CVE-2020-13166
📋 TL;DR
CVE-2020-13166 is a critical remote code execution vulnerability in the MyLittleAdmin 3.8 management tool caused by a hardcoded machineKey in web.config. Because the key is known, attackers can forge ViewState that ASP.NET deserializes, executing arbitrary code without authentication. All installations running the vulnerable version are affected.
💻 Affected Systems
- MyLittleAdmin
📦 What is this software?
MyLittleAdmin, a web-based management tool by MyLittleTools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal data, deploy ransomware, or pivot to other systems.
Likely Case
Remote code execution leading to data theft, installation of backdoors, or use as an initial access point for further attacks.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and monitoring are in place to detect exploitation attempts.
🎯 Exploit Status
Multiple public exploit scripts and detailed technical write-ups are available. Exploitation requires sending specially crafted ViewState data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9 or later
Vendor Advisory: https://www.mylittleadmin.com/en/support/security-advisories
Restart Required: Yes
Instructions:
1. Download MyLittleAdmin 3.9 or later from the official vendor site.
2. Back up the current installation and configuration.
3. Install the updated version following the vendor instructions.
4. Restart IIS or the application pool.
5. Verify that the machineKey is no longer hardcoded in web.config.
🔧 Temporary Workarounds
Remove or Restrict Access (Windows)
- Disable or remove MyLittleAdmin from production systems if it is not essential
- Remove the MyLittleAdmin directory from the web server
Network Segmentation (all platforms)
- Restrict network access to MyLittleAdmin instances
- Configure firewall rules to allow only trusted IP addresses to reach the MyLittleAdmin port
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IP addresses only
- Deploy web application firewall (WAF) with rules to block ViewState deserialization attacks
🔍 How to Verify
Check if Vulnerable:
Check the web.config file for a hardcoded machineKey value. If a machineKey is present with fixed keys (rather than AutoGenerate) and is identical across installations, the system is vulnerable.
Check Version:
Check version.txt in the MyLittleAdmin installation directory, or view the About page in the web interface.
Verify Fix Applied:
Verify that web.config no longer contains a hardcoded machineKey and that the MyLittleAdmin version is 3.9 or later.
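The two checks above (a fixed machineKey in web.config, and the same key reappearing across installations) can be automated. The following is an added example written for this page, not code from the vendor or from any advisory; the three web.config samples are constructed, and the key values in them are placeholders, not the real vendor key.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a vendor-shipped config with a fixed (placeholder) key pair.
PLACEHOLDER_KEY = "0123456789ABCDEF" * 4  # placeholder, NOT the real MyLittleAdmin key
STATIC_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{PLACEHOLDER_KEY}" decryptionKey="{PLACEHOLDER_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: keys generated per machine, the safe setting.
FIXED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

# Constructed sample: no machineKey element at all (ASP.NET then auto-generates).
NO_KEY_CONFIG = "<configuration><system.web/></configuration>"


def static_machine_key(web_config_xml):
    """Return {'validationKey', 'decryptionKey'} when web.config pins fixed key
    material; return None when there is no machineKey or both are AutoGenerate."""
    root = ET.fromstring(web_config_xml)
    for section in root.iter("system.web"):
        mk = section.find("machineKey")
        if mk is None:
            continue
        vk = mk.get("validationKey", "AutoGenerate")
        dk = mk.get("decryptionKey", "AutoGenerate")
        if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
            return None
        return {"validationKey": vk, "decryptionKey": dk}
    return None


def shared_keys(configs):
    """Given {install_name: web_config_xml}, return the validationKey values that
    appear in more than one installation: the 'identical across installs' signal."""
    counts = Counter()
    for xml in configs.values():
        found = static_machine_key(xml)
        if found:
            counts[found["validationKey"]] += 1
    return {key for key, n in counts.items() if n > 1}
```

Run static_machine_key over each server's web.config after patching; a None result on every host, and an empty set from shared_keys, is the "fix applied" state described above.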
📡 Detection & Monitoring
Log Indicators:
- Unusual ViewState payloads in IIS logs
- Failed deserialization attempts
- Unexpected process creation from w3wp.exe
Network Indicators:
- HTTP POST requests with large or malformed ViewState parameters to MyLittleAdmin endpoints
- Unusual outbound connections from web server
SIEM Query:
source="IIS" AND (uri_path="*mylittleadmin*" AND http_method="POST" AND content_length>10000)
🔗 References
- http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html
- https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/