
| Subject: | [Hat-Squad] GFI L.N.S.S 5.0 Insecure Credential Storage |
|---|---|
| Date: | 28 Feb 2005 13:37:05 -0000 |
February 28, 2005

Hat-Squad Advisory: GFI L.N.S.S 5.0 - Insecure Credential Storage

Product: GFI LANguard Network Security Scanner
Vendor URL: http://gfi.com/
Version: 5.0
Vulnerability: Insecure Credential Storage
Release Date: February 28, 2005
Vendor Status: Informed on 22 February 2005
Response: 22 February 2005
Released: 28 February 2005

Overview:
GFI L.N.S.S is a vulnerability scanner that helps administrators identify security holes in their networked systems. The product also has a built-in patch management solution to deploy missing patches on the vulnerable systems it detects. To deploy patches remotely, the user must provide credentials that let L.N.S.S authenticate to the remote system and install the patches; administrative privileges are needed to install patches on remote systems. Because L.N.S.S is usually used in domain environments, the account prepared for it is usually a member of the "Domain Admins" group or a similarly high-privileged group with complete control over all members of the domain.

The product offers two options for privileged scanning and deployment: "currently logged-on user" and "Alternative Credentials". Helpfully, to save typing, GFI saves the entered password for you in "Alternative Credentials" mode. L.N.S.S also has an option to save scan reports to an MS-SQL server; here again you must provide an account on the MS-SQL server for the application.

A weakness was discovered in this product that makes it possible to dump the saved credentials INSTANTLY, without any offline attack to recover them. The saved credentials in this case are a domain username and password.

Problem:
Each time the L.N.S.S process (lnss.exe) is loaded to run a scan or deployment job using saved credentials, the saved username and password can be read instantly from the memory space of the process, because L.N.S.S loads them into memory as clear-text strings.

With a simple, short piece of code it is possible to dump both the MS-SQL and the domain username/password from the local system. Note that reading the memory space of the lnss process requires sufficient privileges (usually local admin). Although this limits the attack vector, it does not reduce the risk level of this weakness, because the attacker obtains the password of a domain-admin level account in CLEAR TEXT from a locally privileged account. This could be done by malicious code, or by exploiting another remote vulnerability in the system.

Exploit:
Use your own memory-dump code or any available tool to dump the memory space of the process. The "Process Memory Dumper" code provided by KD-TEAM (http://www.kd-team.com/tools/MemPDump.kd_team.rar) can easily be customised for this purpose. Greets to DiabloHorn ;)

Vendor Response:
The vendor has been notified of this weakness and has confirmed it, but as of this writing has not provided a patch or workaround.

Workaround:
GFI should fix their code as soon as possible and use encryption. Until then:
* Do NOT run the LNSS process under low-privileged accounts (GFI's default is to run as SYSTEM; keep it).
* Do NOT save your password (at least the domain account used for scanning) in the application.
* Try NOT to use "Alternative Credentials" mode while using LNSS.

Credits:
This vulnerability was discovered by Seyed Hamid Kashfi (hamid@hat-squad.com).
The original advisory can be found at: http://www.hat-squad.com/en/000160.html
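The advisory points out that the only gate between a local administrator and the scanner's domain-admin password is the ability to open lnss.exe for memory reading. A defender can therefore watch for exactly that: another process opening the scanner process with PROCESS_VM_READ. The script below is an added example and is not part of the Hat-Squad advisory or of GFI's product. It assumes Sysmon-style ProcessAccess telemetry (Event ID 10, with SourceImage, TargetImage and GrantedAccess fields), tooling that postdates the 2005 advisory, flattened here into a constructed key=value line format; the sample events, the scanner install path and the allow-listed agent path are all constructed placeholders.

```python
import re
from dataclasses import dataclass

# Win32 PROCESS_* access-right bits as they appear in the GrantedAccess mask.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010

# The process that holds the saved credentials in clear text (from the advisory).
TARGET_BASENAME = "lnss.exe"

# Sources that legitimately read the scanner's memory (e.g. an endpoint agent).
# Placeholder path, assumed for the example; keep this list short and full-path.
ALLOWED_SOURCES = {r"c:\program files\example-edr\agent.exe"}

# Constructed sample telemetry in a simplified Sysmon Event ID 10 layout.
SAMPLE_EVENTS = r"""
EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Program Files\GFI\LANguard\lnss.exe GrantedAccess=0x1400
EventID=10 SourceImage=C:\Program Files\Example-EDR\agent.exe TargetImage=C:\Program Files\GFI\LANguard\lnss.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Temp\unknown_tool.exe TargetImage=C:\Program Files\GFI\LANguard\lnss.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Users\bob\dumper.exe TargetImage=C:\Program Files\GFI\LANguard\lnss.exe GrantedAccess=0x1FFFFF
EventID=1 Image=C:\Program Files\GFI\LANguard\lnss.exe CommandLine=lnss.exe /scan
"""

# Matches key=value pairs whose values may contain spaces (Windows paths);
# a value ends where the next " Key=" begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    source: str
    target: str
    granted: int
    rights: str


def parse_event(line: str) -> dict:
    """Turn one key=value telemetry line into a dict of fields."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line.strip())}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def describe_access(granted: int) -> str:
    """Expand a GrantedAccess mask into the named PROCESS_* rights it contains."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if granted & bit]
    return "|".join(names) if names else "NONE"


def detect_memory_reads(text: str) -> list:
    """Flag ProcessAccess events where a non-allow-listed process opens the
    scanner process with PROCESS_VM_READ, the right needed to dump its memory."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue  # only ProcessAccess events matter here
        target = ev.get("TargetImage", "")
        if basename(target) != TARGET_BASENAME:
            continue  # some other process was opened
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if not granted & PROCESS_VM_READ:
            continue  # e.g. query-only handles used by Task Manager style tools
        source = ev.get("SourceImage", "")
        if source.lower() in ALLOWED_SOURCES:
            continue  # known-good agent
        findings.append(Finding(source, target, granted, describe_access(granted)))
    return findings


if __name__ == "__main__":
    for f in detect_memory_reads(SAMPLE_EVENTS):
        print(f"ALERT: {f.source} opened {f.target} with {f.rights} (0x{f.granted:X})")
```

The check keys on the access mask rather than on any particular dumping tool, so a custom dumper such as the one the advisory mentions is caught the same way as a renamed off-the-shelf one; the trade-off is that every legitimate reader of the scanner's memory has to be enumerated in the allow-list by full path.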