Where and how do you store credentials used by applications? There is no easy solution in Windows. We all agree that storing cleartext passwords in the source code or a configuration file is a bad idea. We should encrypt these passwords. But what do we do with the decryption key? Is the decryption algorithm easy to break?
I wondered how difficult it would be to extract the password from McAfee’s EPO agent installation program. It turns out to be rather easy, it took me about 3 hours of debugging with OllyDbg. And then I developed a OllyDbg plugin to automate the task.
McAfee’s EPO provides centralized anti-virus management. It connects to EPO agents installed on each managed machine. One can install the EPO agent centrally via the EPO manager or locally by copying the EPO agent installation program to the machine and executing it with local admin credentials. McAfee provides a solution when the install has to be done by a user without administrative privileges. The necessary credentials are stored in the EPO agent installation program.
Here’s how I proceeded to extract the password from the EPO agent installation program.
First I create 2 EPO agent installation programs with different passwords (password and P@ssw0rd) and I compare the files with JojoDiff.
jdiff-w32 -lr FramePkg-1.exe FramePkg-2.exe: 1 1 EQL 25792 25793 25793 MOD 64 25856 25856 EQL 1487303
The files are identical, except for 64 bytes.
I extract the 64 bytes from FramePkg-1.exe with my binary tools:
middle FramePkg-1.exe 25792 64 password.bin
I examine password.bin with XVI32 and discover it’s ASCII:
jXoAADpNAADvOY9WkCYp0xOk6ON8lFjm4af+X4+8IVL6vuLPafhTAuyfdv52BG4e
This must be the encrypted password (P@ssw0rd).
I debug FramePkg-1.exe with OllyDbg, looking for the password (encrypted and cleartext). It takes an hour to discover that FramePkg-1.exe extracts several files to a temporary folder and starts another program it extracted: FrmInst.exe
This program takes several arguments, one of which is the encrypted password:
/CreateService="C:mydirsEPOAgentEPOAgentFramePkg-1.exe" /LOGDIR=C:DOCUME~1ADMINI~1LOCALS~1TempNAILogs /Cleanup2="C:DOCUME~1ADMINI~1LOCALS~1Tempunz6.tmp" /EmbeddedUsername="administrator" /EmbeddedDomain="." /EmbeddedPassword="jXoAADpNAADvOY9WkCYp0xOk6ON8lFjm4af+X4+8IVL6vuLPafhTAuyfdv52BG4e" /Install=Agent
I debug FrmInst.exe with these arguments, and after 2 hours I find register EBP pointing to ASCII string P@ssw0rd. This is at address 0x004101BD.
This confirms my suspicion: the password is safe from a normal user, but someone with assembly debugging skills can recover the password within a few hours. No big surprise, but you know, there are people who can only be convinced when you deliver a proof to backup your claim.
This dreary debugging process inspired me to develop a OllyDbg plugin called OllyStepNSearch to automated the debugging process. It will automatically step through the debugged program until a register points to the string you specified. You can download it, but it’s still beta.
I used it to debug the EPO agent to look for P@ssw0rd. It’s slow (about 45 minutes), but it runs unattended.
Didier Stevens 
Yes, it’s 8 years later – but after finding this little gem you wrote I changed the account our McAfee setup used for the deployment to a much less vulnerable plain vanilla AD account. Thanks for your work on this!
Comment by Gary R — Wednesday 31 December 2014 @ 20:25