what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Faronics WINSelect Hardcoded Credentials / Bad Permissions / Unhashed Password

Faronics WINSelect Hardcoded Credentials / Bad Permissions / Unhashed Password
Posted Jun 25, 2024
Authored by Daniel Hirschberger | Site sec-consult.com

Faronics WINSelect versions prior to 8.30.xx.903 suffer from having hardcoded credentials, storing unhashed passwords, and configuration file modification vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2024-36495, CVE-2024-36496, CVE-2024-36497
SHA-256 | 027ee14709ee8088f3a43a3e25e6450580e3674393ef37542ccf9f8c2f9f3e81

Faronics WINSelect Hardcoded Credentials / Bad Permissions / Unhashed Password

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20240624-0 >
=======================================================================
title: Multiple Vulnerabilities allowing complete bypass
product: Faronics WINSelect (Standard + Enterprise)
vulnerable version: <8.30.xx.903
fixed version: 8.30.xx.903
CVE number: CVE-2024-36495, CVE-2024-36496, CVE-2024-36497
impact: high
homepage: https://www.faronics.com/products/winselect
found: 2024-02-01
by: Daniel Hirschberger (Office Bochum)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Eviden business
Europe | Asia

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"WINSelect - Allows you to easily control your end-users' Windows Experience without
having to deal with GPOs.
Need to Prevent Data From Leaving?
Whether you're working on classified government files or the secret ingredient
for your famous lasagna, you need to protect your sensitive information from
walking out the door.

Faronics WINSelect offers the ability to disable USB ports and disk drives. Now
you can relax knowing your secrets won't be exported without your knowledge."

Source: https://www.faronics.com/products/winselect


Business recommendation:
------------------------
The vendor provides a patched version which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Read/Write Permissions for Everyone on Configuration File (CVE-2024-36495)
The application saves its configuration in an encrypted file which "Everyone" has
read and write access to.


2) Hardcoded Credentials (CVE-2024-36496)
The configuration file is encrypted with a static key derived from a static five-
character password which allows an attacker to decrypt this file.


3) Unhashed Storage of Password (CVE-2024-36497)
The decrypted configuration file contains the password in cleartext which is used
to configure WINSelect. It can be used to remove the existing restrictions and
disable WINSelect entirely.

By combining these issues any local attacker can disable WINSelect.


Proof of concept:
-----------------
1) Read/Write Permissions for Everyone on Configuration File (CVE-2024-36495)

WINSelect Standard saves its configuration in the following file:
C:\ProgramData\WINSelect\WINSelect.wsd


Every user has read and write permissions on this file by default:
<read_write_everyone.png>

The write permission is no problem as long as WINSelect is running, because it
is locked by the process WSEngine.exe.

For WINSelect Enterprise the path for the configuration file is:
C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd


2) Hardcoded Credentials (CVE-2024-36496)
By analyzing the application via the API Monitor tool, we found that the
application uses a hardcoded five letter password, hashes it with the outdated
and broken MD5 algorithm (no salt) and uses the first five bytes as the key
for RC4. The configuration file is then encrypted with these parameters.

After starting WINSelect.exe the MD5 and RC4 algorithms are requested:
<rc4_md5.png>

When the login to the configuration of WINSelect is triggered via
CTRL+ALT+SHIFT+F8, the configuration file is decrypted.
<login.png>

The hardcoded password "Kunal" is hashed.
<hash_input.png>
<hash_output.png>

The first five bytes of the hash are used to instantiate a key object.
<key.png>

The configuration is then decrypted with this key.
<decrypted.jpeg>

To simplify this proof of concept the following python script was developed
which automatically decrypts an encrypted WINSelect.wsd:
<test.py>


3) Unhashed Storage of Password (CVE-2024-36497)
By decrypting the configuration file, the used password can be extracted at the
beginning of the file:

---
<?xml version="1.0"?>
<KIOSK>
<SECTIONS>
<SECTION>
<SID>194</SID><!--S_ID_ADMIN_PASS-->
<RULES>
<RULE>
<ID>121</ID><!--R_ID_PROTECTION_ON_OFF-->
<ENABLED>1</ENABLED>
</RULE>
<RULE>
<ID>148</ID><!--R_ID_PROTECTION_ON_OFF_ADMIN-->
<ENABLED>1</ENABLED>
</RULE>
<RULE>
<ID>116</ID><!--R_ID_ADMIN_PASS-->
<ENABLED>1</ENABLED>
<DATA>
<PASSWORDSET>0</PASSWORDSET>
<ADMINPASSWORD>myadminpw</ADMINPASSWORD>
</DATA>
---

Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test:
* 8.22.1112.886


Vendor contact timeline:
------------------------
2024-02-19: Contacting vendor through support@faronics.com and
customerservice@faronics.com
2024-02-20: Vendor responds with an email address to which we shall send the
advisory.
2024-02-20: Asking for encryption, vendor requests unencrypted communication,
submitting advisory.
2024-02-21: Vendor confirms receipt, engaged with product and development teams.
2024-02-27: Vendor introduces additional contact, will coordinate further responses.
2024-03-13: Additional contact apologizes for delayed response, vulnerabilities
already discussed internally. Asks for extension of release.
2024-03-14: Extending advisory release to coordinate with patch.
2024-04-10: Vendor has addressed the reported issues in a test build for the
standard version, enterprise fixes will be incorporated soon.
2024-04-18: Giving feedback that the issue is still exploitable, proposing a
better hash function and random UUID, linking to OWASP password storage
cheat sheet.
2024-04-21: Vendor thanks us for the proposed fix, current patch must be released, but
working on new version incorporating our feedback.
2024-04-23: Providing further feedback, especially regarding GPU attacks.
2024-05-27: Asking for a status update.
2024-05-29: Vendor's last email got stuck in their mailbox. The latest WINSelect patch
was released in early May, now incorporates PBKDF2. Provides release notes
and download URL.
Reserving CVE numbers.
2024-06-10: We can confirm that the PBKDF2 is used with SHA256 and 600000 iterations
2024-06-11: Since the hardcoded password for the encryption is not fixed, we ask if
this will be addressed as well.
Vendor responds that this will be addressed in a future release.
2024-06-24: Coordinated release of security advisory.


Solution:
---------
The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded
from the following URL:
https://www.faronics.com/document-library/document/download-winselect-standard

The vendor provided the following changelog:
https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2024
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close