CEMLink 6 suffers from having unrestricted WSDL service access and a weak mechanism for password storage.
52fe0bdeec2533e61add0b221c0b0bac# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Exploit Title: CEMLink6 multiple vulnerabilities
# Date Reported to vendor: 8/2/2017
# Vendor never replied
# Exploit Author: [email protected]
# Vendor Homepage: http://www.vimtechnologies.com/cemlink-6.html
# Version: CEMLink6
# Tested on: Windows 7
# CVSS2 Vector: ((AV:A/AC:L/Au:S/C:C/I:C/A:C)
# CVSS2 Score: 7.4
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
According to VIM Technologies: "CEMLink 6 has revolutionized the data collection and reporting industry by providing an unprecedented level of tools"
CEMLink6 is an Industry leading data acqusition and heavily used in CEMENT industries and petrochemical and refining companies
==================================================== Vulnerability description and Proof of concept =============================================================
1st Vulnerability - Unrestricted WSDL Service Access
The CEMLink6 thick client application interacts with the WSDL server through the URL: http://Server/CEMLinkServiceGateway/. These services are nota adequetly protected since any authenticated to the CEMLink6 application network user can access and interact with them retrieving any database stored information including usernames and passwords.
2nd Vulnerability - Decrypt any encrypted password
The authentication mechanism of the CemLink6 thick client application is designed in an insecure manner, allowing full recovery of the cleartext equivalent of any user password.
Specifically, when a user logins to CemLink6 the application uses AES-256 to encrypt the password supplied by the user into a ciphertext, which is then transferred over the network to the server for verification. However, the current implementation has a number of security design vulnerabilities.
First, it is not recommended to use reversible encryption for password storage and/ or transmission. Due to the nature of these encryption ciphers, an attacker with access to the ciphertext may be in a position to decrypt it.
Second, if the application for some reason is required to have access to the password plaintext and as such encryption with a reversible cipher is necessitated, it is recommended that a secure password derivation mechanism is used. In the specific case we identi-fied that the application uses two static strings, a password and a salt, to derive the encryption key, with which it performs encryption of the cleartext password. This results in the same encryption key derived each and every time. An attacker with knowledge of the key would be in a position to fully decrypt the usersa password. This issue, in combination with the fact that the application doesn't apply strong binary protection mechanisms, allows an attacker to recover the plaintext password of any user account of the application.
For reference these strings are:
Static string "Password" with value: "VIM Technologies"
Static string "Salt" with value: "j28d21r14j07bMR"
It is possible by combining the specific encryption/ decryption mechanisms employed by the application, and the 1st Vulnerability to retrieve the encrypted passwords of the users and then patch the application code so as to decrypt any encrypted password, directly and retrieve the cleartext equivalent of the any given password hash.
It should be mentioned that the static strings previously mentioned are inside the CEMLink.Utilities class and defined in the StringUtilities method.