The video shows a method, discovered by Denis Gundarev, to obtain the IMA Datastore password. Basically he runs DSMaint.exe, sets a breakpoint on the call to CryptUnprotectData and then reads the decrypted password from memory.
I tried to call the CryptUnprotectData API directly with the data read from the registry, but this failed with error NTE_BAD_KEY_STATE. This error is defined in winerror.h and means “Key not valid for use in specified state”.
I assumed Citrix was passing optional entropy (a salt) to make the decoding a little more difficult, so I checked the disassembly of DSMaint with IDA Pro. It imports a function called GlobalData_GetDecryptedStrW from ImaSystem.dll:
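The following PowerShell snippet is an added example (not code from the original post or from Citrix) that reproduces the behaviour described above using the .NET ProtectedData class, which wraps CryptProtectData/CryptUnprotectData. The secret and the entropy value are constructed sample values, not the real Citrix entropy; the point is that a blob protected with entropy cannot be unprotected without that same entropy, which yields exactly the NTE_BAD_KEY_STATE message, and that the LocalMachine scope ties decryption to the machine the blob was created on.

```powershell
# Added example, not from the original post: DPAPI with and without optional entropy.
Add-Type -AssemblyName System.Security

# Constructed sample values; the real IMA entropy lives in ImaSystem.dll and is not reproduced here
$secret  = [System.Text.Encoding]::Unicode.GetBytes('example-datastore-password')
$entropy = [System.Text.Encoding]::ASCII.GetBytes('example-entropy')
$scope   = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

# Protect the secret the way an application like DSMaint would: machine scope plus entropy
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# 1) Unprotect without entropy: DPAPI rejects the call with NTE_BAD_KEY_STATE
try {
    [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope) | Out-Null
    'Unexpected: blob decrypted without entropy'
} catch {
    # Expected message: "Key not valid for use in specified state."
    "Without entropy: $($_.Exception.GetBaseException().Message)"
}

# 2) Unprotect with the same entropy on the same machine: succeeds
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
"With entropy:    $([System.Text.Encoding]::Unicode.GetString($plain))"
```

Running this on a second machine (or copying $blob there) fails in step 2 as well, which is why the registry values can be read remotely but only decrypted on the server itself. Note also that the entropy is not a key: anyone who can read the calling binary can recover it, so it only adds obscurity, not secrecy.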
I opened ImaSystem.dll in IDA Pro and found CryptUnprotectData in the Imports tab:
I checked the references (Ctrl-X) and went to the one on the top of the list:
I don’t think it’s difficult to spot the entropy here.
The code needed to decrypt the password is just a few lines:
function Decrypt(const DataIn: DATA_BLOB; const Entropy: array of Byte): String;
var
  EntropyData, DataOut: DATA_BLOB;
begin
  // The entropy taken from ImaSystem.dll is passed as pOptionalEntropy
  EntropyData.cbData := Length(Entropy);
  EntropyData.pbData := @Entropy[0];
  Win32Check(CryptUnProtectData(@DataIn, nil, @EntropyData, nil, nil, 0, @DataOut));
  SetLength(Result, DataOut.cbData div SizeOf(Char));
  CopyMemory(PChar(Result), DataOut.pbData, DataOut.cbData);
  LocalFree(HLOCAL(DataOut.pbData)); // DPAPI allocates pbData with LocalAlloc
end;
At the bottom of this post is a downloadable tool that reads the username and password data from the registry, decrypts and displays it:
But where does this leave us? Is it a security breach?
I don’t think so, since the call to CryptUnprotectData fails if we do not have Admin privileges. Furthermore, we can read the values remotely (if we have admin privileges), but we can only decrypt them locally.
Citrix IMA DataStore Username & Password Decoder