Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Decrypting Spark Saved Passwords

A friend of mine has been evaluating an open source instant messaging client called Spark, which can be linked to Active Directory for authentication. Like most IM clients, Spark allows users to save their password – and me being me, I was curious as to how it does this – since storing Windows domain logins is kind of a big deal.

So, within a few minutes I found all of the details – and none of them make me feel any better. Here are the important bits:

  • Encrypted with Triple DES in ECB mode.
  • IV isn’t being set.
  • Encryption key is hardcoded.

This means that all users have the same, publicly documented encryption key protecting their password. What’s the key? It’s ugfpV1dMC5jyJtqwVAfTpHkxqJ0+E0ae in Base64 encoding – and thanks to this, it’s trivial to write code to reverse the “protection” and make the credentials (which may well be domain credentials) available to anyone with access to the user’s profile.

So, that’s what I did. This is simple code that scans a machine for Spark configuration files (named spark.properties) and checks each one to see if a password can be extracted. You can also pass in a NetBIOS name, and it will attempt to use the administrative share (C$) to access the profiles on that system. Take a look at the README for more details.

The saving grace here is that you have to have access to the user profiles, so if a system is locked down thoroughly, you likely won’t make much progress. But if you can get a local administrator account to run this from – it may make a pentest go a little quicker.

I’ve tried to find a way to disable the ‘Save Password’ feature, but it seems that the only option is to patch the source. If you are using Spark within your environment, I strongly recommend that you carefully consider how it’s used and integrated with AD or other systems.
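Since the feature can’t be switched off, the practical defensive step is to find out which profiles actually hold a saved password so those users can be told to clear it. The following is an added example (not the tool described above, and not Spark’s own code) that scans a directory tree for spark.properties files and reports the ones containing a non-empty saved password without decrypting anything; the `password` and `username` key names and the profile path layout are assumptions made for the constructed sample, not taken from Spark’s source.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed sample in Java .properties format; key names are assumed, not Spark's.
SAMPLE_PROPERTIES = """\
# Spark settings (constructed sample)
username=jdoe
passwordSaved=true
password=AbCdEfGh12345678==
server=im.example.test
"""


def parse_java_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:  # key with no separator -> empty value, as Java does
            props[line] = ""
    return props


def find_saved_passwords(root: str) -> List[Tuple[str, str]]:
    """Walk `root` (a profile directory or mounted share) and return
    (path, username) for every spark.properties holding a saved password.
    The stored ciphertext is never decrypted; only its presence is reported."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        if "spark.properties" not in files:
            continue
        path = os.path.join(dirpath, "spark.properties")
        with open(path, encoding="latin-1") as fh:  # .properties files are ISO-8859-1
            props = parse_java_properties(fh.read())
        if props.get("password"):
            hits.append((path, props.get("username", "<unknown>")))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Write the constructed sample into a temporary profile tree and scan it."""
    root = tempfile.mkdtemp()
    profile = os.path.join(root, "Users", "jdoe", "AppData", "Roaming", "Spark")
    os.makedirs(profile)  # assumed layout, used only for this constructed sample
    with open(os.path.join(profile, "spark.properties"), "w", encoding="latin-1") as fh:
        fh.write(SAMPLE_PROPERTIES)
    return find_saved_passwords(root)
```

Point `find_saved_passwords` at a mounted profile share to get a list of accounts whose saved credential should be cleared.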
