Multiple vulnerabilities in the LogMeIn web interface can be used to control your computer and steal arbitrary files
A month ago, I reported some severe vulnerabilities in LogMeIn software, specifically version 4.0.784. For those of you who don't know what LogMeIn is: LogMeIn is popular remote access software, in the same category as GoToMyPC and Windows RDP. It provides simple and secure access to your computers from any location on the internet, from the convenience of your web browser.
To exploit these vulnerabilities, you need to social engineer the user into clicking a URL (e.g. through a spam email) or into visiting your malicious site some other way.
The URL parameter "lang" passed to cfgadvanced.html is vulnerable to HTTP header injection using CRLF sequences. What makes this attack more interesting is that once you social engineer a user into clicking the malicious URL, you achieve persistent control over all the LogMeIn web pages.
This happens because after the injection occurs, LogMeIn stores the new value of the "lang" parameter in the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\LogMeIn\V5\Appearance\Language] and puts it in the Content-Language header every time you click any link.
The proof-of-concept URL given below can be used to steal any file on your disk, in this case your win.ini file.
To help you understand this exploit better, I am pasting the URL-decoded value of the "lang" parameter.
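To make the mechanism concrete, here is an added example (my own illustration, not LogMeIn's code) of a handler that echoes a user-controlled "lang" value into a response header with no validation, beside a hardened version. The handler, the allow-list pattern and the attacker value are constructed for this example; the point is that a single CR LF in the value lets the attacker terminate the Content-Language line and append headers and a body of their choosing.

```python
import re

CRLF = "\r\n"


def build_headers_vulnerable(lang: str) -> str:
    """Build a response header block with NO validation of `lang`.

    Because CR and LF are not rejected, a value such as
    'en\\r\\nSet-Cookie: x=1' ends the Content-Language line early and the
    rest is parsed by the browser as further headers (or, after a blank
    line, as the response body).
    """
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: text/html" + CRLF
        + "Content-Language: " + lang + CRLF
        + CRLF
    )


# Allow-list for a language tag: 2-8 letters, then optional '-' subtags.
# fullmatch() is used so a trailing newline cannot slip past a '$' anchor.
_LANG_TAG = re.compile(r"[A-Za-z]{2,8}(?:-[A-Za-z0-9]{1,8})*")


def sanitize_lang(lang: str, default: str = "en") -> str:
    """Return `lang` only if it is a well-formed tag, otherwise `default`.

    An allow-list is stronger than stripping CR/LF alone: it also rejects
    other control characters and anything that is not a language tag.
    """
    if _LANG_TAG.fullmatch(lang):
        return lang
    return default


def build_headers_hardened(lang: str) -> str:
    """Same header block, but the value is validated before emission."""
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: text/html" + CRLF
        + "Content-Language: " + sanitize_lang(lang) + CRLF
        + CRLF
    )


def parse_headers(raw: str) -> dict:
    """Minimal parser showing what a browser would see: headers and body."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"headers": headers, "body": body}


# Constructed attacker value (already URL-decoded) for a CRLF injection:
# it injects a Set-Cookie header and then a body after a blank line.
INJECTED = "en\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>"


if __name__ == "__main__":
    print(parse_headers(build_headers_vulnerable(INJECTED)))
    print(parse_headers(build_headers_hardened(INJECTED)))
```

Note where the persistence described above comes from: the raw value is stored (in the registry, in LogMeIn's case) and re-emitted on every page, so the validation has to happen before the value is stored, not only when a header is written.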
The LogMeIn web interface has no Cross-Site Request Forgery (CSRF) protection at all. An attacker can use this to make arbitrary changes to your LogMeIn system settings. Example attacks include:
a. The following URL can be used to make your machine restart every day at a particular time. Too bad if you are using LogMeIn in a production environment :(.
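As an added example of the CSRF point (my own illustration, not LogMeIn's code), here is a settings endpoint written once with no protection and once with the usual defences: state changes only over POST, an Origin check, and a per-session token compared in constant time. The session object, the request shape and the "reboot_daily" setting are hypothetical stand-ins for a settings page like the one described above.

```python
import hmac
import secrets

# Assumed origin of the legitimate web interface (hypothetical).
ALLOWED_ORIGIN = "https://example.test"


class Session:
    """Per-user session: holds the settings and a random anti-CSRF token."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)
        self.settings = {}


def handle_settings_vulnerable(session, request) -> int:
    """Apply whatever parameters arrive, regardless of method or origin.

    Any site the victim visits can trigger this request with the victim's
    cookie attached; a plain link click (a GET) is enough.
    """
    session.settings.update(request["params"])
    return 200


def handle_settings_hardened(session, request) -> int:
    """Same endpoint with the three checks a CSRF defence needs."""
    # 1. Never change state on GET: a link in a spam email is a GET.
    if request["method"] != "POST":
        return 405
    # 2. Browsers send Origin on cross-site POSTs; reject any other origin.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403
    # 3. Require the per-session token, which a foreign page cannot read.
    submitted = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403
    params = {k: v for k, v in request["params"].items() if k != "csrf_token"}
    session.settings.update(params)
    return 200


# Constructed forged request, as an attacker's page would cause the browser
# to send it: wrong origin, no token, delivered as a GET.
FORGED = {
    "method": "GET",
    "headers": {"Origin": "https://evil.test"},
    "params": {"reboot_daily": "03:00"},
}


if __name__ == "__main__":
    s = Session()
    print(handle_settings_vulnerable(s, FORGED), s.settings)
    print(handle_settings_hardened(Session(), FORGED))
```

The token check is the one that actually blocks the attack; the method and Origin checks are defence in depth that also stop the simplest link-click variant before any token logic runs.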