Vulnerability Disclosure - Hardcoded Keys/Password @ Zoho R.A.P.

Kartik Lalan, published in NestedIf, Sep 23, 2021
Hardcoded Keys

Status: Fixed (As on 27-Aug-2021)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N = 5.5 (Medium Severity)

Fixed version: 10.1.2121.1 (Change log)

CVE-2021-41827, CVE-2021-41828

Impacted Component: Remote Access Plus (RAP) Server (Desktop App)

Vulnerability Description: It was observed that Zoho Remote Access Plus uses hardcoded passwords/keys for multiple items. The credentials are hardcoded within the source code, which can be reverse engineered very easily (the DCBackupRestore Jar file present within lib).

Impact rationale: Among all the hardcoded values, one was found to be the DB connection string password. The DB contains all sensitive information: server config, deployed agent config, all enterprise system/user details, all other system information, their vulnerability/patch status, user accounts, keys and many other details.

It was also observed that resetPWD.xml within the bin directory contains a fixed password and a weak fixed salt value. The product is also vulnerable to improper file permissions, which make it possible for anyone to read the file.

Exploitability rationale:

Since the value is hardcoded and remains the same across all installations, finding the password/key does not need system access; it can be harvested from anywhere (and the app is easily downloadable over the internet). Moreover, static/hardcoded values are among the most hazardous vulnerabilities that can be found via R.E. in managed/unmanaged code. However, it is to be noted that this ‘medc’ DB user has been granted view-only permission, so add/edit/delete operations cannot be performed. Also, postgres is configured to listen internally only (but has provision to listen on all interfaces as well).

Steps to Reproduce & Supportive Evidence:

RE of the un-obfuscated code gives you the details. (The DCBackupRestore Jar file present within lib can be opened in tools like JD-GUI.)

POC showing the hardcoded credential found within the Jar file and then using it to connect to the DB
Hardcoded creds and salt for the reset password file
DBBackup password obtained via RE of the Jar file

Recommendation:

  1. A SecureRandom function can be used to generate credentials at installation time, so that credentials differ across installations.
  2. For storage, prefer a vault, or seek user input and protect it via PBKDF2, or leverage Windows Auth. For the connection string, rely on filesystem ACLs in the worst case.
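What recommendations 1 and 2 look like in code, as an added example that is not the vendor's code: a per-installation DB password from SecureRandom, a PBKDF2 hash with a random salt in place of the fixed password and salt in resetPWD.xml, and owner-only file permissions on the written secrets. File names, the key length and the iteration count are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class InstallSecrets {
    private static final SecureRandom RNG = new SecureRandom();

    // Recommendation 1: a fresh random DB password per installation, never a compile-time constant.
    static String newPassword(int bytes) {
        byte[] buf = new byte[bytes];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Recommendation 2: derive the stored reset-password verifier with PBKDF2-HMAC-SHA256
    // over a per-installation random salt (assumed parameters: 256-bit output, 310k iterations).
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Create the file owner-only before writing, so other local users never get a readable copy.
    static void writeOwnerOnly(Path file, String content) throws IOException {
        try {
            Files.createFile(file, PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) {
            Files.createFile(file); // non-POSIX (Windows): restrict via AclFileAttributeView instead
        }
        Files.write(file, content.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("rap-install"); // constructed install directory
        writeOwnerOnly(dir.resolve("db.properties"), "db.password=" + newPassword(32) + "\n");

        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        // Placeholder for the admin-chosen reset password supplied during installation.
        byte[] hash = pbkdf2("admin-chosen-at-install".toCharArray(), salt, 310_000);
        String record = Base64.getEncoder().encodeToString(salt) + ":" + Base64.getEncoder().encodeToString(hash);
        writeOwnerOnly(dir.resolve("resetPWD.hash"), record + "\n");
        System.out.println("per-install secrets written under " + dir);
    }
}
```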
