Hardcoded encryption keys in sysadmin tools
_RVToolsPWD is a clearly reversible password blob: PBKDF2 run over the fixed strings "robware" and "Ivan Medvedev"
If you see this _RVToolsPWD preamble in a string, and the rest of it also looks like Base64, it's probably this.
To no one's surprise, its encryption is pretty silly: it uses a hardcoded password and a hardcoded salt, so the derived AES key and IV are the same constants in every copy of the tool. Further, to no one's surprise, the account whose credentials get 'encrypted' probably has more rights than it needs, so if one were to find this tool in the wild, decrypting the credentials would probably hand you crazy rights on your target's VMware clusters.
The relevant code is below:
```csharp
// RVToolsPasswordEncryption.FMain (decompiled; the class wrapper below is reconstructed from that comment)
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;

namespace RVToolsPasswordEncryption
{
    public partial class FMain : Form
    {
        private void buttonEncrypt_Click(object sender, EventArgs e)
        {
            if (txtPassword.TextLength != 0)
            {
                // Hardcoded PBKDF2 password, identical in every installation.
                string password = "robware";
                // The user's password as UTF-16LE bytes.
                byte[] bytes = Encoding.Unicode.GetBytes(txtPassword.Text);
                using (Aes aes = Aes.Create())
                {
                    // Hardcoded salt: these 13 bytes are the ASCII string "Ivan Medvedev".
                    Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, new byte[13]
                    {
                        73, 118, 97, 110, 32, 77, 101, 100, 118, 101, 100, 101, 118
                    });
                    // Key and IV both come from the same fixed derivation, so they are
                    // the same constants on every machine and for every stored password.
                    aes.Key = rfc2898DeriveBytes.GetBytes(32);
                    aes.IV = rfc2898DeriveBytes.GetBytes(16);
                    using (MemoryStream memoryStream = new MemoryStream())
                    {
                        using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateEncryptor(), CryptoStreamMode.Write))
                        {
                            cryptoStream.Write(bytes, 0, bytes.Length);
                            cryptoStream.Close();
                        }
                        // Stored format: the "_RVToolsPWD" marker followed by the Base64 ciphertext.
                        txtEncryptedPassword.Text = "_RVToolsPWD" + Convert.ToBase64String(memoryStream.ToArray());
                    }
                }
            }
        }
    }
}
```
Also, the salt bytes decode to the ASCII string "Ivan Medvedev", which makes one wonder if the code was just copy-pasted off a GitHub gist somewhere. It probably isn't the actual https://www.linkedin.com/in/ivanmed
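As an added defender-side example (my code, not from the post or from RVTools), here is a small Python scanner for the _RVToolsPWD preamble described above. Since Aes.Create() defaults to CBC with PKCS7 padding, the blob after the marker must decode to a whole number of 16-byte blocks; the scanner uses that to separate real stored credentials from stray text. The config lines are constructed for the demo.

```python
from __future__ import annotations
import base64
import re

# Marker the tool prepends to its Base64 blob (taken from the decompiled code above).
RVTOOLS_PREFIX = "_RVToolsPWD"
AES_BLOCK = 16  # CBC + PKCS7 output is always one or more whole 16-byte blocks

# A Base64 run glued directly to the marker; trailing '=' padding is optional.
_BLOB_RE = re.compile(re.escape(RVTOOLS_PREFIX) + r"([A-Za-z0-9+/]+={0,2})")


def looks_like_rvtools_blob(b64: str) -> bool:
    """True if the run is strict Base64 and decodes to one or more whole AES blocks."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error (bad padding or characters) is a ValueError
        return False
    return len(raw) >= AES_BLOCK and len(raw) % AES_BLOCK == 0


def find_rvtools_blobs(text: str) -> list[tuple[int, str]]:
    """Return (line_number, marker+blob) for every plausible stored credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _BLOB_RE.finditer(line):
            if looks_like_rvtools_blob(m.group(1)):
                hits.append((lineno, m.group(0)))
    return hits


# Constructed sample config, not real RVTools output: one plausible blob
# (decodes to 32 bytes = two AES blocks), one too-short decoy, one unrelated line.
PLAUSIBLE_BLOB = "QUFB" * 10 + "QUE="  # Base64 of 32 bytes
SAMPLE_CONFIG = "\n".join([
    "vcenter.host=vc01.corp.example",
    "vcenter.password=_RVToolsPWD" + PLAUSIBLE_BLOB,
    "note=_RVToolsPWDaGVsbG8= is only 5 bytes, so it cannot be a CBC ciphertext",
])

if __name__ == "__main__":
    for lineno, blob in find_rvtools_blobs(SAMPLE_CONFIG):
        print(f"line {lineno}: credential stored under the hardcoded key: {blob}")
```

Run it over exported configs, scripts and ticket attachments; any hit is a credential that anyone with the tool's hardcoded password and salt can recover, so rotate it and move the account to least privilege.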