[Full-disclosure] Empirum Password Obfuscation Design Flaw
# Vuln Title: Empirum Password Obfuscation Design Flaw
# Date: 20.12.2012
# Author: otr
# Software Link: http://www.matrix42.com/products/workplace-automation-empirum/
# Version: 14.0
# Tested on: Windows
# CVE : To be assigned
# Risk: medium
# Type: Privilege Escalation
# Vendor: Matrix42
# STATUS: final

Timeline:
2012-12-20 Flaw Discovered
2013-01-08 Vendor contacted
2013-01-14 Vendor contacted (again)
2013-02-08 Vendor contacted (again)
2013-02-13 No response from vendor
2013-02-13 Public disclosure

Summary:
The Empirum software from Matrix42 is prone to a trivial password recovery attack that allows users to obtain passwords encrypted with the EmpCrypt.exe.

Context:
Empirum is a product that features software management and OS installation over the network. For the network installation feature Empirum uses a combination of bootp/tftp (PXE) and smb (or http/https). The Empirum server serves two hidden shares via SMB. These are EMPINST$ and CONFIGURATOR$. The two shares contain OS images, software management files and configuration files. The Empirum agent, which is installed on the client workstations, uses these configuration files in order to install the operating system, configure it and manage the workstation (e.g. install patches).

Design Flaw:
The Empirum ini configuration files on the CONFIGURATOR$ share, which define several settings used by the Empirum Agent, also define passwords for use in Empirum. These are the following: SETUP, MD5, EIS and SYNC. The MD5 password is an unsalted raw MD5 hash of the password. The SETUP, EIS, and SYNC passwords use other obfuscation methods. The SETUP, EIS, and SYNC passwords can be prepared by the Empirum Administrator using the EmpCrypt.exe tool, which is part of Empirum. It was found that sometimes all of the four password values in the configuration file are an obfuscation of the same password (it was not verified if this is always the case).
The SETUP password uses a kind of obfuscation that can easily be deobfuscated using a modified EmpCrypt.exe tool. The hashing algorithms of the SETUP/EIS and SYNC passwords were not analyzed in detail, but apparently SETUP and EIS passwords are hashed passwords. For different input values they have a constant length output value. It was not verified if cryptographically secure hashing algorithms are used. SETUP passwords are not hashes (the length of the SETUP values is variable) but some form of encoding. The EmpCrypt.exe tool already contains functionality to decrypt SETUP passwords which is not exposed via the command line interface. Using reverse engineering and binary patching it is possible to create a version of EmpCrypt.exe that decodes SETUP passwords. There may be simpler ways to achieve this, e.g. an undocumented command line parameter.

The decoded password can be used by an attacker to perform various attacks inside a Windows domain, such as pass the hash to other systems or privilege escalation. It may also disclose internal password policies or password creation patterns that allow the attacker to perform further password cracking.

Example:
Empcrypt.exe /SETUP ABC - copies password *YZXZ into clipboard
EmpDecrypt.exe /SETUP *YZXZ - copies ABC into clipboard

Empcrypt to EmpDecrypt binary patch:
EmpDecrypt.exe is a patched EmpCrypt.exe at the following code:

loc_4020FB:
    mov esi, 0Fh
    mov [ebp+var_1C], esi
    mov [ebp+var_20], ebx
    [...]
    cmp [ebp+var_4F], bl
    jnz loc_402284    - in the original code this was jz

Or in hex encoding:

# diff (xxd -c 16 EmpCrypt.exe) (xxd -c 16 EmpDecrypt.exe)
0001510: 45fc 01e8 5815 385d b10f 8463 0100 E...X...8]...c..
---
0001510: 45fc 01e8 5815 385d b10f 8563 0100 E...X...8]...c..

Fix:
In a Windows environment, Active Directory and the domain structure (Kerberos) may be used in order to handle authentication and avoid storing weakly obfuscated passwords accessible to workstations.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] PcwRunAs Password Obfuscation Design Flaw
# Vuln Title: PcwRunAs Password Obfuscation Design Flaw
# Date: 26.03.2012
# Author: Christian Landström, otr
# Software Link: http://www.pcwelt.de/downloads/pcwRunAs-1215998.html
# Version: = 0.4
# Tested on: Windows
# CVE : CVE-2012-1793
# Risk: high
# Type: Privilege Escalation
# Vendor: PC-Welt

Timeline:
2012-03-19 Vendor contacted
2012-03-19 Vendor response
2012-03-19 CVE number requested
2012-03-20 CVE number assigned
2012-03-26 Public disclosure

Summary:
The PcwRunAs software available from the PC-Welt website is prone to a trivial password recovery attack that allows local users to obtain passwords encrypted with the pcwRunAsGui.exe.

Context:
PcwRunAs is a substitute for the RunAs tool included in the Windows operating system. The tool allows commands to be run in a different user context. Usually this is used to execute commands that only higher privileged users are allowed to run (like administrative or maintenance tasks). Included in the PcwRunAs package is a tool called pcwRunAsGui which features the creation of batch scripts that contain an encrypted version of the command line arguments. This is used to hide the password information from ordinary users that have access to the batch script but should not know the administrator password. Currently two versions of the tool are used in the wild. These are versions 0.3 and 0.4.

Design Flaw:
Both the PcwRunAsGui and the PcwRunAs tool share a common encryption key. By design it is impossible to have PcwRunAs decrypt the string produced by PcwRunAsGui without also giving an attacker who wants to decrypt the cipher text access to the key. Hence the encryption key is embedded in the binaries of both tools. This allows an attacker to reverse engineer the static encryption key from the available binaries. The encryption key is derived from a RIPEMD-160 hash (160 bits) that serves as initialization for the Blowfish encryption algorithm.
This RIPEMD-160 hash is static for each version of the pcwrunas tool as it is simply a hash sum of the pcwRunAs.exe executable file. The plain text command line arguments get Blowfish-ECB encrypted with the static RIPEMD-160 hash and the result is encoded in base64, e.g. in version 0.3:

/u admin /p test1234 /app C:\WINNT\NOTEPAD.EXE

Becomes, encrypted with Blowfish and base64 encoded:

pEmoTVE5jk9r8X1An1CeuVU9yTOVN0SNG7XUZkec+/udmzjTvMOUyk2OofUkMNk/2y7KJkY=

As the string is Blowfish ECB(!) encrypted it is possible to brute force a given base64 string by hand, systematically trying different inputs for the pcwrunasgui tool and trying to reproduce the encrypted string one wants to decipher.

By reverse engineering the binaries it is possible to extract the static RIPEMD-160 hash that is used for encryption and write a tool that takes the encrypted base64 string and decrypts it using the static RIPEMD-160 hash (different in version 0.3 and 0.4).

Version 0.4 features a protection mechanism that salts the encryption key with the hard disk serial number. However, this feature is not widely used by enterprises as administrative batch scripts are usually rolled out to many workstations. This would mean that a new script would have to be created on each workstation. In any case an attacker knowing the serial number is again able to decrypt the cipher text by RIPEMD-160 hashing the number and the key and using it as Blowfish initialization.

Fix:
There is no trivial fix for this problem as this is a flaw by design. As companies and individuals trust the pcwrunas tool for securing their administrator password, we suggest that an advisory be made public in order to inform administrators of the problem.

POC:

./decrypt_pcwrunas
Tool to decrypt blowfish-ebc from the PcwRunAs tool
Author: otr
---
Usage: decrypt_pcwrunas [version] [base64encryptedblowfish]
Example: decrypt_pcwrunas v0.3 pEmoTVE5jk9r8X1An1CeuVU9yTOVN0SNG7XUZkec+/udmzjTvMOUyk2OofUkMNk/2y7KJkY=
Example: decrypt_pcwrunas v0.4 EaVnXUyaAbve9Ef4K3QCm2dCzyH9znKcrZBwjaTLCgOT2sWBtCy38DEVTr5S

root@bt ~/Desktop/runwasdec # ./decrypt_pcwrunas v0.4 EaVnXUyaAbve9Ef4K3QCm2dCzyH9znKcrZBwjaTLCgOT2sWBtCy38DEVTr5S
[+] Decrypted: /u aaa /p /app a /arg aa
root@bt ~/Desktop/runwasdec # ./decrypt_pcwrunas v0.3 pEmoTVE5jk9r8X1An1CeuVU9yTOVN0SNG7XUZkec+/udmzjTvMOUyk2OofUkMNk/2y7KJkY=
[+] Decrypted: /u admin /p test1234 /app C:\WINNT\NOTEPAD.EXE
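Why the advisory flags ECB with a static key, shown as an added example that is not part of the original advisory or the PcwRunAs code: two scripts encrypted under the same key reveal which 8-byte blocks of their command lines are identical. Assumptions: the cipher is a stand-in Feistel permutation (not Blowfish), and the key, padding and second password are constructed.

```python
import hashlib

BLOCK = 8  # Blowfish operates on 64-bit blocks
STATIC_KEY = b"constructed-static-key"  # stands in for the embedded static key

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function for the stand-in cipher."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit Feistel permutation (NOT Blowfish, illustration only)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
        left, right = right, mixed
    return left + right

def ecb_encrypt(key: bytes, plaintext: bytes) -> list:
    """ECB: every block is encrypted independently, with no IV or chaining."""
    padded = plaintext + b"\x00" * (-len(plaintext) % BLOCK)  # assumed padding
    return [toy_block_encrypt(key, padded[i:i + BLOCK])
            for i in range(0, len(padded), BLOCK)]

def shared_blocks(a: list, b: list) -> list:
    """Indexes at which two ciphertexts carry an identical block."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x == y]

# Command lines in the advisory's /u /p /app format; SCRIPT_B is constructed.
SCRIPT_A = rb"/u admin /p test1234 /app C:\WINNT\NOTEPAD.EXE"
SCRIPT_B = rb"/u admin /p pass5678 /app C:\WINNT\NOTEPAD.EXE"

def leaked_positions() -> list:
    """Blocks that repeat across the two encrypted scripts."""
    return shared_blocks(ecb_encrypt(STATIC_KEY, SCRIPT_A),
                         ecb_encrypt(STATIC_KEY, SCRIPT_B))

if __name__ == "__main__":
    # "/u admin" fills block 0 exactly; only the password blocks 1 and 2 differ.
    print(leaked_positions())
```

Encryption under a fixed key with no per-message randomness is deterministic, which is the property that lets an encrypted string be reproduced by re-encrypting candidate inputs.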
[Full-disclosure] NX Web Companion Spoofing Arbitrary Code Execution Vulnerability
# Vuln Title: NX Web Companion Spoofing Arbitrary Code Execution Vulnerability
# Date: 25.01.2012
# Author: otr
# Software Link: http://www.nomachine.com/documents/plugin/install.php
# Version: = 3.x
# Tested on: Linux, Windows, Mac OS X x86, Mac OS X PPC, Solaris
# CVE : None, yet

Summary
The No Machine NX Web Companion is a Java applet that downloads and updates the No Machine software from a server. The No Machine software is used to remotely access computers. The NX Web Companion is usually used by enterprises to easily deploy a cross platform client for accessing remote machines.

Context
For security purposes the NX Web Companion Java applet jar file is often code signed. Signed Java applets are allowed to run arbitrary code (outside of the Java sandbox) on the client system if the user confirms that he trusts the certificate the code was signed with. If a company decides to use the NX Web Companion, it is likely not to merely self-sign it; it would therefore obtain a CA signed certificate for the Web Companion. The defaults when accepting such a signed Java applet are to run the applet in question and trust the publisher forever, meaning that any time the user browses to a page containing that applet, the applet code is executed automatically outside of the Java sandbox. The NX Web Companion spoofing vulnerability, in the worst case, allows arbitrary code to be executed on the client by abusing the trust the user once placed in the signed jar file.

Details
The Java applet nxapplet.jar downloads a file called client.zip from a location that can be controlled by the attacker using a fake web site, through the parameters passed to the applet (SiteUrl, RedirectUrl). The applet can be tricked into thinking that a new version is available by modifying the *ClientVersion parameters. After user confirmation, the applet then downloads a file client.zip from the location provided in SiteUrl.
client.zip is an archive that contains a platform dependent executable that is _not_ code signed and therefore may be manipulated by an attacker to run arbitrary code, abusing the trust placed in the nxapplet.jar certificate. The client.zip file actually contains a file called client that is lzma compressed. The file client itself is a zip archive that contains the platform dependent executable, which is called:

For Windows: nxclient.exe
For Linux: bin/nxclient
For OS X: bin/nxclient.app/Contents/MacOS/
For Solaris: bin/nxclient

Report Timeline
2011-12-12: Vendor Notification
2011-12-15: Vendor Response
2012-01-16: Vendor agrees to disclosure
2012-01-25: Public Disclosure
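The check the update path lacks, sketched as an added example that is not NoMachine's code or part of the original advisory: the download is accepted only if SiteUrl is an allowlisted HTTPS origin and the executable inside the nested client.zip matches a pinned digest. Assumptions: the allowlist and digest ship inside the signed jar, and the host name, payload bytes and function names are constructed.

```python
import hashlib, hmac, io, lzma, zipfile
from urllib.parse import urlsplit

# Assumption: both trust anchors live inside the signed jar, never in applet
# parameters such as SiteUrl. Host name and payload bytes are constructed.
ALLOWED_HOSTS = {"updates.example.com"}
MEMBER = "bin/nxclient"  # Linux path named in the advisory
GENUINE = b"\x7fELF constructed sample executable"
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()

def build_client_zip(executable: bytes) -> bytes:
    """Build the nesting the advisory describes: zip -> lzma 'client' -> zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(MEMBER, executable)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("client", lzma.compress(inner.getvalue()))
    return outer.getvalue()

def extract_executable(client_zip: bytes) -> bytes:
    """Unwrap both layers in memory; nothing is written to disk or executed."""
    with zipfile.ZipFile(io.BytesIO(client_zip)) as outer:
        inner_bytes = lzma.decompress(outer.read("client"))
    with zipfile.ZipFile(io.BytesIO(inner_bytes)) as inner:
        return inner.read(MEMBER)

def trusted_origin(site_url: str) -> bool:
    """SiteUrl is page-controlled input: require HTTPS and an allowlisted host."""
    parts = urlsplit(site_url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS

def verify_update(site_url: str, client_zip: bytes) -> bool:
    """Accept the download only if origin and executable digest both check out."""
    if not trusted_origin(site_url):
        return False
    try:
        payload = extract_executable(client_zip)
    except (zipfile.BadZipFile, lzma.LZMAError, KeyError):
        return False  # malformed or unexpected archive layout
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, PINNED_SHA256)

if __name__ == "__main__":
    url = "https://updates.example.com/nx"
    print(verify_update(url, build_client_zip(GENUINE)))      # genuine payload
    print(verify_update(url, build_client_zip(b"tampered")))  # modified payload
```

Checking SiteUrl against the page that embeds the applet would not help, since a fake site can host a copy of the signed jar itself; the trust anchors have to come from inside the signed code.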