
Empirum Password Obfuscation

Posted Feb 15, 2013
Authored by otr

Empirum version 14.0 from Matrix42 is prone to a trivial password recovery attack that allows users to obtain passwords encrypted with the EmpCrypt.exe.

tags | advisory
SHA-256 | b8bfd848ac2af64d7799cf9258bc83cfefcfe8500dd019f1128511e9ba936b3e

# Vuln Title: Empirum Password Obfuscation Design Flaw
# Date: 20.12.2012
# Author: otr
# Software Link: http://www.matrix42.com/products/workplace-automation-empirum/
# Version: 14.0
# Tested on: Windows
# CVE : To be assigned

# Risk: medium
# Type: Privilege Escalation
# Vendor: Matrix42

# STATUS: final

Timeline:

2012-12-20 Flaw Discovered
2013-01-08 Vendor contacted
2013-01-14 Vendor contacted (again)
2013-02-08 Vendor contacted (again)
2013-02-13 No response from vendor
2013-02-13 Public disclosure

Summary:

The Empirum software from Matrix42 is prone to a trivial password recovery
attack that allows users to obtain passwords encrypted with the EmpCrypt.exe.

Context:

Empirum is a product that features software management and OS installation over
the network. For the network installation feature Empirum uses a combination of
bootp/tftp (PXE) and SMB (or HTTP/HTTPS). The Empirum server serves two hidden
shares via SMB: EMPINST$ and CONFIGURATOR$. The two shares contain OS images,
software management files and configuration files. The Empirum agent, which is
installed on the client workstations, uses these configuration files in order to
install the operating system, configure it and manage the workstation (e.g.
install patches).

Design Flaw:

The Empirum ini configuration files on the CONFIGURATOR$ share, which define
several settings used by the Empirum Agent, also define passwords for use in
Empirum. These are SETUP, MD5, EIS and SYNC. The MD5 password is an unsalted raw
MD5 hash of the password. The SETUP, EIS and SYNC passwords use other obfuscation
methods. The SETUP, EIS and SYNC passwords can be prepared by the Empirum
Administrator using the EmpCrypt.exe tool, which is part of Empirum. It was found
that sometimes all four password values in the configuration file are an
obfuscation of the same password (it was not verified whether this is always the
case).

The SETUP password uses a kind of obfuscation that can easily be deobfuscated
using a modified EmpCrypt.exe tool. The hashing algorithms of the EIS and SYNC
passwords were not analyzed in detail, but apparently EIS and SYNC passwords are
hashed passwords: for different input values they have a constant-length output
value. It was not verified whether cryptographically secure hashing algorithms
are used. SETUP passwords are not hashes (the length of the SETUP values is
variable) but some form of encoding. The EmpCrypt.exe tool already contains
functionality to decrypt SETUP passwords which is not exposed via the command
line interface. Using reverse engineering and binary patching it is possible to
create a version of EmpCrypt.exe that decodes SETUP passwords. There may be
simpler ways to achieve this, e.g. an undocumented command line parameter.
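The advisory infers the storage scheme of each field from how its values behave (constant length for different inputs suggests a digest, variable length a reversible encoding, 32 hex characters a raw MD5). The following audit script applies that same reasoning to a set of agent ini files so an administrator can inventory which credential fields are weakly stored; it is an added example, not Matrix42 code or the author's tool, and the section name and sample values are constructed (only "*YZXZ" as the SETUP encoding of "ABC" comes from the advisory).

```python
"""Audit Empirum-style ini files for weakly stored credential fields (added example)."""
import configparser
import hashlib
import re

CRED_KEYS = ("SETUP", "MD5", "EIS", "SYNC")   # field names taken from the advisory
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
SEVERITY = {"raw-md5": "high", "reversible-encoding": "high",
            "fixed-length-digest": "medium", "undetermined": "info"}

# Constructed samples (section name and EIS/SYNC values are made up): two agent
# configs that, as the advisory observed, carry one password in all four fields.
SAMPLE_MD5 = hashlib.md5(b"ABC").hexdigest()
SAMPLE_INIS = [
    "[Empirum]\nSETUP=*YZXZ\nMD5=%s\nEIS=0123456789abcdef\nSYNC=89abcdef01234567\n" % SAMPLE_MD5,
    "[Empirum]\nSETUP=*QWERTYUIOP\nMD5=%s\nEIS=fedcba9876543210\nSYNC=76543210fedcba98\n"
    % hashlib.md5(b"LongerSecret1").hexdigest(),
]

def load_credential_fields(ini_text):
    """Return {key: value} for every credential key found in any section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "MD5" is looked up exactly as written
    cp.read_string(ini_text)
    return {k: cp.get(s, k) for s in cp.sections() for k in CRED_KEYS if cp.has_option(s, k)}

def infer_scheme(values):
    """Classify one field from its values across several files, using the
    advisory's reasoning: 32 hex chars is an MD5-sized raw hash, constant length
    for different inputs looks like a digest, varying length is an encoding."""
    if all(HEX32.match(v) for v in values):
        return "raw-md5"
    if len(values) < 2:
        return "undetermined"  # one sample cannot separate a digest from an encoding
    if len({len(v) for v in values}) == 1:
        return "fixed-length-digest"
    return "reversible-encoding"

def audit(ini_texts):
    """Return sorted (field, scheme, severity) findings over a set of config files."""
    per_key = {}
    for text in ini_texts:
        for k, v in load_credential_fields(text).items():
            per_key.setdefault(k, []).append(v)
    return sorted((k, s, SEVERITY[s]) for k, vals in per_key.items() for s in [infer_scheme(vals)])

if __name__ == "__main__":
    for field, scheme, sev in audit(SAMPLE_INIS):
        print("%-5s %-20s %s" % (field, scheme, sev))
```

Run it against the ini files copied from the CONFIGURATOR$ share of a test server; any field reported as raw-md5 or reversible-encoding is readable by every workstation that can mount the share.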

The decoded password can be used by an attacker to perform various attacks
inside a Windows domain, such as pass-the-hash against other systems or
privilege escalation. It may also disclose internal password policies or
password creation patterns, which allow the attacker to perform further
password cracking.

Example:

Empcrypt.exe /SETUP "ABC" -> copies password "*YZXZ" into clipboard
EmpDecrypt.exe /SETUP "*YZXZ" -> copies "ABC" into clipboard

Empcrypt to EmpDecrypt binary patch:

EmpDecrypt.exe is a patched EmpCrypt.exe at the following code:

loc_4020FB:
mov esi, 0Fh
mov [ebp+var_1C], esi
mov [ebp+var_20], ebx
[...]
cmp [ebp+var_4F], bl
jnz loc_402284 <- in the original code this was jz

Or in hex encoding:

# diff <(xxd -c 16 EmpCrypt.exe) <(xxd -c 16 EmpDecrypt.exe)
< 0001510: 45fc 01e8 5815 0000 385d b10f 8463 0100 E...X...8]...c..
---
> 0001510: 45fc 01e8 5815 0000 385d b10f 8563 0100 E...X...8]...c..

Fix:

In a Windows environment, Active Directory and the domain structure
(Kerberos) may be used to handle authentication and so avoid storing
weakly obfuscated passwords where workstations can read them.
