The FOG application stores credentials in a permissive file that is accessible to all users on the server.
The application stores plaintext service account credentials in the "/opt/fog/.fogsettings" file. This file is by default readable by all users on the host. By exploiting these credentials, a malicious user could create new accounts for the web application and much more.
mysql -h localhost -u fogmaster -p fog
INSERT INTO users (uName, uPass, uCreateDate, uCreateBy, uType, uDisplay, uAllowAPI, uAPIToken) VALUES ('newuser', '<PASSWORD_HASH>', NOW(), 'fog', 0, '', 1, '<APIKEY>');
There will be a newly created user to access the web application.
Anyone with local access to the system can compromise the application by abusing weak file permissions.
0x41c Coordinator
Summary
The FOG application stores credentials in a permissive file that is accessible to all users on the server.
Details
The application stores plaintext service account credentials in the "/opt/fog/.fogsettings" file. This file is by default readable by all users on the host. By exploiting these credentials, a malicious user could create new accounts for the web application and much more.
PoC
Connect to the database and add a new user:
There will be a newly created user to access the web application.
Impact
Anyone with local access to the system can compromise the application by abusing weak file permissions.