Kloxo HostInABox 575 - Unprivileged port use

DESCRIPTION
By default, Kloxo / Lxadmin uses multiple unprivileged ports (ports above 1024, which any local user can bind): 7776, 7777, 7778, and 7779. If a service responsible for those ports (kloxo.httpd and kloxo.exe) stops listening on them, a local user can bind to a port, preventing Kloxo from using it until it is freed.

Note: not all ports were tested. This was tested simply by 1) stopping kloxo, 2) listening on port 7777, and 3) attempting to restart kloxo.

Kloxo did not attempt to reclaim the port. 7777/7778 are Kloxo's login ports, so a local user holding one of them could serve an authentic-looking login page and capture the username and password of the next person who attempts to log in.
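One way an administrator can detect this condition before restarting Kloxo is to check who owns the LISTEN sockets on the Kloxo ports. The following script is an added example, not part of the advisory or of Kloxo itself; it parses a /proc/net/tcp dump (a constructed sample is embedded) and assumes Kloxo's own listeners run as root (uid 0), which is a parameter, not something the advisory states.

```python
# Kloxo / Lxadmin ports named in the advisory.
KLOXO_PORTS = {7776, 7777, 7778, 7779}
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp. Port numbers are hex: 1E61 = 7777, 1E62 = 7778, 0016 = 22.
#   sl 0: Kloxo listener on 7777 owned by root
#   sl 1: listener on 7778 owned by uid 1001 (a local user who grabbed the port)
#   sl 2: sshd on 22 owned by root (unrelated, must be ignored)
#   sl 3: an ESTABLISHED connection to 7777, not a listener (must be ignored)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1E61 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1E62 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1E61 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1001        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Yield (port, uid, inode) for every LISTEN socket in a /proc/net/tcp(6) dump."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if state != TCP_LISTEN:
            continue
        # The port is the hex value after the colon; this also works for the
        # 32-hex-digit addresses in /proc/net/tcp6.
        port = int(local_addr.split(":")[1], 16)
        yield port, int(uid), int(inode)


def find_hijacked_ports(text, expected_uid=0, ports=KLOXO_PORTS):
    """Return {port: uid} for Kloxo ports whose LISTEN socket is not owned by expected_uid.

    expected_uid=0 assumes the Kloxo services run as root; adjust if they do not.
    """
    return {port: uid for port, uid, _inode in parse_proc_net_tcp(text)
            if port in ports and uid != expected_uid}


if __name__ == "__main__":
    # On a live host, read the real table instead of the constructed sample.
    with open("/proc/net/tcp") as f:
        for port, uid in sorted(find_hijacked_ports(f.read()).items()):
            print(f"WARNING: port {port} is held by uid {uid}, not by Kloxo; do not restart until freed")
```

Run it before restarting Kloxo; any warning means a local user already holds one of the login ports and a restart would fail or leave users talking to the impostor listener.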

IMPACT

Local users could obtain users' usernames and passwords as they attempted to log in.