漏洞描述
Ensure the "Store passwords using reversible encryption" policy is set to Disabled. If enabled, it can allow stored passwords to be retrieved in plaintext, posing a serious security risk.
password-cleartext-encryption: Store Passwords Using Reversible Encryption Check
PoC代码[已公开]
id: password-cleartext-encryption
info:
name: Store Passwords Using Reversible Encryption Check
author: nukunga[SungHyunJeon]
severity: medium
description: |
Ensure the "Store passwords using reversible encryption" policy is set to Disabled. If enabled, it can allow stored passwords to be retrieved in plaintext, posing a serious security risk.
impact: |
If this setting is enabled, attackers could potentially recover user passwords, leading to unauthorized access and compromise of network resources.
remediation: |
Disable this policy using one of the following methods:
- Command Line: Export the security configuration, set ClearTextPassword=0, and reapply it using secedit.
- GUI: Open Local Security Policy → Account Policies → Password Policy → "Store passwords using reversible encryption" and set it to Disabled.
reference:
- https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
tags: code,windows-audit,kisa,account-management,password-policy
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
# Export security settings to a configuration file
secedit /export /cfg C:\cfg.txt | Out-Null
$cfg = Get-Content C:\cfg.txt | Out-String
if ($cfg -match "ClearTextPassword\s*=\s*(\d)") {
$value = $Matches[1]
if ($value -eq "1") {
"CLEAR_TEXT_PASSWORD_ENABLED"
} else {
"CLEAR_TEXT_PASSWORD_DISABLED"
}
} else {
"CLEAR_TEXT_PASSWORD_NOT_FOUND"
}
matchers:
- type: word
words:
- "CLEAR_TEXT_PASSWORD_ENABLED"
# digest: 490a0046304402206180f772353986ee4ee889d90160f393e2ebc4aa0522f36d6f7c786b055b70b9022012eaa06861d6d4669161f399c0c732efcc36cb235c906f501355a7dc2506a1b6:922c64590222798bb761d5b6d8e72950