Message-ID: <a1e685da-07e5-4ef9-8940-c443fac38685@sec-consult.com>
Date: Tue, 21 Oct 2025 11:40:34 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20251021-0 :: Multiple Vulnerabilities in EfficientLab WorkExaminer Professional (CVE-2025-10639, CVE-2025-10640, CVE-2025-10641)
SEC Consult Vulnerability Lab Security Advisory < 20251021-0 >
=======================================================================
title: Multiple Vulnerabilities
product: EfficientLab WorkExaminer Professional
vulnerable version: <= 4.0.0.52001
fixed version: -
CVE number: CVE-2025-10639, CVE-2025-10640, CVE-2025-10641
impact: Critical
homepage: https://www.workexaminer.com
found: 2025-05-26
by: Tobias Niemann (Office Bochum)
Daniel Hirschberger (Office Bochum)
Thorger Jansen (Office Bochum)
Marius Renner (Office Berlin)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Work Examiner Professional is a solution that will help you to perform a qualitative
analysis of the usage of worktime and find the points where the efficiency of the
personnel increases. Work Examiner Professional every manager will know how the
employees' time is spent. Thus, the system shows the bottom-up pattern of the usage of
the company's time on all the necessary control levels (division->section->department)."
Source: https://www.workexaminer.com/products/professional.html
Business recommendation:
------------------------
The vendor responded to the submission of our security vulnerabilities by stating
that they are not within the scope of their bug bounty program. After telling them
that we do not care about the bug bounty but a fix for the issues, we did not
receive any further response.
Hence, there is no fix available for the identified security issues and we assume
that this product is unmaintained. We urge customers to contact EfficientLab
regarding the issues and a potential solution, such as using another product.
SEC Consult highly recommends that a thorough security review of the product be
performed by security professionals to identify and resolve potential further
security issues.
Vulnerability overview/description:
-----------------------------------
1) Usage of Hardcoded FTP Credentials (FTP Access and RCE) (CVE-2025-10639)
An unauthenticated attacker with network access to port 12304 of the WorkExaminer
server can use weak hardcoded credentials to log in to the WorkExaminer FTP server,
use that access to read or modify data and log files, and gain remote code execution
as NT Authority\SYSTEM on the server.
2) Missing Server-Side Authentication Checks (CVE-2025-10640)
An unauthenticated attacker with access to port 12306 of the WorkExaminer server
can exploit missing server-side authentication checks to bypass the login prompt
in the WorkExaminer Professional console to gain administrative access to
the WorkExaminer server and therefore all monitoring data. This includes monitored
screenshots and keystrokes of all users!
3) Unencrypted Communications (CVE-2025-10641)
All WorkExaminer Professional traffic between monitoring client, console and server
is transmitted as plain text. This allows an attacker with access to the network
to read the transmitted sensitive data. An attacker can also freely modify the data
on the wire.
Proof of concept:
-----------------
1) Usage of Hardcoded FTP Credentials (FTP Access and RCE) (CVE-2025-10639)
The WorkExaminer Professional server installation comes with an FTP
server that is used to receive the client logs. Weak hardcoded
credentials can be used to access the FTP server on port 12304 via
the network.
<FTP_access.png>
The attacker can then proceed to modify data or read any of the data stored
in the WorkExaminer installation directory (e.g.
"C:\Program File (x86)\Work Examiner Professional Server").
In addition, it is possible to rename and overwrite one of the WorkExaminer service
binaries to gain code execution on the WorkExaminer server as NT Authority\SYSTEM.
<service_binaries.png>
A Windows firewall exception is automatically created during the installation.
<firewall_exception.png>
2) Missing Server-Side Authentication Checks (CVE-2025-10640)
The WorkExaminer Professional console is used for administrative access to the
server. Before access to the console is granted administrators must login.
Internally a custom protocol is used to call a respective stored procedure on the
MSSQL database. For general authentication the following procedure is called
with the entered login name and password:
--------------------------------------------------------------------------------
PROCEDURE [dbo].[we_Logins_AuthenticateSqlLogin]
@LoginName nvarchar(256),
@Password nvarchar(128),
@Result int OUTPUT
BEGIN
IF NOT EXISTS (SELECT LoginName FROM we_Logins WHERE @LoginName = LoginName)
RETURN (-1)
DECLARE @PasswordHash varbinary(128)
SELECT @PasswordHash = PasswordHash FROM we_Logins WHERE @LoginName = LoginName
SELECT @Result = PWDCOMPARE(@Password, @PasswordHash)
END
--------------------------------------------------------------------------------
However, the return value of the call is not validated on the server side; it is
only validated client-side. A quick authentication bypass can therefore be achieved
by toggling the return value in the server response after entering wrong
credentials. For this proof of concept the global admin account "admin" was used.
<login_window.png>
The highlighted byte in the server response is set from 0 to 1.
<server_response_toggle.png>
The client now assumes that the authentication has succeeded and access is granted:
<login_bypassed.png>
It is also possible to completely patch the login from the client. This can easily be
achieved by replacing the selected instructions with nops:
<x64dbg.png>
The modified client bypasses the login regardless of the entered password:
If AD authentication is chosen during the login, the following procedure is called:
--------------------------------------------------------------------------------
PROCEDURE [dbo].[we_Logins_GetLoginByName]
@LoginName nvarchar(256)
BEGIN
SELECT
LoginId,
LoginName,
Reports,
Menus,
AuthenticationType,
IsAdmin
FROM dbo.we_Logins
WHERE @LoginName = LoginName
END
--------------------------------------------------------------------------------
In this case the return value must be replaced with the respective expected values.
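To make the design flaw concrete, here is an added Python model of the two authentication designs. It is written for this page and is not code from SEC Consult or from the vendor. A constructed in-memory account table and an `authenticate()` function stand in for `dbo.we_Logins` and `we_Logins_AuthenticateSqlLogin`; the account name, password, hash scheme, response fields and the `get_keystrokes` command are all assumptions. `VulnerableServer` behaves as the advisory describes: it hands the comparison result to the client and keeps no record of whether the login succeeded, so flipping the result on the wire (the `tamper()` helper, the 0-to-1 toggle shown above) is enough to reach monitoring data. `FixedServer` makes the decision itself and binds it to a random session token that must accompany every later request, so the same flip achieves nothing.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for dbo.we_Logins: login name -> salted password hash.
# Real WorkExaminer hashes are produced by SQL Server (PWDCOMPARE); this scheme
# is an assumption made for the demo only.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


ACCOUNTS = {"admin": _hash_password("constructed-admin-password")}


def authenticate(login_name: str, password: str) -> int:
    """Mirror of the we_Logins_AuthenticateSqlLogin contract:
    -1 = unknown login, 0 = wrong password, 1 = password matches."""
    stored = ACCOUNTS.get(login_name)
    if stored is None:
        return -1
    return 1 if hmac.compare_digest(stored, _hash_password(password)) else 0


class VulnerableServer:
    """Returns the comparison result to the client and never acts on it itself."""

    def login(self, login_name: str, password: str) -> dict:
        return {"result": authenticate(login_name, password)}

    def get_keystrokes(self, request: dict) -> str:
        # No server-side session state: any connection that asks is served.
        return "<monitoring data>"


class FixedServer:
    """Decides authentication on the server and gates every request on a session token."""

    def __init__(self) -> None:
        self._sessions: set = set()

    def login(self, login_name: str, password: str) -> dict:
        if authenticate(login_name, password) != 1:
            return {"result": 0}
        token = secrets.token_hex(16)
        self._sessions.add(token)
        return {"result": 1, "token": token}

    def get_keystrokes(self, request: dict) -> str:
        # Only a token the server itself issued unlocks data.
        if request.get("token") in self._sessions:
            return "<monitoring data>"
        return "denied"


def tamper(response: dict) -> dict:
    """The on-path change the advisory shows: the result field is set from 0 to 1."""
    forged = dict(response)
    forged["result"] = 1
    return forged


def console_session(server, login_name: str, password: str, tampered: bool = False) -> str:
    """Console client behaviour: trust the result field, then request data."""
    response = server.login(login_name, password)
    if tampered:
        response = tamper(response)
    if response["result"] != 1:
        return "login failed"
    return server.get_keystrokes({"token": response.get("token")})


if __name__ == "__main__":
    for name, cls in (("vulnerable", VulnerableServer), ("fixed", FixedServer)):
        print(name, "server, wrong password, tampered response ->",
              console_session(cls(), "admin", "wrong", tampered=True))
```

The token only defeats a forged result. On the unencrypted channel described in section 3, an on-path attacker could still copy the token of a legitimate session, so the server-side check and transport encryption are both required; one without the other leaves the console bypassable.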
3) Unencrypted Communications (CVE-2025-10641)
The monitoring clients transmit their data to the server using unencrypted FTP.
Clients connect to the FTP server on port 12304 and transmit the data in plain text:
<ftp_unencrypted.png>
In addition, all traffic between the console client and the server at port 12306
is unencrypted. The following screenshot shows keystrokes that are retrieved via
the console:
<unencrypted_console.png>
Vulnerable / tested versions:
-----------------------------
The following version, which was the latest available at the time of the test,
has been tested:
* WorkExaminer Professional 4.0.0.52001
Vendor contact timeline:
------------------------
2025-07-09: Initial mail to the vendor (support@...kexaminer.com); no response.
2025-08-22: Sent reminder mail; no response.
2025-09-16: Submitting support ticket via https://kb.controlio.net/hc/en-us/requests/new
for another advisory and including information about this one.
Vendor assigns ticket #14957, support agent forwards request to relevant
department.
EfficientLab answers that there is a bug bounty page to submit security
advisories at https://controlio.net/bug-bounty.html
2025-09-17: Submitting advisory, ticket #14997 was assigned for this advisory.
2025-10-15: Vendor responds that our submission is not eligible for bug bounty (out
of scope).
2025-10-16: Telling vendor that we don't care about the bug bounty but secure software.
Asking if a fix is being developed or not. Setting date of disclosure for
21st October. No response.
2025-10-21: Public release of advisory.
Solution:
---------
The vendor responded to the submission of our security vulnerabilities by stating
that they are not within the scope of their bug bounty program. After telling them
that we do not care about the bug bounty but a fix for the issues, we did not
receive any further response.
Hence, there is no fix available for the identified security issues and we assume
that this product is unmaintained. We urge customers to contact EfficientLab
regarding the issues and a potential solution, such as using another product.
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://x.com/sec_consult
EOF Tobias Niemann, Daniel Hirschberger, Thorger Jansen, Marius Renner / @2025
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/