Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
MxCC_Credential-Storage_issue/MxCC_improper_credential_storage
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
89 lines (68 sloc)
2.44 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###################################### | |
| MxCC passwords exposed in MxCC.ini file | |
| ###################################### | |
| Software: Mobotix Control Center (MxCC) | |
| Version: 2.5.4.5 and before | |
| Summary: | |
| -------- | |
| In the config file created by MxCC, when saving the config, the passwords are stored in base64 format. | |
| This format can easily be reversed and passwords become visible in cleartext. | |
| It concerns following passwords: | |
| - Camera passwords | |
| - MxCC Users passwords | |
| - network share passwords | |
| Tested in Version 2.5.4.5 | |
| Test case: | |
| ---------- | |
| *setup* | |
| Created config with 2 users | |
| one admin user and one regular user. | |
| admin user with password: supersecretpassword | |
| regular user with password: myownpassword | |
| the config was saved and found in the appdata directory of the user. | |
| extract of config file with user info: | |
| -------------------------------------- | |
| * start example * | |
| [UsersnGroups] | |
| Group\size=2 | |
| Group\1\GroupID=0 | |
| Group\1\Name=administrators | |
| Group\1\Comment= | |
| Group\1\User\size=1 | |
| Group\1\User\1\UserID=0 | |
| Group\1\User\1\Name=admin | |
| Group\1\User\1\FullName=admin | |
| Group\1\User\1\Comment= | |
| Group\1\User\1\Password="@ByteArray(c3VwZXJzZWNyZXRwYXNzd29yZA==)" | |
| Group\1\User\1\GroupID=0 | |
| Group\1\User\1\AutoLogOn=0 | |
| Group\2\GroupID=1 | |
| Group\2\Name=users | |
| Group\2\Comment= | |
| Group\2\User\size=1 | |
| Group\2\User\1\UserID=1 | |
| Group\2\User\1\Name=user | |
| Group\2\User\1\FullName= | |
| Group\2\User\1\Comment= | |
| Group\2\User\1\Password="@ByteArray(bXlvd25wYXNzd29yZA==)" | |
| Group\2\User\1\GroupID=1 | |
| Group\2\User\1\AutoLogOn=0 | |
| Obscure=true | |
| HighestUserID=1 | |
| HighestGroupID=1 | |
| * end of example * | |
| As we can see in the @ByteArray we can find a base64 data string. | |
| if we run this string in a base64 decoder we can recreate the passwords in plain text. | |
| This for all passwords in the file. | |
| This file is often backed up on a different location in order to recover a config when lost. | |
| This file is also present on the workstation in order to load the config. | |
| If this file is taken or accessed by an unauthorized person/process, this person or process can retrieve the passwords for | |
| - all users in MxCC | |
| - all camera login credentials | |
| - credentials for access to share location if used for remote storage. | |
| This could allow for practically any user with access to this workstation and access to the MxCC app to retrieve all used credentials. | |
| Which can result in. | |
| - Unauthorized access to Camera devices | |
| - Privilige escalation in the context of the application MxCC | |
| - Unauthorized access to recordings | |
| - Unauthorized acces to networkshares |