hammad93 / time_crypt

A cryptographic function that enables decryption based on units of time or a deadline.
Creative Commons Zero v1.0 Universal

Memory dump exploit #12

Open hammad93 opened 6 months ago

hammad93 commented 6 months ago

With root access to the compute instance, I was able to do a memory dump and found the PGP private key in plain text.

hammad93 commented 6 months ago

I was able to unlock the passcode contained in the key using the PGP private key from the memory dump. This is a critical exploit that needs to be patched.

All Python variables can be exploited from a memory dump.

hammad93 commented 6 months ago

It doesn't necessarily require root access, just the ability to dump the memory from the process running time_crypt.

It's likely that much other software is vulnerable to this exploit.

hammad93 commented 6 months ago

I used gdb to dump the memory from the service defined in the repository.

Then I used strings to see if PRIVATE_KEY was in plaintext, and it was.

Then I found the key in plaintext using vim.

After that, I used the cryptography logic in the code and used the password defined in the keys.json

I plugged the message into the logic and it gave me the 8-digit passcode that was meant to be secret until February 23rd, but I was able to hack it today.

The 8-digit passcode worked in the safe I was using for real-world testing.

hammad93 commented 6 months ago

https://medium.com/@liad_levy/reverse-pyarmor-obfuscated-python-script-using-memory-dump-technique-9823b856be7a

hammad93 commented 3 months ago

There's a module in Python's cryptography library called Fernet https://cryptography.io/en/latest/fernet/

It is also susceptible to this attack.

hammad93 commented 3 months ago

https://medium.com/@liad_levy/reverse-pyarmor-obfuscated-python-script-using-memory-dump-technique-9823b856be7a

Ultimately, this wouldn't fix the exploit
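Two process-side mitigations for the issue described in this thread, as an added example that is not part of time_crypt's code: clearing the Linux "dumpable" flag so that an unprivileged user (even the same uid) is refused gdb attach and /proc/<pid>/mem reads, and holding key material in a bytearray that is zeroed in place as soon as it has been used. It assumes Linux for prctl(); the key bytes, the passcode and the XOR stand-in for the real derivation are constructed placeholders, and neither measure stops root or CAP_SYS_PTRACE.

```python
# Added example, not time_crypt's own code. Assumes Linux (prctl via libc).
import ctypes
import sys

PR_GET_DUMPABLE = 3  # prctl(2) option numbers from <sys/prctl.h>
PR_SET_DUMPABLE = 4


def make_non_dumpable() -> bool:
    """Clear the 'dumpable' flag: no core file is written and ptrace attach
    or /proc/<pid>/mem access requires CAP_SYS_PTRACE, not just the same uid.
    Returns True when the flag is confirmed cleared, False if unsupported."""
    if not sys.platform.startswith("linux"):
        return False
    libc = ctypes.CDLL(None, use_errno=True)  # main program exports libc symbols
    if libc.prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0:
        return False
    return libc.prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0


def derive_then_zeroize(key_material: bytearray, message: bytes) -> bytes:
    """Use the key only inside this function and overwrite its buffer before
    returning, so the plaintext key does not linger in the heap for a later
    dump. The XOR is a constructed stand-in for the real derivation. Note a
    str or bytes object is immutable and cannot be scrubbed this way."""
    try:
        return bytes(m ^ key_material[i % len(key_material)]
                     for i, m in enumerate(message))
    finally:
        # Same-length slice assignment reuses the existing buffer and zeroes it.
        key_material[:] = bytes(len(key_material))


def key_buffer_contents(key_material: bytearray) -> bytes:
    """Read the bytearray's backing buffer directly, i.e. what a dump sees."""
    view = (ctypes.c_char * len(key_material)).from_buffer(key_material)
    return ctypes.string_at(ctypes.addressof(view), len(key_material))


if __name__ == "__main__":
    key = bytearray(b"sample-private-key-material")  # constructed placeholder
    passcode = derive_then_zeroize(key, b"12345678")  # constructed passcode
    print("dumpable flag cleared:", make_non_dumpable())
    print("key buffer after use:", key_buffer_contents(key))
```

Call make_non_dumpable() before the key is ever loaded, and treat zeroization as best effort: Python may have copied the material elsewhere (logging, slicing, interning) before it was scrubbed.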