{"id":2105,"date":"2022-07-06T13:37:47","date_gmt":"2022-07-06T11:37:47","guid":{"rendered":"https:\/\/www.dsecbypass.com\/?p=2105"},"modified":"2024-02-07T10:49:55","modified_gmt":"2024-02-07T09:49:55","slug":"keyshot-vulnerability","status":"publish","type":"post","link":"https:\/\/www.dsecbypass.com\/en\/keyshot-vulnerability\/","title":{"rendered":"KeyShot Vulnerability"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/06\/keyshot-logo-250.png” alt=”keyshot logo” title_text=”keyshot logo” align=”center” _builder_version=”4.17.4″ _module_preset=”default” background_color=”#000000″ width=”50%” module_alignment=”center” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

Vladimir had the opportunity to test the security of KeyShot 11.1<\/a> software during a penetration testing mission.<\/p>\n

This software, published by Luxion, is used to produce photorealistic 3D renderings in real time. It requires significant computing capacities which can be distributed on several servers thanks to KeyShot Network Rendering<\/a>.<\/p>\n

In the case of a distributed architecture, one or more managers <\/em>must be configured to manage user accounts and distribute tasks to different workers<\/em>. The end users of the software then use their local client to authenticate with the manager<\/em>and send him the tasks to be distributed.<\/p>\n

The KeyShot Network Monitoring thick client (“keyshot_network_monitor.exe”) allows users to authenticate and access the progress status of tasks and the occupation rate of workers<\/em>.<\/p>\n

[\/et_pb_text][et_pb_text module_id=”sauvegarder” _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

Network protocol analysis<\/h2>\n

Clients communicate with the manager on port TCP\/4827 using a proprietary protocol. Communications are in the clear by default but TLS encryption can be configured<\/a>. During the audit in question, encryption was not enabled.<\/p>\n

The DSecBypass auditor decided to analyze the unauthenticated attack surface exposed by the manager. To do this, he used KeyShot Network Monitoring with a valid account to reverse-engineer the communications between the client and the manager.<\/p>\n

Wireshark <\/a>software was used to capture the different packets exchanged. The consultant interacted with the software, taking care to use the most important features so as to generate maximum traffic and be able to identify which sequences of bytes govern the actions.<\/p>\n

In order to isolate the packets of interest in the conversation, simply create a filter on the manager’s IP address as follows:<\/p>\n

\n

ip.addr == 192.168.1.1<\/p>\n<\/blockquote>\n

Then decode TCP stream from filtered packets:<\/p>\n

\"Wireshark<\/p>\n

A window opens and displays the characters that can be displayed, colored according to whether they are sent or received.<\/p>\n

This window is useful for following the progress of the conversation between the client and the manager. When an interesting message is discovered, simply click on it to highlight the corresponding packet in the Wireshark capture window.<\/p>\n

 <\/p>\n

\"Wireshark<\/p>\n

The screenshot above shows the package selected by clicking on the “pass” string of letters.<\/p>\n

In order to extract the message as it is, all you have to do is export the TCP data (data or payload TCP):<\/p>\n

\"\"<\/p>\n

The auditor was thus able to export the messages corresponding to the authentication, the recovery of information on the tasks in progress, the change of information of a user and other interesting actions.<\/p>\n

An important part of the analysis was to understand how the packets were formed and in what order they were sent to the manager. It is also important to analyze the manager’s responses, in the same way, in order to know if the previous message was rejected or not.<\/p>\n

[\/et_pb_text][et_pb_text module_id=”virus” _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

Packet replay and forging<\/h2>\n

Once the different messages have been isolated, it may be interesting to replay and modify them.<\/p>\n

The auditor relied on the Python pwntools library<\/a>: CTF oriented, it is optimized for pwn\/reverse type challenges and allows in a few lines to interact with TCP sockets.<\/p>\n

A few bash commands are also useful:<\/p>\n

#Inspect message bytes<\/span><\/p>\n

\n
xxd fichier.bin<\/pre>\n<\/blockquote>\n
#Compare octets between two files and display offsets<\/span><\/p>\n
\n
cmp -l fichier1.bin fichier2.bin | gawk '{printf \"%08X %02X %02X\\n\", $1, strtonum(0$2), strtonum(0$3)}'<\/pre>\n<\/blockquote>\n
#Replace a series of bytes with another in a file (useful for modifying a string for example)<\/span><\/p>\n
\n
xxd -p -c 123456789 fichier.bin |sed 's\/0011002200330044\/0011003300220044\/g' | xxd -p -r > fichier2.bin<\/pre>\n<\/blockquote>\n
Identifying the bytes specifying the size of the message and the various fields is left as an exercise for the readers.<\/p>\n
The following Python script template can be used to easily send the prepared messages to the manager:<\/p>\n
\n