CEMLink 6 Unrestricted WSDL Service Access / Poor Crypto Implementation
Posted Dec 1, 2017
Authored by Konstantinos Alexiou

CEMLink 6 suffers from having unrestricted WSDL service access and a weak mechanism for password storage.

tags | advisory, bypass
MD5 | 52fe0bdeec2533e61add0b221c0b0bac

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Exploit Title: CEMLink6 multiple vulnerabilities
# Date Reported to vendor: 8/2/2017
# Vendor never replied
# Exploit Author: Konstantinos.alexiou@hotmail.com
# Vendor Homepage: http://www.vimtechnologies.com/cemlink-6.html
# Version: CEMLink6
# Tested on: Windows 7
# CVSS2 Vector: (AV:A/AC:L/Au:S/C:C/I:C/A:C)
# CVSS2 Score: 7.4
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
According to VIM Technologies: "CEMLink 6 has revolutionized the data collection and reporting industry by providing an unprecedented level of tools"
CEMLink6 is an industry-leading data acquisition and reporting product, heavily used by cement producers and by petrochemical and refining companies.
==================================================== Vulnerability description and Proof of concept =============================================================
1st Vulnerability - Unrestricted WSDL Service Access
The CEMLink6 thick client application talks to its SOAP/WSDL services through the URL http://Server/CEMLinkServiceGateway/. These services are not adequately protected: any network user who can authenticate to the CEMLink6 application can access and interact with them directly and retrieve any information stored in the database, including usernames and passwords. Note also that the endpoint is served over plain HTTP, so everything the client exchanges with it, including the encrypted password described in the 2nd vulnerability, is visible to anyone on the same network segment.
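The first thing a tester does against an endpoint like the one above is pull its WSDL and list what it exposes, because every listed operation is reachable by any authenticated user if the service applies no per-operation authorization. The script below is an added example, not CEMLink6 code: the advisory does not name the gateway's operations, so the WSDL embedded here is constructed with made-up operation names, and only the service URL comes from the advisory. Besides listing operations, it flags SOAP addresses that use http:// rather than https://, since cleartext transport is what lets an adjacent-network attacker capture the transmitted password ciphertext.

```python
"""Enumerate a WSDL's operations and endpoints, flagging cleartext transport.

Added example (not part of the advisory or of CEMLink6). SAMPLE_WSDL is a
constructed document in the shape a .NET web service returns at ?wsdl; the
operation names GetUsers/RunQuery are invented for the demonstration.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
}

# Constructed sample; only the service location is taken from the advisory.
SAMPLE_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.invalid/gateway"
    targetNamespace="http://example.invalid/gateway">
  <wsdl:portType name="GatewaySoap">
    <wsdl:operation name="GetUsers"/>
    <wsdl:operation name="RunQuery"/>
  </wsdl:portType>
  <wsdl:binding name="GatewaySoap" type="tns:GatewaySoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  </wsdl:binding>
  <wsdl:service name="Gateway">
    <wsdl:port name="GatewaySoap" binding="tns:GatewaySoap">
      <soap:address location="http://Server/CEMLinkServiceGateway/"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def enumerate_wsdl(wsdl_xml):
    """Parse a WSDL document and return a dict with:
    operations - sorted names of every operation in every portType
    endpoints  - every SOAP 1.1 / 1.2 address location
    cleartext  - the subset of endpoints served over http://
    """
    root = ET.fromstring(wsdl_xml)
    operations = sorted({
        op.get("name")
        for op in root.iterfind(".//wsdl:portType/wsdl:operation", NS)
    })
    endpoints = []
    for port in root.iterfind(".//wsdl:service/wsdl:port", NS):
        for tag in ("soap:address", "soap12:address"):
            addr = port.find(tag, NS)
            if addr is not None and addr.get("location"):
                endpoints.append(addr.get("location"))
    cleartext = [e for e in endpoints if e.lower().startswith("http://")]
    return {"operations": operations, "endpoints": endpoints,
            "cleartext": cleartext}


if __name__ == "__main__":
    report = enumerate_wsdl(SAMPLE_WSDL)
    print("operations reachable by any authenticated user:")
    for name in report["operations"]:
        print("  ", name)
    for url in report["cleartext"]:
        print("cleartext endpoint (credentials observable on the wire):", url)
```

Against a live target the only change is to replace SAMPLE_WSDL with the body returned by urllib.request.urlopen(base_url + "?wsdl"); every operation the script lists should then be tested with a low-privilege session to confirm whether the server enforces authorization per operation or, as here, only requires that the caller be logged in.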

2nd Vulnerability - Decrypt any encrypted password
The authentication mechanism of the CemLink6 thick client application is designed in an insecure manner, allowing full recovery of the cleartext equivalent of any user password.
Specifically, when a user logs in to CemLink6 the application uses AES-256 to encrypt the password supplied by the user into a ciphertext, which is then transferred over the network to the server for verification. The current implementation has a number of security design flaws.
First, reversible encryption is not appropriate for password storage or transmission. With a reversible cipher, an attacker who obtains the ciphertext and the key recovers the password itself, whereas a salted one-way hash lets the server verify a password without ever holding anything that can be turned back into it.
Second, if the application genuinely needs the password plaintext and therefore has to use a reversible cipher, the encryption key must at least be derived securely. Here we identified that the application derives the encryption key from two static strings, a password and a salt, and uses that key to encrypt the cleartext password. The same key is therefore produced on every run and on every installation, and an attacker who knows it can decrypt any user's password. Because the application also applies no strong binary protection mechanisms, the two strings can be read straight out of the client, which lets an attacker recover the plaintext password of any account in the application.
For reference these strings are:
Static string "Password" with value: "VIM Technologies"
Static string "Salt" with value: "j28d21r14j07bMR"
By combining the application's own encryption/decryption routines with the 1st vulnerability, an attacker can retrieve the users' encrypted passwords from the services and then patch the application code so that it decrypts any supplied ciphertext directly, recovering the cleartext equivalent of any stored password.
It should be mentioned that the static strings previously mentioned are inside the CEMLink.Utilities class and defined in the StringUtilities method.
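The following added example (not CEMLink6 code and not from the advisory author) shows why the two static strings are fatal and what the replacement looks like. The advisory gives only the strings; the key derivation function, iteration count and key length used here (PBKDF2-HMAC-SHA1, 1000 iterations, 32 bytes, matching the .NET Rfc2898DeriveBytes defaults for an AES-256 key) are assumptions. The point does not depend on them: whatever the KDF, fixed inputs give a fixed key, so anyone holding the strings holds the key. The AES step itself is omitted because the advisory does not state the cipher mode or IV handling. The second half of the example is the hardened design, a random per-user salt and a slow one-way hash verified in constant time, which the server can check without any reversible secret existing on the client or the wire.

```python
"""Static password + static salt => one recoverable key; and the fix.

Added example, not part of the advisory or of CEMLink6. KDF, iteration count
and key length are assumptions (Rfc2898DeriveBytes defaults); the two static
strings are the ones quoted in the advisory.
"""
import hashlib
import hmac
import os

# Static strings the advisory reports in CEMLink.Utilities / StringUtilities.
STATIC_PASSWORD = b"VIM Technologies"
STATIC_SALT = b"j28d21r14j07bMR"


def derive_static_key(iterations=1000, length=32):
    """Recompute the key exactly as an attacker who lifted the two strings
    from the client binary would. Every call, on every machine, returns the
    same 32 bytes, so the key is effectively public once the strings are."""
    return hashlib.pbkdf2_hmac("sha1", STATIC_PASSWORD, STATIC_SALT,
                               iterations, length)


# --- Hardened alternative: nothing reversible is stored or transmitted. ---

PBKDF2_ITERATIONS = 200_000  # tune upward to the server's latency budget


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Server-side record for a new password: a fresh random salt per user
    and a deliberately slow one-way hash. Two records for the same password
    differ, so leaked records cannot be cracked in bulk with one table."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, 32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time; a malformed or unknown record never verifies."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters), 32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("static key, identical on every run:", derive_static_key().hex())
    record = hash_password("hunter2")
    print("stored record:", record)
    print("correct password verifies:", verify_password("hunter2", record))
    print("wrong password rejected:  ", not verify_password("hunter3", record))
    print("same password, new record differs:",
          hash_password("hunter2") != record)
```

With the hardened scheme the client sends the password to the server over TLS (the gateway in the 1st vulnerability is plain HTTP, which would have to change) and the server compares against the stored record; the client holds no key, so there is nothing to extract from the binary, and the records the services could leak are not reversible.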
