Break things, write reports

RVTools

Hardcoded encryption keys in sysadmin tools

Tags: RVTools | Categories: lol, shitty sysadmins
Posted at — Aug 4, 2019

Tl;dr

_RVToolsPWD is a trivially reversible password blob: the AES key and IV come from PBKDF2 run over the hardcoded password "robware" and the hardcoded salt "Ivan Medvedev".

What

If you see the _RVToolsPWD prefix on a string and the rest of it looks like Base64, it's probably this.

To no one's surprise, its encryption is pretty silly: it uses a hardcoded password and a hardcoded salt. Further, to no one's surprise, the account whose credentials get 'encrypted' probably has more rights than it needs, so if one were to find this tool in the wild and decrypt the credentials, one would probably end up with crazy rights on the target's VMware clusters.

The relevant code is below:

// RVToolsPasswordEncryption.FMain (decompiled)
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

private void buttonEncrypt_Click(object sender, EventArgs e)
{
    if (txtPassword.TextLength != 0)
    {
        // Hardcoded PBKDF2 password, identical for every RVTools install.
        string password = "robware";
        // Plaintext is the UTF-16LE (Encoding.Unicode) form of the typed password.
        byte[] bytes = Encoding.Unicode.GetBytes(txtPassword.Text);
        using (Aes aes = Aes.Create()) // .NET defaults: CBC mode, PKCS7 padding
        {
            // Hardcoded 13-byte salt; the bytes are the ASCII string "Ivan Medvedev".
            // This Rfc2898DeriveBytes constructor defaults to 1000 iterations.
            Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, new byte[13]
            {
                73, 118, 97, 110, 32, 77, 101, 100, 118, 101, 100, 101, 118
            });
            // Key and IV are both read from the same PBKDF2 output stream over
            // fixed inputs, so they are constants: the same password always
            // produces the same blob.
            aes.Key = rfc2898DeriveBytes.GetBytes(32);
            aes.IV = rfc2898DeriveBytes.GetBytes(16);
            using (MemoryStream memoryStream = new MemoryStream())
            {
                using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    cryptoStream.Write(bytes, 0, bytes.Length);
                    cryptoStream.Close();
                }
                // Output format: the fixed "_RVToolsPWD" marker followed by Base64 ciphertext.
                txtEncryptedPassword.Text = "_RVToolsPWD" + Convert.ToBase64String(memoryStream.ToArray());
            }
        }
    }
}

Also, the salt bytes decode (as ASCII) to "Ivan Medvedev", which makes one wonder whether the code was just copy-pasted off a GitHub gist somewhere. It probably isn't the actual https://www.linkedin.com/in/ivanmed
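Because the output format is fixed (the "_RVToolsPWD" marker plus Base64 of AES-CBC ciphertext), it is easy to hunt for these weakly protected credentials in exported configs, scripts and file shares so they can be rotated. The scanner below is an added example, not RVTools code: it locates the marker, checks that what follows is valid Base64 of a block-aligned AES-CBC ciphertext, and reports the line and ciphertext length. scan_file and the sample text are constructed for illustration.

```python
import base64
import binascii
import re

# Marker RVTools prepends to its Base64-encoded, AES-encrypted password
# (from the decompiled buttonEncrypt_Click above).
RVTOOLS_PREFIX = "_RVToolsPWD"
AES_BLOCK = 16  # AES-CBC ciphertext length is always a multiple of this
_BLOB_RE = re.compile(re.escape(RVTOOLS_PREFIX) + r"([A-Za-z0-9+/=]+)")


def find_rvtools_blobs(text):
    """Return one finding per well-formed _RVToolsPWD blob in text."""
    findings = []
    for m in _BLOB_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not Base64, so not an RVTools blob
        # CBC with PKCS7 padding (the .NET default) always yields a
        # non-empty ciphertext whose length is a multiple of 16 bytes.
        if len(raw) == 0 or len(raw) % AES_BLOCK:
            continue
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "blob": m.group(0),
            "ciphertext_len": len(raw),
            # plaintext is UTF-16LE (Encoding.Unicode) plus >= 1 padding byte
            "max_password_chars": (len(raw) - 1) // 2,
        })
    return findings


def scan_file(path):
    """Hypothetical helper: scan one config/export file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_rvtools_blobs(fh.read())


# Constructed sample input (not real RVTools output): one well-formed blob,
# one whose payload is too short for AES-CBC, and one that is not Base64.
SAMPLE_TEXT = "\n".join([
    '<setting name="Password">' + RVTOOLS_PREFIX
    + base64.b64encode(bytes(range(32))).decode() + "</setting>",
    "note=" + RVTOOLS_PREFIX + base64.b64encode(b"short").decode(),
    "junk=" + RVTOOLS_PREFIX + "not*base64",
])

if __name__ == "__main__":
    for f in find_rvtools_blobs(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['blob']} ({f['ciphertext_len']} bytes)")
```

A hit means a vCenter/ESXi credential is sitting on disk under a fixed key, so treat it as exposed and rotate it rather than just deleting the file.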