This morning Arjan Beijer sent me an interesting link to a YouTube video about obtaining the Citrix IMA Datastore password with WinDbg.
The video shows a method discovered by Denis Gundarev: run DSMaint.exe under the debugger, set a breakpoint on the call to CryptUnprotectData, and read the decrypted password from memory once the breakpoint hits.
I tried calling the CryptUnprotectData API directly on the data read from the registry, but this failed with NTE_BAD_KEY_STATE (0x8009000B, or -2146893813 as a signed 32-bit value). It is defined in winerror.h and means “Key not valid for use in specified state”; DPAPI returns it when a blob cannot be unprotected in the current context, for instance because the optional entropy that was supplied at protect time is not supplied again.
CryptUnprotectData takes an optional entropy buffer (pOptionalEntropy, effectively a second secret that the caller must present again to decrypt), so I assumed Citrix was using one to make decoding a little more difficult. I checked the disassembly of DSMaint in IDA Pro, and it imports a function called GlobalData_GetDecryptedStrW from ImaSystem.dll:
I opened ImaSystem.dll in IDA Pro and found CryptUnprotectData in the Imports tab:
I checked the cross-references to it (Ctrl-X) and went to the one at the top of the list:
The entropy is not hard to spot in that listing: it is the buffer passed as the third argument, pOptionalEntropy.
The code needed to decrypt the password is just a few lines of Delphi. DataIn is the REG_BINARY value read from the registry and Entropy holds the bytes ImaSystem.dll passes as pOptionalEntropy (taken from the disassembly above; DATA_BLOB, CryptUnprotectData and CRYPTPROTECT_UI_FORBIDDEN come from a unit that declares the CryptoAPI, such as JwaWinCrypt from the JEDI API library, Win32Check from SysUtils):
    function Decrypt(const DataIn: DATA_BLOB; const Entropy: TBytes): String;
    var
      DataOut: DATA_BLOB;
      EntropyData: DATA_BLOB;
    begin
      // Present the same entropy ImaSystem.dll used when the value was protected
      EntropyData.cbData := Length(Entropy);
      EntropyData.pbData := @Entropy[0];
      // Win32Check raises EOSError with the Win32/HRESULT code if the call fails
      Win32Check(CryptUnprotectData(@DataIn, nil, @EntropyData, nil, nil,
        CRYPTPROTECT_UI_FORBIDDEN, @DataOut));
      try
        // The decrypted buffer is UTF-16 text, hence the division by SizeOf(Char)
        SetLength(Result, DataOut.cbData div SizeOf(Char));
        CopyMemory(@Result[1], DataOut.pbData, DataOut.cbData);
      finally
        // The output buffer is allocated by CryptUnprotectData and must be freed with LocalFree
        LocalFree(HLOCAL(DataOut.pbData));
      end;
    end;
At the bottom of this post is a downloadable tool that reads the username and password values from the registry, decrypts them and displays the result:
But where does this leave us? Is it a security breach?
I don’t think so, since the call to CryptUnprotectData fails if we do not have admin privileges. Furthermore, the encrypted values can be read remotely (given admin privileges on the server), but they can only be decrypted locally: the DPAPI blob is bound to the keys of the server that protected it. In practice the datastore credentials are therefore exactly as well protected as administrative access to that Citrix server.
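The same DPAPI-with-entropy decryption from PowerShell, as an added example that is not the post's tool or Citrix code. It uses .NET's ProtectedData class, which wraps CryptProtectData/CryptUnprotectData. Two things are assumptions, not facts from the page: that the values were protected in the LocalMachine DPAPI scope, and that the caller supplies the entropy bytes found in ImaSystem.dll (the post does not print that value, so the test below uses a constructed one). The value name L$ImaDBUsername is from the tool output quoted in the comments; the password value name is not shown on the page and must be passed by the caller.

```powershell
# Added example, not the post's tool. Decrypts a DPAPI blob with optional entropy the
# way the post describes ImaSystem.dll doing it, via .NET's ProtectedData wrapper.
# ASSUMPTIONS: LocalMachine DPAPI scope; entropy bytes supplied by the caller.

Add-Type -AssemblyName System.Security
$DpapiScope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Get-RootMessage($ErrorRecord) {
    # .NET exceptions reach PowerShell wrapped in MethodInvocationException; unwrap them.
    $e = $ErrorRecord.Exception
    if ($e.InnerException) { $e = $e.InnerException }
    $e.Message
}

function Read-ImaDataStoreValue {
    # Reads a REG_BINARY value under HKLM\Software\Citrix\IMA\DataStore, locally or from a
    # remote server. A remote read needs admin rights on the target (and the Remote Registry
    # service); the blob still has to be decrypted on the server that protected it.
    param(
        [string] $Name = 'L$ImaDBUsername',   # the password value name is not shown on the page
        [string] $ComputerName
    )
    $hive = if ($ComputerName) {
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    } else {
        [Microsoft.Win32.Registry]::LocalMachine
    }
    $key = $hive.OpenSubKey('Software\Citrix\IMA\DataStore')
    if (-not $key) { throw 'HKLM\Software\Citrix\IMA\DataStore not found' }
    [byte[]] $key.GetValue($Name)
}

function Unprotect-ImaBlob {
    param(
        [Parameter(Mandatory)] [byte[]] $Blob,     # raw REG_BINARY value
        [Parameter(Mandatory)] [byte[]] $Entropy   # bytes ImaSystem.dll passes as pOptionalEntropy
    )
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $DpapiScope)
    } catch {
        # Wrong or missing entropy, or a blob from another machine, surfaces as
        # NTE_BAD_KEY_STATE (0x8009000B / -2146893813): "Key not valid for use in specified state".
        throw "CryptUnprotectData failed: $(Get-RootMessage $_)"
    }
    # The plaintext is UTF-16, as the post's Delphi 'div SizeOf(Char)' implies.
    [System.Text.Encoding]::Unicode.GetString($plain).TrimEnd([char]0)
}

function Test-EntropyRoundTrip {
    # Offline demonstration with constructed data: why the post's first attempt (no entropy)
    # failed and the second (entropy taken from the disassembly) succeeded.
    $secret  = [System.Text.Encoding]::Unicode.GetBytes('sa-password-example')   # constructed
    $entropy = [System.Text.Encoding]::ASCII.GetBytes('not-the-real-entropy')     # constructed
    $blob    = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $DpapiScope)

    $withoutEntropy = $null
    try {
        [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $DpapiScope)
        $withoutEntropy = 'unexpectedly succeeded'
    } catch {
        $withoutEntropy = Get-RootMessage $_    # Key not valid for use in specified state
    }

    [pscustomobject]@{
        WithoutEntropy = $withoutEntropy
        WithEntropy    = (Unprotect-ImaBlob -Blob $blob -Entropy $entropy)   # sa-password-example
    }
}

# Usage on a Citrix server, once the entropy bytes have been taken from ImaSystem.dll:
#   $entropy = [byte[]](...)   # as seen in the disassembly, not reproduced here
#   Unprotect-ImaBlob -Blob (Read-ImaDataStoreValue -Name 'L$ImaDBUsername') -Entropy $entropy
Test-EntropyRoundTrip
```

Run the script on any Windows machine as an administrator to see the round trip: the Unprotect call without entropy throws the same “Key not valid for use in specified state” error the post hit, and the call with the matching entropy returns the plaintext. Reading the value from a remote server works with admin rights, but the Unprotect call must run on the server that protected the blob.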
Citrix IMA DataStore Username & Password Decoder (2509 downloads)
4 Responses for "Decoding Citrix IMA Datastore Password"
Great article Remko! I tried the tool but just get the following; it seems that L$ImaDBUsername could not be converted correctly?!
Citrix IMA Username & Password Dumper v1.0 (c) Remko Weijnen 2012
Opening HKLM\Software\Citrix\IMA\DataStore
Reading value L$ImaDBUsername
L$ImaDBUsername has 164 bytes
Decrypting L$ImaDBUsername
EOSError: System Error. Code: 13.
The data is invalid
Press any key to continue
Thanks Andreas, it was a little bug in my tool. I fixed it and uploaded a new version.
Great! I lost the sa password of a SQL 2008 R2 Express datastore… thanks!!
I get the following:
Citrix IMA Username & Password Dumper v1.0 (c) Remko Weijnen 2012
Opening HKLM\Software\Citrix\IMA\DataStore
Reading value L$ImaDBUsername
L$ImaDBUsername has 188 bytes
Decrypting L$ImaDBUsername
EOSError: System Error. Code: -2146893813.
Key not valid for use in specified state
Press any key to continue
Please advise