TotalCommander WebDav Plugin – CVE-2025-56531
TL;DR: Use of hard-coded cryptographic keys to compromise an organisation
This is a bit of a dumb bug but one worth blogging about for the wider implications.
When on engagements it is not uncommon to find applications like TotalCommander (TC) where the client thought credentials were protected because “you can quite clearly see from the config file that the password is encrypted”.
For example, the TC WebDav plugin password may appear something like this:
password=103057016033058093008079066068103106
The plugin config file is the tcwebdav.ini file in the user's Roaming profile … or a copy in a backup or other store.
However, in this case the password is protected by an encryption algorithm with a key hard coded into the code, making it trivial to decrypt.
When we reported it, we got the following response:
“This isn’t a security issue: By default, Total Commander uses a master password and 256 bit AES encryption to store plugin passwords. There is a checkbox “Protect password with password manager (TC>=7.5)” which is checked by default.”
So, it would be protected if we used a master password and TotalCommander version 7.5 or above?
In the corporate world seeing out-of-date software is not uncommon and further, when you upgrade to a newer version, there is no guarantee that the new protections will be applied. In fact, the opposite is much more likely – that the new protections are not applied due to risks of breaking existing functionality.
This is the issue I have. If you are encrypting stuff in a way that has little to no actual security benefit, and on the contrary can lead to a false sense of security, why do it? Would you be comfortable knowing that the credentials for a Domain Admin are stored in a product with hard-coded cryptographic keys protecting those credentials? I wouldn't.
Testing or auditing software you use can help identify these risks so that organisations are aware of their exposures to these types of vulnerabilities and can manage the risks in accordance with their use of the products and the impact such exploitation could have on the organisation.
TotalCommander is not alone in this; we regularly see application configs protecting sensitive credentials in ways that are no more than a minor inconvenience.
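As an added illustration of that auditing point (this is not code from the post or from the plugin), here is a small inventory script that walks a profile or backup tree for copies of tcwebdav.ini and flags every stored `password=` entry, so the affected credentials can be rotated and the entries moved behind the master-password protection. The sample INI content, its section names and the search root are constructed assumptions; only the `password=` line shape (a long run of decimal digits) comes from the example above. The script never decodes a value, it only reports where one is stored.

```python
import re
from pathlib import Path
from typing import Iterator, NamedTuple

# Constructed sample tcwebdav.ini; section and server names are made up for
# illustration, only the digit-string password format is from the blog post.
SAMPLE_INI = """\
[fileshare]
server=https://webdav.example.internal
user=CORP\\svc_backup
password=103057016033058093008079066068103106

[wiki]
server=https://wiki.example.internal/dav
user=alice
password=
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
PASSWORD_RE = re.compile(r"^\s*password\s*=\s*(?P<value>.*?)\s*$", re.IGNORECASE)

class Finding(NamedTuple):
    section: str     # INI section (one WebDav connection) holding the entry
    line_no: int     # 1-based line in the file, for the audit report
    digit_only: bool # True when the value is all decimal digits, like the example

def find_stored_passwords(ini_text: str) -> list[Finding]:
    """Return one Finding per non-empty password= entry; values are never decoded."""
    findings, section = [], "<none>"
    for line_no, line in enumerate(ini_text.splitlines(), 1):
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        pw = PASSWORD_RE.match(line)
        if pw and pw.group("value"):
            value = pw.group("value")
            findings.append(Finding(section, line_no, value.isdigit()))
    return findings

def scan_tree(root: Path) -> Iterator[tuple[Path, Finding]]:
    """Walk a profile backup or file-share root (assumed path) for tcwebdav.ini copies."""
    for ini in root.rglob("tcwebdav.ini"):
        for finding in find_stored_passwords(ini.read_text(errors="replace")):
            yield ini, finding

if __name__ == "__main__":
    for f in find_stored_passwords(SAMPLE_INI):
        print(f"[{f.section}] line {f.line_no}: stored password (digit-only={f.digit_only})")
```

Run `scan_tree(Path(r"D:\backups\profiles"))` (path is an assumption) against a restored profile backup to see how many connections still rely on the plugin's own encoding rather than the master password.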
Back to the TotalCommander WebDav plugin. How simple is it to crack, I hear you ask?
- Download the source code at https://plugins.ghisler.com/fsplugins/webdav.zip
- Read the relevant code snippets
- Write a script to decrypt or cut-paste the code and tweak as desired
For the example password above we could do:
