FooBar: Untangling the DB Role Password

Security by Obscurity Series

December 16, 2019 by Matt in /Programming with No Comments

My day-to-day work forces me to work with one of those "enterprise" applications for Windows -- we'll call it FooBar from here on out -- that leaves you feeling like you've had an ice pick driven into the more intelligent areas of your brain. Since I'm often out and about I'd prefer to have a copy of certain records with me to refer to in the field; I don't need everything with me to do my job, but being able to cart around the history of a specific location would be very helpful. FooBar isn't accessible in the field without going through an authentication process that involves a goat and a few uncouth contortions so I have little desire to try using it as designed unless seated firmly before my desk.

FooBar defines the connections to databases in an XML file stored on the desktop computer and we "login" to the application using our Microsoft domain username and password (this happens to be the same as our desktop login). Having obtained the database server and connection name from the XML file I proceeded to login to the database and have a look-see.

It turns out that there isn't much to peruse as FooBar uses a second form of authentication for access through what is known as an Application Role. The password for this particular role is helpfully recorded in another XML file however it is stored as a Base64 encoded string which, when decoded to UTF-8, returns a set of the most unholy characters you've ever laid your eyes on: the decoded string is encrypted.

Taking a peek at the DLL files that make up FooBar, I noticed that the program database files were distributed with the libraries. Guessing that FooBar might have been written in .NET, I fired up ILSpy, a .NET decompiler and began sifting through the more likely DLLs. Fortunately the authors were kind enough to give their files readable names so it didn't take long to hone in on the correct files; as luck would have it, the decompiled code responsible for parsing the role XML file referred to an encryption helper routine that identified the algorithm (AES), encryption key and initialization vector.

From this it took me all of the following five lines of Tcl to decrypt and return the password (the actual password, key and IV have been changed, of course, and the example below won't work as the key and IV sizes are incompatible with the AES algorithm).

package require aes
set _password "cGFzc3dvcmQ="
set _key {1 2 3 4 5}
set _iv {6 7 8 9 10}
puts [aes::aes -mode cbc -dir decrypt -key [binary format c* ] -iv [binary format c* ] [binary decode base64 ]]

This fun little exercise served as a good reminder as to why it's a bad idea to encode encryption keys in application code. It doesn't provide any greater security to local applications and in most cases, is a poor second cousin to properly designed authenticaton channels.

Reverse Engineering Dell iDRAC 7/8

February 18, 2019 by Matt in /Firmware with No Comments

I came across this project on Github that contains source code for achieving undetectable root + loading of arbitrary code on Dell IDRAC7 & IDRAC8 IPMI/BMC server hardware. Although this doesn't work with previous versions of iDRAC that I've written about (v6), the techniques used to adjust the firmware images are applicable.

This work got plenty of attention: ServeTheHome, The Register and AnandTech all wrote about this BMC vulnerability. Dell's own publication of CVE-2018-15774 and CVE-2018-15776 addresses the affected iDRAC releases and specifically mentions that iDRAC systems should not be publicly available.


I won't comment further on this issue since it's already covered well enough in the above links. Just thought I'd mention it here briefly in case someone was looking for ways to take control over their own iDRAC systems.

The Web We Lost

February 17, 2019 by Matt in /Reflections with No Comments

For some time now I've been thinking about the The Web We Lost. I'm certainly not the first person to be commenting on this epoch: Anil Dash has some very cogent points on the matter as have others. The lost web doesn't only refer to the infrastructure or systems that enabled "open computing" (the idea that anyone could exercise the power of content creation or effect control over their own systems and data), but also the missing building blocks that should have been but weren't.

Instead of walled off corporate gardens like Facebook, Google, Twitter or any of the other behemoths that offer little but take much, wikis are probably some of the best examples of how the Internet should have been. Technologies like Gopher, though not entirely dead, were left in the dust in our pursuit of flash, convenience and the almighty dollar. Somewhere along the way we lost the ability to exert our will over the technology we use and sadly, our lack of interest and attention have resulted people using Facebook as a news source of all things. Read this interview with Noam Chomsky if you want to understand just how influential a "news source" can be.

The blame for the current state of the web can perhaps be laid at the feet of high school educators. I know this sounds absurd at first, so you'll have to bear with me for a minute while I explain. The high school years are crucial for young people who are beginning to develop a "world view" that moves beyond being merely passive actors on the global stage. With electronic technology the ever pervasive medium for facilitating communication, forming communities and consuming news, it is more important than ever that young people be taught how to navigate such technology and understand the consequences involved. How much more difficult would it be for tyrants, governments and CEOs to effect their plans if citizens were more enlightened and aware of how technology can be used against them, and how they can empower change by being in control of their technology. Sadly, few courses are available for young people during these formative years and even fewer are the educators who really understand what is at stake.

All is not lost, though. The first steps to asserting your control over the web can be taken by learning how to self-publish.

How does one self-publish?

You can send email. For anything more complicated than "please pick up some eggs", it's still the best way to communicate one-on-one or one-to-many.

You can create free, fast web pages through A txti page uses Markdown to format the page. It's not difficult to use.

You can start a wiki with some free software like TiddlyWiki or WikidPad.

You can start a blog with or any of the other free blogging platforms.

The next steps might be Beyond the Web.

Reverse Engineering Dell iDRAC6 Express: Fan Control

Part II: The Silence of the Fans

November 05, 2017 by Matt in /Firmware with 5 Comments

As previously mentioned, the Dell PowerEdge T710's stock Pulse Width Modulated (PWM) fans are controlled by the iDRAC6 & BMC firmware data files. I haven't had time to properly address these components but luckily there is another quick method that we can use to silence the stock fans. Later on I also tried swapping out the stock fans (YouTube video) with much quieter Arctic F9 PWM models but this introduced other problems.

Read More

Reverse Engineering Dell iDRAC6 Express: Fan Control

Part I: Accessing the Root User

November 02, 2017 by Matt in /Firmware with 2 Comments

I have an aging Dell T710 that I bought a number of years ago. I use it to offload long running processes, handle file sharing, shared services, jails and so on. It's been running FreeBSD for a couple of years since I moved away from Linux.

Like most server-class hardware this tower is particularly loud. Dell shipped it with pulse width modulated fans that are anything but quiet and thanks to the iDRAC6 Express software that runs on a WPCM450 integrated baseboard management controller (BMC) the fan control & throttling makes it sound like a jet is taking off. That's fine if you have somewhere to put it but we've moved to a small apartment and it has to sit in our office. As we're fans of hearing ourselves think (pun intended) I needed some way to wrestle control away from the default iDRAC firmware.

The WPCM450 runs a version of Busybox Linux on an ARM processor. As you would expect, Dell has heavily customized this software and provides access to it via a web interface, Telnet, SSH, RAC, IPMI or Serial interface to RAC/IPMI. None of these options offer the controls we're looking for and the SSH/Telnet options are locked down to the iDRAC SM-CLP command line interface. In short, Dell has turned an otherwise very useful out-of-band management tool into a glorified toaster oven.

Previous versions of the Dell BMC have been reverse engineered by others however the Dell T710 is an 11th generation server so sadly we can't use those methods.

Read More