The portald daemon (WatchGuard Authentication Portal) contains a hardcoded Fernet symmetric encryption key embedded directly in compiled Python bytecode. This key is used to encrypt Clientless VPN user credentials (usernames and passwords) stored on disk. Because the key is static and identical across all Firebox deployments, any attacker who obtains the credentials file can trivially decrypt its contents — without knowing any device-specific secret. Below you'll find the details...
Today we'll start here:
Attack Scenarios
1. Local Privilege Escalation / Post-Exploitation
- Attacker gains limited shell access to the Firebox (e.g., via another vulnerability)
- Reads /tmp/portald_data/credentials (world-readable or otherwise accessible to the attacker's process)
- Decrypts using hardcoded key — obtains all stored Clientless VPN user passwords
- Passwords may reuse credentials for internal services, AD accounts, etc.
2. Firmware / VMDK Extraction
- Attacker extracts VMDK or firmware image (physical access or backup theft)
- Mounts filesystem, retrieves both portald_plugin.pyc and credentials file
- Hardcoded key extracted from .pyc bytecode (co_consts — trivial)
- Offline decryption yields all credentials without any further authentication
3. Cluster Environment Amplification
- In cluster mode, update_key_for_cluster() derives key from selfsignedClient.wg
- BUT: if that file is unavailable (race condition, error, single-node), hardcoded key is used
- Credentials encrypted with device-specific key on cluster master may be decryptable on member nodes if hardcoded key was used at any point
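As an added example (my own code, not the post's and not WatchGuard's), the fallback described in scenario 3 next to a fail-closed variant: the weak function silently returns a fixed key whenever the cluster file cannot be read, the hardened one refuses and binds the key to the installation with a random per-install salt. The key value, file names and paths are constructed placeholders; PBKDF2 over the device secret is an assumed replacement for the derivation, not what portald actually does.

```python
import base64
import hashlib
import os
import secrets
import tempfile
HARDCODED_KEY_PLACEHOLDER = base64.urlsafe_b64encode(b"\x00" * 32)  # stands in for the real static key


def weak_key_for_cluster(secret_path):
    """The pattern the post describes: fall back to the fixed key when the file is unreadable."""
    try:
        with open(secret_path, "rb") as fh:
            return base64.urlsafe_b64encode(hashlib.sha256(fh.read()).digest())
    except OSError:
        return HARDCODED_KEY_PLACEHOLDER  # identical on every Firebox


class KeyUnavailable(RuntimeError):
    """Raised instead of falling back to a shared key."""


def hardened_key_for_device(secret_path, salt_path):
    """Fail closed, and bind the key to this install with a random per-install salt."""
    try:
        with open(secret_path, "rb") as fh:
            secret = fh.read()
    except OSError as exc:
        raise KeyUnavailable(f"device secret unreadable: {secret_path}") from exc
    if not os.path.exists(salt_path):
        with open(salt_path, "wb") as fh:
            fh.write(secrets.token_bytes(16))
    with open(salt_path, "rb") as fh:
        salt = fh.read()
    # 32 raw bytes, urlsafe-base64 encoded: the form Fernet expects for a key.
    return base64.urlsafe_b64encode(hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000, dklen=32))


def demo():
    """Two simulated boxes: cluster file missing first, then an identical one on both."""
    paths = [(os.path.join(d, "selfsignedClient.wg"), os.path.join(d, "salt"))
             for d in (tempfile.mkdtemp(), tempfile.mkdtemp())]
    out = {"weak_shares_key": weak_key_for_cluster(paths[0][0]) == weak_key_for_cluster(paths[1][0])}
    try:
        hardened_key_for_device(*paths[0])
        out["hardened_fails_closed"] = False
    except KeyUnavailable:
        out["hardened_fails_closed"] = True
    for secret_path, _ in paths:  # constructed secret, same bytes on both boxes
        with open(secret_path, "wb") as fh:
            fh.write(b"constructed-device-secret")
    keys = [hardened_key_for_device(*p) for p in paths]
    out["hardened_keys_differ"] = keys[0] != keys[1]
    return out
```

With the weak selector, two boxes that both fail to read their cluster file end up protecting credentials with the same key; with the hardened one, the missing file is an error and even identical secrets produce different keys.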
Timeline
Full report is available here.
More
You can find more and support me at:
- https://code610.blogspot.com
- https://www.patreon.com/cw/code610proton
Currently I’m looking for a job:
- https://code610.blogspot.com/p/contact.html
Cheers