Headline
CVE-2022-30018: MxCC_Credential-Storage_issue/MxCC_improper_credential_storage at main · PurplePetrus/MxCC_Credential-Storage_issue
Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, Storing Passwords in a Recoverable Format via the MxCC.ini config file. The credential storage method in this software enables an attacker/user of the machine to gain admin access to the software and gain access to recordings/recording locations.
Permalink
1 contributor
Users who have contributed to this file
######################################
MxCC passwords exposed in MxCC.ini file
######################################
Software: Mobotix Control Center (MxCC)
Version: 2.5.4.5 and before
Summary:
--------
In the config file created by MxCC, when saving the config, the passwords are stored in base64 format.
This format can easily be reversed and passwords become visible in cleartext.
It concerns following passwords:
- Camera passwords
- MxCC Users passwords
- network share passwords
Tested in Version 2.5.4.5
Test case:
----------
*setup*
Created config with 2 users
one admin user and one regular user.
admin user with password: supersecretpassword
regular user with password: myownpassword
the config was saved and found in the appdata directory of the user.
extract of config file with user info:
--------------------------------------
* start example *
[UsersnGroups]
Group\size=2
Group\1\GroupID=0
Group\1\Name=administrators
Group\1\Comment=
Group\1\User\size=1
Group\1\User\1\UserID=0
Group\1\User\1\Name=admin
Group\1\User\1\FullName=admin
Group\1\User\1\Comment=
Group\1\User\1\Password="@ByteArray(c3VwZXJzZWNyZXRwYXNzd29yZA==)"
Group\1\User\1\GroupID=0
Group\1\User\1\AutoLogOn=0
Group\2\GroupID=1
Group\2\Name=users
Group\2\Comment=
Group\2\User\size=1
Group\2\User\1\UserID=1
Group\2\User\1\Name=user
Group\2\User\1\FullName=
Group\2\User\1\Comment=
Group\2\User\1\Password="@ByteArray(bXlvd25wYXNzd29yZA==)"
Group\2\User\1\GroupID=1
Group\2\User\1\AutoLogOn=0
Obscure=true
HighestUserID=1
HighestGroupID=1
* end of example *
As we can see in the @ByteArray we can find a base64 data string.
if we run this string in a base64 decoder we can recreate the passwords in plain text.
This for all passwords in the file.
This file is often backed up on a different location in order to recover a config when lost.
This file is also present on the workstation in order to load the config.
If this file is taken or accessed by an unauthorized person/process, this person or process can retrieve the passwords for
- all users in MxCC
- all camera login credentials
- credentials for access to share location if used for remote storage.
This could allow for practically any user with access to this workstation and access to the MxCC app to retrieve all used credentials.
Which can result in.
- Unauthorized access to Camera devices
- Privilige escalation in the context of the application MxCC
- Unauthorized access to recordings
- Unauthorized acces to networkshares