CVE-2020-27688 PoC — Robware RVTools PasswordEncryption security vulnerability

Source
Associated Vulnerability
Title: Robware RVTools PasswordEncryption security vulnerability (CVE-2020-27688)
Description: RVToolsPasswordEncryption.exe in RVTools 4.0.6 allows users to encrypt passwords to be used in the configuration files. This encryption used a static IV and key, and thus using the Decrypt() method from VISKD.cs from the RVTools.exe executable allows for decrypting the encrypted passwords. The accounts used in the configuration files have access to vSphere instances.
Description
CVE-2020-27688
Readme
# CVE-2020-27688

## Introduction
RVTools is an application developed by [Robware.net](https://www.robware.net/rvtools/) and is written in .NET 4.6.1. It interacts with vSphere environments to extract information in CSV or XLSX format. It can be run through a GUI or with an input CSV file that stores the information needed to connect to the vSphere environment. The password in the CSV file is encrypted using a proprietary encryption application. The encrypted password can be identified by the "\_RVTools" prefix.

## Affected versions
<= 4.0.6

## Vulnerability
The encryption is configured with a static IV and KEY. Using reverse engineering techniques, it is possible to extract this IV and KEY, and these values can then be used to decrypt the password used in the configuration files.
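
The following audit sketch is an added example, not code from this repository: it locates `_RVTools`-prefixed values in configuration text and groups identical blobs, so the affected vSphere accounts can be found and rotated. The file names, column layout and blob values are constructed, and the token boundary used by the regex is an assumption.

```python
import hashlib
import re
from collections import defaultdict

# Prefix the README gives for an RVTools-encrypted password.
PREFIX = "_RVTools"
# Assumption: the blob runs until whitespace, a quote or a CSV delimiter.
TOKEN = re.compile(re.escape(PREFIX) + r"[^\s,;\"']+")


def fingerprint(blob):
    """Short SHA-256 tag so reports never echo the blob itself."""
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()[:12]


def scan_text(text, source):
    """Return one finding per encrypted value: (source, line number, tag)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN.finditer(line):
            findings.append((source, line_no, fingerprint(match.group(0))))
    return findings


def group_reuse(findings):
    """Map tag -> locations. A static key and IV make the encryption
    deterministic, so equal blobs mean the same password is in use."""
    groups = defaultdict(list)
    for source, line_no, tag in findings:
        groups[tag].append((source, line_no))
    return dict(groups)


# Constructed sample inputs; the column layout and blob values are invented.
SAMPLES = {
    "prod.csv": "vc01.example.test,svc_rvtools,_RVToolsAAAAconstructedAAAA==\n",
    "lab.csv": "server;user;password\n"
               "vc02.example.test;svc_rvtools;_RVToolsAAAAconstructedAAAA==\n"
               "vc03.example.test;svc_lab;_RVToolsBBBBconstructedBBBB==\n",
    "notes.txt": "password prefix is _RVTools\n",  # bare prefix, not a blob
}

if __name__ == "__main__":
    all_findings = []
    for name, body in SAMPLES.items():
        all_findings.extend(scan_text(body, name))
    for tag, places in group_reuse(all_findings).items():
        print(tag, "rotate credential; found at", places)
```

Every account reported this way should be treated as exposed on affected versions: rotate its password and restrict who can read the files that held it.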

## POC
This repository contains the .NET code to decrypt the encrypted password using the static IV and KEY.
File Snapshot

```
[4.0K] /data/pocs/b3482cfeb041d84ca991f5469d3fefe4112c683b
├── [1.0K] LICENSE
├── [ 897] README.md
└── [4.0K] RVToolDecryptor
    ├── [4.0K] RVToolDecryptor
    │   ├── [4.0K] bin
    │   │   └── [4.0K] Debug
    │   │       └── [4.0K] netcoreapp3.1
    │   │           ├── [ 415] RVToolDecryptor.deps.json
    │   │           ├── [6.5K] RVToolDecryptor.dll
    │   │           ├── [170K] RVToolDecryptor.exe
    │   │           ├── [9.6K] RVToolDecryptor.pdb
    │   │           ├── [ 179] RVToolDecryptor.runtimeconfig.dev.json
    │   │           └── [ 146] RVToolDecryptor.runtimeconfig.json
    │   ├── [2.7K] Decyptor.cs
    │   ├── [4.0K] obj
    │   │   ├── [4.0K] Debug
    │   │   │   └── [4.0K] netcoreapp3.1
    │   │   │       ├── [ 995] RVToolDecryptor.AssemblyInfo.cs
    │   │   │       ├── [ 41] RVToolDecryptor.AssemblyInfoInputs.cache
    │   │   │       ├── [ 146] RVToolDecryptor.assets.cache
    │   │   │       ├── [ 424] RVToolDecryptor.csprojAssemblyReference.cache
    │   │   │       ├── [ 41] RVToolDecryptor.csproj.CoreCompileInputs.cache
    │   │   │       ├── [1.5K] RVToolDecryptor.csproj.FileListAbsolute.txt
    │   │   │       ├── [6.5K] RVToolDecryptor.dll
    │   │   │       ├── [170K] RVToolDecryptor.exe
    │   │   │       ├── [ 41] RVToolDecryptor.genruntimeconfig.cache
    │   │   │       └── [9.6K] RVToolDecryptor.pdb
    │   │   ├── [1.9K] project.assets.json
    │   │   ├── [ 328] project.nuget.cache
    │   │   ├── [2.1K] RVToolDecryptor.csproj.nuget.dgspec.json
    │   │   ├── [1.3K] RVToolDecryptor.csproj.nuget.g.props
    │   │   └── [ 289] RVToolDecryptor.csproj.nuget.g.targets
    │   └── [ 170] RVToolDecryptor.csproj
    └── [1.1K] RVToolDecryptor.sln

8 directories, 26 files
```