Advisory ID: SYSS-2015-025
Product: Netop Remote Control
Vendor: Netop
Affected Version(s): 11.52, 12.11
Tested Version(s): 11.52, 12.11
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
                    Insufficiently Protected Credentials (CWE-522)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-06-19
Solution Date: 2016-08-23
Public Disclosure: 2015-08-24 (initial security advisory)
                   2016-11-28 (updated security advisory)
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Netop Remote Control is a widely-used remote support software with many
features.

The vendor Netop describes the product as follows (see [1]):

"Netop Remote Control is the most secure, trusted and scalable remote
support software solution on the market today. We've been helping
customers grow their enterprises with secure remote control and support
for workstations, servers, embedded systems and mobile devices for 30
years. Our flexible options provide secure remote access in even the
most complex enterprise environments."

Due to security issues in the credentials management, an attacker with
access to Netop Remote Control configuration files can decrypt and
extract configured password information (raw MD5 hashes) and perform
efficient password guessing attacks in order to recover the
corresponding cleartext passwords, for example with the use of rainbow
tables (time-memory trade-off).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Netop Remote Control stores configuration data in encrypted
configuration files with the file extension .ndb.

The content of these files is encrypted with a hard-coded cryptographic
key (XOR key) that is contained within the executable file NHSTW32.EXE.

In the default configuration, administrative privileges are required in
order to read these configuration files, which are usually stored in an
application-specific folder within the Windows ProgramData folder, for
example in the following location:

* %PROGRAMDATA%\Danware Data\C\Program Files (x86)\Netop\Netop Remote Control\Host

Netop Remote Control password information, i.e. the configured
maintenance and access password, is stored in the configuration file
nhstconf.ndb as raw MD5 password hashes.

Furthermore, Netop Remote Control only supports upper-case passwords
with a maximum length of 16 characters (actually all passwords are
padded with spaces [0x20] to the maximum password length of 16
characters), which reduces the search space for password guessing
attacks significantly.

Thus, an attacker with access to Netop Remote Control configuration
files like nhstconf.ndb can easily decrypt their contents and perform
password guessing attacks against the extracted MD5 password hashes.

Due to the use of the weak cryptographic hash algorithm MD5 without many
iterations and a salt, it is possible for an attacker to precompute
password candidates and thus to perform more efficient dictionary
attacks with the use of rainbow tables (time-memory trade-off).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH developed a proof-of-concept software tool for decrypting and
extracting password information from the Netop Remote Control
configuration file nhstconf.ndb.

The following example output shows a successful extraction of the two
MD5 password hashes for the maintenance and access password:

$ ./netopcfgdecrypt.py nhstconf.ndb
[SySS ASCII-art banner: "... decrypts your configs!"]
Netop Config Decryptor v1.1 by Matthias Deeg - SySS GmbH (c) 2013-2015
[*] Decrypt Netop config file
[*] Decrypted config file saved to 'nhstconf.ndb.dec'
[*] MD5 password hash #1 (maintenance password): a9473ded85aa51851deb4859cdd53f98
[*] MD5 password hash #2 (access password)     : de7124255c6cb70591492236b5b6f04d

In this example, the maintenance password (first MD5 hash) is the empty
password, as the following output shows:

$ echo -n "                " | md5sum
a9473ded85aa51851deb4859cdd53f98  -

The access password (second MD5 hash) is "S3CRET!", as the following
output illustrates:

$ echo -n "S3CRET!         " | md5sum
de7124255c6cb70591492236b5b6f04d  -

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The reported security issue has been fixed in a newer software version
12.50.

For further information please see [4].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-19: Vulnerability reported to vendor
2015-06-26: Reported vulnerability again as the vendor did not reply to
            the first e-mail with the SySS security advisory
2015-08-24: Public release of security advisory according to the SySS
            Responsible Disclosure Policy
2016-07-25: Vendor notifies SySS that the reported security issue will
            be fixed in a new software release
2016-07-26: Asked manufacturer for further information about security
            fix
2016-11-10: Received further information concerning security fix
2016-11-28: Public release of updated security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Netop Remote Control Web site
    http://www.netop.com/remote-support.htm
[2] SySS Security Advisory SYSS-2015-025
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-025.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] Netop Release History with security fixes
    http://www.netop.com/remote-support/resources/release-history.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of the SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
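
Added example (not part of the SySS advisory or its PoC tool): the password storage scheme described under "Vulnerability Details", used as a defender's check over hashes that were already extracted from nhstconf.ndb, next to a salted and iterated replacement. The function names, host names and PBKDF2 parameters are assumptions; the two hash values are the ones printed in the PoC output.

```python
import hashlib
import hmac
import os

PAD_LEN = 16           # maximum password length stated in the advisory
ITERATIONS = 200_000   # assumed work factor for the replacement scheme


def legacy_hash(password):
    """Scheme the advisory describes: upper-case, pad with 0x20 to 16, one raw MD5."""
    padded = password.upper()[:PAD_LEN].ljust(PAD_LEN, " ")
    return hashlib.md5(padded.encode("ascii")).hexdigest()


def audit(stored):
    """Flag empty passwords and identical hashes (no salt, so reuse is visible)."""
    empty = legacy_hash("")
    findings = {"empty": [], "shared": []}
    seen = {}
    for name, digest in sorted(stored.items()):
        if digest == empty:
            findings["empty"].append(name)
        if digest in seen:
            findings["shared"].append((seen[digest], name))
        seen.setdefault(digest, name)
    return findings


def salted_hash(password, salt=None):
    """Replacement storage: random per-record salt and many PBKDF2 iterations."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password, salt, key):
    # Constant-time comparison of the recomputed key with the stored one.
    return hmac.compare_digest(salted_hash(password, salt)[1], key)


# Hash values from the PoC output above; the host names are constructed.
SAMPLE = {
    "hostA/maintenance": "a9473ded85aa51851deb4859cdd53f98",
    "hostA/access": "de7124255c6cb70591492236b5b6f04d",
    "hostB/access": "de7124255c6cb70591492236b5b6f04d",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

With the legacy scheme the same password always yields the same 32-character value on every host, which is what makes precomputed tables applicable; the salted variant produces a different key for each record.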