reproduction
To reproduce, log into MineAdmin with superAdmin credentials (the default ones, if they have never been changed). Go to 'Tools', then 'Scheduled Tasks'. Add a new scheduled task and place the malicious payload in the task definition. Save the task and execute it; the payload runs on the server, which demonstrates the remote code execution. The advisory scopes the flaw to versions prior to 3.x, so checking the installed version and confirming that the superAdmin password is not the default are the two quickest triage steps.
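The root cause described above is a scheduled-task runner that treats an admin-supplied string as a command. The following PHP (MineAdmin's language) is an added illustration of the vulnerable pattern beside a hardened one; it is not MineAdmin's own code. The names runTaskUnsafe, TaskRegistry and rotate_logs, and the task rows at the bottom, are constructed for the example.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (constructed, not MineAdmin's code): the "target" string
// stored with the task is handed straight to a shell. Once superAdmin is
// compromised, that string is attacker-controlled, which is the RCE described
// in the advisory.
function runTaskUnsafe(array $task): string
{
    return (string) shell_exec($task['target']);
}

// Hardened pattern: a task may only name a handler registered in code, and its
// parameters travel as data to that handler. No user-controlled text ever
// reaches a command line, so an admin-level account cannot turn the scheduler
// into a shell.
final class TaskRegistry
{
    /** @var array<string, callable(array): string> */
    private array $handlers = [];

    public function register(string $name, callable $handler): void
    {
        // Handler names are short identifiers; anything shell-like is rejected
        // at registration time, not at run time.
        if (!preg_match('/^[a-z][a-z0-9_]{0,63}$/', $name)) {
            throw new InvalidArgumentException("bad handler name: $name");
        }
        $this->handlers[$name] = $handler;
    }

    public function run(array $task): string
    {
        $name = $task['handler'] ?? '';
        if (!is_string($name) || !isset($this->handlers[$name])) {
            throw new RuntimeException('unknown task handler: ' . var_export($name, true));
        }
        $params = $task['params'] ?? [];
        if (!is_array($params)) {
            throw new RuntimeException('task params must be an array');
        }
        return ($this->handlers[$name])($params);
    }
}

$registry = new TaskRegistry();

// One allowlisted handler. It validates its own parameters and does not build
// a command string from them.
$registry->register('rotate_logs', function (array $p): string {
    $days = filter_var(
        $p['keep_days'] ?? 7,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 365]]
    );
    if ($days === false) {
        throw new RuntimeException('keep_days must be an integer between 1 and 365');
    }
    return "would prune logs older than $days days";
});

// Constructed task rows: the first mimics the advisory's malicious payload,
// the second is a legitimate task.
$malicious  = ['handler' => 'id; cat /etc/passwd', 'params' => []];
$legitimate = ['handler' => 'rotate_logs', 'params' => ['keep_days' => 30]];

try {
    $registry->run($malicious);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'ran: ', $registry->run($legitimate), PHP_EOL;
```

The hardened design removes the capability rather than gating it behind a role check: even a fully compromised superAdmin can only pick from handlers that already exist in the codebase. That is the property to look for when reviewing any admin panel's "run a job" feature, and it is independent of whether the default credentials were ever rotated.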
