| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Mar 2012 12:17:03 +0200 From: otr@...kcay.de To: Bugtraq <bugtraq@...urityfocus.com>, Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: PcwRunAs Password Obfuscation Design Flaw # Vuln Title: PcwRunAs Password Obfuscation Design Flaw # Date: 26.03.2012 # Author: Christian Landström, otr # Software Link: http://www.pcwelt.de/downloads/pcwRunAs-1215998.html # Version: <= 0.4 # Tested on: Windows # CVE : CVE-2012-1793 # Risk: high # Type: Privilege Escalation # Vendor: PC-Welt Timeline: 2012-03-19 Vendor contacted 2012-03-19 Vendor response 2012-03-19 CVE number requested 2012-03-20 CVE number assigned 2012-03-26 Public disclosure Summary: The PcwRunAs software available from the PC-Welt website is prone to a trivial password recovery attack that allows local users to obtain passwords encrypted with the pcwRunAsGui.exe. Context: PcwRunAs is a substitute for the RunAs tool included in the Windows operating system. The tool allows to run commands in a different user context. Usually this is used to execute commands that only higher privileged users are allowed to run (like administrative or maintenance tasks). Included in the PcwRunAs package is a tool called pcwRunAsGui which features the creation of batch scripts that contain an encrypted version of the command line arguments. This is used to hide the password information from ordinary users that have access to the batch script but should not know the administrator password. Currently two versions of the tool are used in the wild. These are versions 0.3 and 0.4. Design Flaw: Both the PcwRunAsGui and the PcwRunAs tool share a common encryption key. By design it is impossible to have PcwRunAs decrypt the string produced by PcwRunAsGui and not give an attacker that wants to decrypt the cipher text access to it. Hence the encryption key is embedded in the binaries of both tools. This allows an attacker to reverse engineer the static encryption key from the available binaries. The encryption key is derived from a RIPEDM-160 hash (160bits) that serves as initialization for the blowfish encryption algorithm. This RIPEDM-160 hash is static for each version of the pcwrunas tool as it is simply a hash sum of the pcwRunAs.exe executable file. The plain text command line arguments get Blowfish-EBC encrypted with the static RIPEDM-160 hash and the result encoded in base64, e.g. in version 0.3: /u "admin" /p "test1234" /app "C:\WINNT\NOTEPAD.EXE" Becomes, encrypted with blowfish and base64 encoded: pEmoTVE5jk9r8X1An1CeuVU9yTOVN0SNG7XUZkec+/udmzjTvMOUyk2OofUkMNk/2y7KJkY= As the string is blowfish EBC(!) encrypted it is possible to brute force a given base64 string by hand, systematically trying different inputs for the pcwrunasgui tool and trying to reproduce the encrypted string one once to decipher. By reverse engineering the binaries it is possible to extract the static RIPEDM-160 hash that is used for encryption and write a tool that takes the encrypted base64 string and decrypts it using the static RIPEDM-160 hash (different in version 0.3 and 0.4). The version 0.4 features a protection mechanism that salts the encryption key with the hard disk serial number. However this feature is not widely used by enterprises as administrative batch scripts are usually rolled out to many workstations. This would mean that a new script would have to be created on each workstation. In any case an attacker knowing the serial number is again able to decrypt the cipher text by RIPEDM-160 hashing the number and the key and using it as blowfish initialization. Fix: There is no trivial fix for this problem as this is a flaw by design. As companies and individuals trust the pcwrunas tool for securing their administrator password, we suggest that an advisory be made public in order to inform administrators of the problem. POC: ./decrypt_pcwrunas Tool to decrypt blowfish-ebc from the PcwRunAs tool Author: otr --------------- Usage: decrypt_pcwrunas [version] [base64encryptedblowfish] Example: decrypt_pcwrunas v0.3 pEmoTVE5jk9r8X1An1CeuVU9yTOVN0SNG7XUZkec+/udmzjTvMOUyk2OofUkMNk/2y7KJkY= Example: decrypt_pcwrunas v0.4 EaVnXUyaAbve9Ef4K3QCm2dCzyH9znKcrZBwjaTLCgOT2sWBtCy38DEVTr5S root@bt ~/Desktop/runwasdec # ./decrypt_pcwrunas v0.4 EaVnXUyaAbve9Ef4K3QCm2dCzyH9znKcrZBwjaTLCgOT2sWBtCy38DEVTr5S [+] Decrypted: /u "aaaaaaa" /p /app "aaaaa" /arg "aaaaaa" root@bt ~/Desktop/runwasdec # ./decrypt_pcwrunas v0.3 pEmoTVE5jk9r8X1An1CeuVU9yTOVN0SNG7XUZkec+/udmzjTvMOUyk2OofUkMNk/2y7KJkY= [+] Decrypted: /u "admin" /p "test1234" /app "C:\WINNT\NOTEPAD.EXE"
Powered by blists - more mailing lists