NorthwaveSecurity / passwordstate-decryptor

PowerShell script that decrypts password entries from a Passwordstate server.

Tool only works up to Version 8.9 - Build 8903 #1

Closed n00py closed 1 year ago

n00py commented 3 years ago

[Screenshot attached: "Screen Shot 2021-04-15 at 11 19 42 PM"]

Looks like they modified the crypto. Not a bug with your tool, just an FYI for anyone else trying to use it.

RobertDiep commented 3 years ago

Aye, thanks for figuring that out! I was wondering why it didn't work anymore during a recent engagement, but never got around to actually looking into why.

I'll update the README with your info.

n00py commented 3 years ago

Yeah. I spent the last few days trying to figure it out (to no success). It seems that the secrets are still in the same places, but the algorithm has changed somehow, and the password.exe binary is obfuscated.

RobertDiep commented 3 years ago

I'll leave this issue open for now until someone manages to reverse engineer the new algorithm or I find the time to dive into it.

n00py commented 3 years ago

Here's an easy way to do it, credit to unknown cyber criminals:

https://lordx64.medium.com/initial-analysis-of-passwordstate-supply-chain-attack-backdoor-code-aaff1df389e4

[Screenshot attached: "hax"]

Looks like they load the PasswordState .NET assembly already on disk and scoop out the AES_Decrypt method.
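
The approach described in the comment above, as an added PowerShell example written for this thread. It is not code from the passwordstate-decryptor project, from the linked blog post, or from any commenter. It loads a Passwordstate .NET assembly from disk and locates a method named AES_Decrypt by reflection without hard-coding the declaring type, because the type name is not given anywhere in this thread. The method's parameter list is likewise not documented here, so the script reports the signature it finds and only invokes the method if you supply arguments that match it. The assembly path is yours to pass in; no default location is assumed.

```powershell
# Added example (not from the project, the blog post or the commenters):
# find AES_Decrypt in a Passwordstate assembly by reflection.
param(
    [Parameter(Mandatory)] [string]$AssemblyPath,   # path to the assembly on the server; supplied by you
    [string]$MethodName = 'AES_Decrypt',
    [object[]]$Arguments                           # optional: arguments matching the reported signature
)

function Get-LoadableTypes {
    param([System.Reflection.Assembly]$Assembly)
    try { return $Assembly.GetTypes() }
    catch {
        # Types that reference assemblies missing from the load path fail to load;
        # ReflectionTypeLoadException still carries the ones that did succeed.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Reflection.ReflectionTypeLoadException])) { $ex = $ex.InnerException }
        if (-not $ex) { throw }
        return $ex.Types | Where-Object { $null -ne $_ }
    }
}

function Find-Method {
    param([System.Reflection.Assembly]$Assembly, [string]$Name)
    # Include non-public members: the decrypt helper need not be a public API.
    $flags = [System.Reflection.BindingFlags]'Public,NonPublic,Static,Instance,DeclaredOnly'
    foreach ($type in (Get-LoadableTypes $Assembly)) {
        foreach ($m in $type.GetMethods($flags)) {
            if ($m.Name -eq $Name) {
                [pscustomobject]@{
                    Type       = $type.FullName
                    IsStatic   = $m.IsStatic
                    Returns    = $m.ReturnType.Name
                    Parameters = ($m.GetParameters() | ForEach-Object { '{0} {1}' -f $_.ParameterType.Name, $_.Name }) -join ', '
                    MethodInfo = $m
                }
            }
        }
    }
}

function Invoke-FoundMethod {
    param([System.Reflection.MethodInfo]$Method, [object[]]$Arguments)
    # Static methods need no instance; for instance methods an object is created
    # with the default constructor (assumption: the declaring type has one).
    $target = if ($Method.IsStatic) { $null } else { [Activator]::CreateInstance($Method.DeclaringType) }
    return $Method.Invoke($target, $Arguments)
}

$asm   = [System.Reflection.Assembly]::LoadFile((Resolve-Path $AssemblyPath).Path)
$found = @(Find-Method -Assembly $asm -Name $MethodName)

if ($found.Count -eq 0) {
    # Consistent with the later comment in this thread: on obfuscated builds the
    # method is not present under its original name.
    Write-Warning "No method named '$MethodName' found in $($asm.FullName)."
    return
}

$found | Select-Object Type, IsStatic, Returns, Parameters | Format-Table -AutoSize

if ($Arguments) {
    # Only attempt a call when the caller supplied arguments for the reported signature.
    $m = $found[0].MethodInfo
    if ($m.GetParameters().Count -ne $Arguments.Count) {
        throw "$MethodName expects $($m.GetParameters().Count) argument(s), got $($Arguments.Count)."
    }
    Invoke-FoundMethod -Method $m -Arguments $Arguments
}
```

Run it from a PowerShell process whose bitness and .NET runtime match the assembly, otherwise `LoadFile` will fail before any type is inspected. Run it first without `-Arguments` to read the signature, then a second time with matching arguments. As raithedavion notes further down, this only helps on builds where the method survives under its name; on the obfuscated 9.x binaries the search comes back empty.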

raithedavion commented 2 years ago

I've been able to do it that way using the 8.9.9.5 executable, but after version 9, everything is obfuscated and you can't do that anymore. I haven't been able to de-obfuscate it, or find where the code is. dnSpy/ILSpy just show the methods returning null.

parzel commented 1 year ago

Hi all! We were able to make this tool work again, the encryption key is actually the same as before but will be reversed before usage now. We published it in an advisory about some other issues we encountered with Passwordstate: https://www.modzero.com/static/MZ-22-03_Passwordstate_Security_Disclosure_Report-v1.0.pdf
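
The change parzel describes, as an added PowerShell example written for this thread. It is not code from passwordstate-decryptor, from the modzero report, or from any commenter. The one fact it takes from the comment is that the same AES key material is used, but reversed byte-wise before decryption on newer versions. Everything else is constructed for the demo and should be read as an assumption: the key and IV are random, the mode is AES-CBC with PKCS7 padding, and the sample "entry" is a string encrypted locally. Where the real key material comes from, and which mode and IV handling Passwordstate uses, are not stated on this page.

```powershell
# Added example (not project or modzero code): try the legacy key orientation
# first, then the byte-reversed one, and report which decrypts the entry.
# Mode, padding, IV handling and the demo key are assumptions made for this demo.

function Invoke-AesCbc {
    param([byte[]]$Key, [byte[]]$IV, [byte[]]$Data, [switch]$Decrypt)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC     # assumed
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7  # assumed
        $aes.Key = $Key
        $aes.IV  = $IV
        $xf = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
        try { return ,$xf.TransformFinalBlock($Data, 0, $Data.Length) }  # leading comma keeps the byte[] intact
        finally { $xf.Dispose() }
    }
    finally { $aes.Dispose() }
}

# Reverse a copy of the key so the caller's array is left untouched.
function Get-ReversedKey {
    param([byte[]]$Key)
    $copy = [byte[]]::new($Key.Length)
    [Array]::Copy($Key, $copy, $Key.Length)
    [Array]::Reverse($copy)
    return ,$copy
}

# Legacy (<= 8.9) orientation first, then the reversed (9.x) orientation.
# A wrong key almost always surfaces as a padding failure (CryptographicException)
# or as bytes that are not valid UTF-8; either one means "try the other orientation".
function Unprotect-Entry {
    param([byte[]]$Key, [byte[]]$IV, [byte[]]$Ciphertext)
    $strictUtf8 = [System.Text.UTF8Encoding]::new($false, $true)   # throws on invalid byte sequences
    $variants = @(
        @{ Name = 'legacy (key as stored)'; Key = $Key },
        @{ Name = 'v9 (key reversed)';     Key = (Get-ReversedKey $Key) }
    )
    foreach ($v in $variants) {
        try {
            $plain = Invoke-AesCbc -Key $v.Key -IV $IV -Data $Ciphertext -Decrypt
            return [pscustomobject]@{ Variant = $v.Name; Plaintext = $strictUtf8.GetString($plain) }
        }
        catch [System.Security.Cryptography.CryptographicException], [System.Text.DecoderFallbackException] {
            # This orientation is not the one in use; fall through to the next.
        }
    }
    throw 'Neither key orientation produced a valid plaintext.'
}

# --- constructed demo: a 9.x-style record, i.e. encrypted under the REVERSED key ---
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$key = [byte[]]::new(32); $rng.GetBytes($key)   # arbitrary 256-bit demo key, not real key material
$iv  = [byte[]]::new(16); $rng.GetBytes($iv)
$entry = [System.Text.Encoding]::UTF8.GetBytes('svc-backup:example-password')   # constructed sample

$ciphertext = Invoke-AesCbc -Key (Get-ReversedKey $key) -IV $iv -Data $entry

# The decryptor is handed the key as stored; it should report the 'v9 (key reversed)' variant.
Unprotect-Entry -Key $key -IV $iv -Ciphertext $ciphertext | Format-List
```

Two caveats worth keeping in mind if this pattern is folded into a real tool. First, CBC padding is a weak oracle: roughly one wrong key in 256 yields valid PKCS7 padding by chance, which is why the example also insists on strict UTF-8 decoding rather than trusting the padding check alone. Second, the demo encrypts with the reversed key only to simulate a newer record; against a real database you would feed the stored key bytes in and let the two attempts tell you which version's convention the instance follows.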

raithedavion commented 1 year ago

I can confirm Parzel's comment. Just made the changes locally and voilà. To think all they did was reverse the stupid encryption key v_v;

RobertDiep commented 1 year ago

Great work @parzel! Feel free to submit a PR if you want to include this in the script. If not, I'll see when I have some time to incorporate it. In the meantime I will add a note to the README for newer versions.

parzel commented 1 year ago

Thanks @RobertDiep. I have created a PR, would be great if someone could verify it is working correctly as I do not have access to an installed instance right now. Feel free to change it if you think there is an easier way to integrate the change.

RobertDiep commented 1 year ago

resolved in 9a0dfbf39873e20156dfb5c60db6ecfce52e53a5 with many thanks to the people at modzero (and specifically @parzel)!