
Tue, 9 Mar 2010

Decrypting Symantec BackupExec passwords

The BackupExec agent is a common service found on internal pen tests. The agent software stores an encrypted "logon account" password in its backend MS SQL database (LoginAccounts table). These accounts include the "system logon account", which is used to run the agent services, and an optional number of Active Directory accounts that are used to access resources over the network. The following scenarios can result in access to the encrypted passwords:

1- Backend MS SQL database compromise (database name is BEDB by default)

2- Access to the BackupExec installation directory: BackupExec runs a daily MS SQL backup job on the BEDB database, and the resulting backup file is stored as data/bedb.bak under the BackupExec installation directory. The backup file containing the encrypted passwords can be restored on another system.

Encrypted passwords are 512 bytes long and the agent software decrypts them using the bemsdk.dll file. The following C code can be used to quickly decrypt the ciphertexts:

BackupExec decryptor

The above code has been tested with BackupExec 10.0.5484 (SP5) and should work with other versions of BackupExec (source code for the above program; you'll need a copy of the .dll).

Fri, 23 Jan 2009

QoW: Software Reversing and Exploitation

I've developed an FTP-like multi-threaded server application as a target for this challenge of the month. It has been coded in C and compiled with VC++ 2008. This is a three-step challenge:

Step 1- Find the correct "passphrase" format to log on to the server and get the "Access Granted" message. (You may use a debugger like OllyDbg to do live RE for this step.)

Step 2- Do vulnerability research on the server software. There is at least one exploitable bug but there could be more bugs or error conditions. Try to spot a memory corruption bug and write a denial of service exploit for it.

Step 3- Convert your DoS exploit to a code execution exploit to get a connect-back shell.

If you have questions on the challenge, post them here (or to behrang AT sensepost.com)

[you should be able to run the server on just about anything - bug will be exploitable even under XP-SP*]

/behrang

Mon, 29 Dec 2008

Don't look now, but it seems they broke the Interwebs again..

Those pesky hackers!

Alex Sotirov (of heap feng shui fame, famous for breaking everything from Vista to web browsers to Facebook) and Jacob Appelbaum (of cold-boot attack fame, and more importantly of "knuth is my homeboy" fame) will be talking in a few hours at the 25c3 conference in Germany, and by all accounts it's going to be an "Internet Breaker".

There is a fair bit of speculation on the nature of the bug (though most people seem confident that it's routing protocol related), and HD Moore has blogged that the pair have sought legal advice pre-publishing.

If I had to, I would take a guess at BGP too, mainly because the talk is labeled "Making the theoretical possible", which was a tagline used by the l0pht back when they were talking about shutting down the internet with BGP-related attacks.

The only problem I have with all this is that it reveals confusion over how we measure "the year" when we award Pwnies.. if the talk happens on (just about) the last day of 2008.. does it count for Pwnies 09??

/mh

Thu, 11 Sep 2008

Let's hope it does better than netsec.reddit..

Introducing [http://www.reddit.com/r/ReverseEngineering/]

(as its name suggests, a reddit that's all about code RE..)

Thu, 28 Aug 2008

Adobe APSB08-15 Patch Reversing

APSB08-15 is the latest Adobe security advisory, regarding a memory corruption vulnerability in Acrobat Reader versions <8.1.2.

As expected, the advisory does not include technical details about the attack vector, so let's try to reverse the related Adobe patch to find out more about this vulnerability. I'm going to use IDA 5.2 with the patchdiff2 plugin (thanks to Kris for the hint on this plug-in).

The patch is released as an MSI file. I used Greg Duncan's Less MSIèrables tool to examine the contents of this patch:

Adobe has only updated the annots.api plugin file, so I just need to build the IDA database files for the old and updated annots.api files and patchdiff them. Eight matched functions in the results:

By getting the Xrefs of the first matched function and backtracing it, we get into the VTABLE setup routine for a method named "collectEmailInfo" of the "Collab" object. There was nothing in the Adobe JavaScript guide for this method, so by googling and reading the function code I arrived at the syntax below:

doc.Collab.collectEmailInfo({to:"to addr",cc:"cc",bcc:"bcc",subj:"subject",msg:"msg body",...});

The msg parameter seems to be a good candidate for an overflow. Let's make a PDF file with the JavaScript below embedded in it and test it:

Collab.collectEmailInfo({msg:"aaaaaa.....aaaaa"});    (32K of aaa in my case)

and here is the result:

The location of the access violation differed between machines, OS versions and process states, so the chance of successful exploitation via heap spray is low.

/behrang
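From a defender's side, the useful output of the patch diff above is a concrete signature: a PDF whose JavaScript calls Collab.collectEmailInfo with an oversized literal msg argument. The following Python is an added triage example, not code from the original post: it pulls JavaScript out of inline `/JS (...)` string objects (handling escaped and nested parentheses, which PDF string syntax allows), looks for collectEmailInfo calls, and reports any msg string literal longer than an assumed threshold. The threshold (4096) and the sample documents built by build_sample are constructed for the example; the post itself used 32K of "a".

```python
import re

# Assumed threshold for "oversized"; the post triggered the AV with 32K of "a".
MSG_LIMIT = 4096


def extract_js_literals(pdf_bytes: bytes):
    """Return the contents of every inline `/JS (...)` string object.

    PDF strings may contain backslash-escaped and balanced nested parentheses,
    so a plain regex is not enough. Indirect `/JS n 0 R` stream references are
    not followed; that is a deliberate simplification of this example.
    """
    found = []
    for m in re.finditer(rb"/JS\s*\(", pdf_bytes):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(pdf_bytes):
            c = pdf_bytes[i:i + 1]
            if c == b"\\" and i + 1 < len(pdf_bytes):   # escaped char
                buf += pdf_bytes[i + 1:i + 2]
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    break
            buf += c
            i += 1
        found.append(bytes(buf).decode("latin-1"))
    return found


# A collectEmailInfo({...}) call and a string literal bound to its msg key.
CALL_RE = re.compile(r"collectEmailInfo\s*\(\s*\{(.*?)\}\s*\)", re.S)
MSG_RE = re.compile(r"\bmsg\s*:\s*(\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*')", re.S)


def oversized_collect_email_info(js: str, limit: int = MSG_LIMIT):
    """Length of the longest literal msg argument above `limit`, or None."""
    worst = None
    for call in CALL_RE.finditer(js):
        for lit in MSG_RE.finditer(call.group(1)):
            n = len(lit.group(1)) - 2          # strip the surrounding quotes
            if n > limit and (worst is None or n > worst):
                worst = n
    return worst


def uses_collect_email_info(js: str) -> bool:
    """Stricter policy: flag any use of the method at all."""
    return "collectEmailInfo" in js


def scan_pdf(pdf_bytes: bytes, limit: int = MSG_LIMIT):
    """Return the oversized msg lengths found in each inline JS object."""
    hits = []
    for js in extract_js_literals(pdf_bytes):
        n = oversized_collect_email_info(js, limit)
        if n is not None:
            hits.append(n)
    return hits


def build_sample(msg_len: int) -> bytes:
    """Constructed minimal PDF-like document with an OpenAction JavaScript."""
    js = 'Collab.collectEmailInfo({msg:"%s"});' % ("a" * msg_len)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS (" + js.encode("latin-1") +
            b") >> endobj\n%%EOF\n")


if __name__ == "__main__":
    for length in (20, 32768):
        print(length, "->", scan_pdf(build_sample(length)))
```

The literal-length check only catches the naive form shown in the post; a sample that builds the string at runtime (loops, concatenation, repeat) will not trip it, which is why uses_collect_email_info is provided as the stricter rule for documents from untrusted sources. A production scanner would also decompress and inspect `/JS` streams and name-tree scripts rather than only inline strings.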