# Vuln Title: Empirum Password Obfuscation Design Flaw
# Date: 20.12.2012
# Author: otr
# Software Link: http://www.matrix42.com/products/workplace-automation-empirum/
# Version: 14.0
# Tested on: Windows
# CVE : To be assigned
# Risk: medium
# Type: Privilege Escalation
# Vendor: Matrix42
# STATUS: final

Timeline:

2012-12-20 Flaw discovered
2013-01-08 Vendor contacted
2013-01-14 Vendor contacted (again)
2013-02-08 Vendor contacted (again)
2013-02-13 No response from vendor
2013-02-13 Public disclosure

Summary:

The Empirum software from Matrix42 is prone to a trivial password recovery attack that allows users to obtain passwords encrypted with EmpCrypt.exe.

Context:

Empirum is a product that features software management and OS installation over the network. For the network installation feature Empirum uses a combination of bootp/tftp (PXE) and SMB (or http/https). The Empirum server serves two hidden shares via SMB: EMPINST$ and CONFIGURATOR$. The two shares contain OS images, software management files and configuration files. The Empirum agent, which is installed on the client workstations, uses these configuration files in order to install the operating system, configure it and manage the workstation (e.g. install patches).

Design Flaw:

The Empirum ini configuration files on the CONFIGURATOR$ share, which define several settings used by the Empirum agent, also define passwords for use in Empirum. These are SETUP, MD5, EIS and SYNC. The MD5 password is an unsalted raw MD5 hash of the password. The SETUP, EIS and SYNC passwords use other obfuscation methods. The SETUP, EIS and SYNC passwords can be prepared by the Empirum administrator using the EmpCrypt.exe tool, which is part of Empirum. It was found that sometimes all four password values in the configuration file are an obfuscation of the same password (it was not verified whether this is always the case).

The SETUP password uses a kind of obfuscation that can easily be deobfuscated using a modified EmpCrypt.exe tool. The algorithms behind the EIS and SYNC values were not analyzed in detail, but apparently EIS and SYNC passwords are hashed passwords: for different input values they have a constant-length output value. It was not verified whether cryptographically secure hashing algorithms are used. SETUP passwords are not hashes (the length of the SETUP values is variable) but some form of encoding. The EmpCrypt.exe tool already contains functionality to decrypt SETUP passwords which is not exposed via the command line interface. Using reverse engineering and binary patching it is possible to create a version of EmpCrypt.exe that decodes SETUP passwords. There may be simpler ways to achieve this, e.g. an undocumented command line parameter.

The decoded password can be used by an attacker to perform various attacks inside a Windows domain, such as pass-the-hash against other systems or privilege escalation. It may also disclose internal password policies or password creation patterns, which allow the attacker to perform further password cracking.

Example:

    Empcrypt.exe /SETUP "ABC"      -> copies password "*YZXZ" into clipboard
    EmpDecrypt.exe /SETUP "*YZXZ"  -> copies "ABC" into clipboard

EmpCrypt to EmpDecrypt binary patch:

EmpDecrypt.exe is a patched EmpCrypt.exe, changed at the following code:

    loc_4020FB:
        mov     esi, 0Fh
        mov     [ebp+var_1C], esi
        mov     [ebp+var_20], ebx
        [...]
        cmp     [ebp+var_4F], bl
        jnz     loc_402284        <- in the original code this was jz

Or in hex encoding:

    # diff <(xxd -c 16 EmpCrypt.exe) <(xxd -c 16 EmpDecrypt.exe)
    < 0001510: 45fc 01e8 5815 0000 385d b10f 8463 0100  E...X...8]...c..
    ---
    > 0001510: 45fc 01e8 5815 0000 385d b10f 8563 0100  E...X...8]...c..

Fix:

In a Windows environment the Active Directory and domain structure (Kerberos) may be used in order to handle authentication and avoid storing weakly obfuscated passwords accessible to workstations.
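The xxd diff above pins the whole patch to a single opcode byte (0F 84 = jz becomes 0F 85 = jnz) at file offset 0x151c. A defender who wants to find tampered EmpCrypt.exe copies (an "EmpDecrypt" left on a share or workstation) can check that byte directly. The following Python is an added example, not part of the advisory or of Empirum; it parses the two xxd lines quoted in the advisory and classifies a file against them. The offset applies only to the build the advisory examined (14.0); for other builds, compare against a known-good hash instead.

```python
import re
from pathlib import Path

# The two xxd lines from the advisory's diff (original vs. patched build).
ORIGINAL_LINE = "0001510: 45fc 01e8 5815 0000 385d b10f 8463 0100  E...X...8]...c.."
PATCHED_LINE = "0001510: 45fc 01e8 5815 0000 385d b10f 8563 0100  E...X...8]...c.."

XXD_RE = re.compile(r"^([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{4}\s?)+)")


def parse_xxd_line(line):
    """Return (offset, bytes) from one 'xxd -c 16' line; the ASCII column is ignored."""
    m = XXD_RE.match(line)
    if not m:
        raise ValueError("not an xxd line: %r" % line)
    return int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))


def patched_byte_offsets():
    """File offsets at which the patched build differs from the original."""
    off, orig = parse_xxd_line(ORIGINAL_LINE)
    _, patched = parse_xxd_line(PATCHED_LINE)
    return [off + i for i, (a, b) in enumerate(zip(orig, patched)) if a != b]


def classify_empcrypt(data):
    """Classify a file image as 'original', 'patched' or 'unknown' (other build/file)."""
    off, orig = parse_xxd_line(ORIGINAL_LINE)
    _, patched = parse_xxd_line(PATCHED_LINE)
    window = data[off:off + len(orig)]
    if window == orig:
        return "original"
    if window == patched:
        return "patched"
    return "unknown"


def classify_file(path):
    """Convenience wrapper: classify an on-disk file, e.g. one found on CONFIGURATOR$."""
    return classify_empcrypt(Path(path).read_bytes())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, classify_file(p))
```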