Back in 2011, a community-submitted module was pulled into the Metasploit Framework that was able to decrypt the passwords in files such as db.properties
, containing the necessary credentials to connect to the database driving ePO. The module details the existence of a static key, used in conjunction with AES-128-ECB, that provides crypto services for strings in the ePO installation. It does not, however, tell us how we can find it ourselves.
During a recent pentest, a co-worker tried this module against the latest version (ePO 5.3.0 as of writing) to no avail. With access to the database, one could reset or add a user in order to modify agent configurations, enabling distributed compromise on an enterprise scale. This post details the added “crypto” code, where the original author found the static key, and how the credentials can still be decrypted today.
The Key
The following configuration defines some of the directives used in the all-important db.properties file (my installation used Windows authentication). By default, this file is located at C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\db.properties
db.database.name=ePO_WIN-VICTIM
db.jdbc.driver=jtds
db.param.ssl=request
db.param.USENTLMV2=true
db.instance.name=EPOSERVER
db.user.domain=WIN-VICTIM
db.user.name=Victim
db.port=49327
db.pool.exhausted.action=grow
db.server.name=WIN-VICTIM
db.user.passwd.encrypted.ex2=uo/giUYBfzl9DZwU08iSiA\=\=
I noticed that changing the password to something else using the standard authentication configuration tool located at https://win-victim:8443/core/config-auth
and back again did not alter the ciphertext in any way. This meant that, while the key now changes among installations, it is still static per-install.
Following the Trail
After a long tour of the filesystem, I determined that our JAR of choice was orion-core-common.jar
, located by default at C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\lib\orion-core-common.jar
. After searching around the JAR for a while, I wound up at the createConfig
function located in the DatabaseUtil
class as part of the com.mcafee.orion.core.db.base
package. This function is called whenever the password is changed.

Below is the relevant part of the code:

The Obfuscate Call
Note the single call to MfsPassword.obfuscate
(Seems the McAfee developers also noted the real nature of the “encryption”), passing in a single object and version of encryption to use. By following the call, we notice an interesting getKeyStuff
function.

Following the getKeyStuff
function, we note the number of versions available.

Perhaps version 1 of this function contains the static key mentioned in the Metasploit module? Let’s take a look at the MfsPassword class definition.

Well, they were right, the key was hardcoded. This is version 1 code, though. Surely version 2 would be much more secure? Let’s take a look at getDefaultKeyStuff
.

Seems like it’s building a string from obfuscation.v2.key.registry.key
and obfuscation.v2.key.registry.value
. After a quick search, it lead me to C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\orion.properties

That looks like a promising location, lets see what it does with that value.

So, it looks like it just base64 decodes the value and (not pictured) returns right after. Let’s see if this value fits as a possible AES-128-EBC key.

$ echo l/urC4YpU+5/KthxgBspnA==|base64 -D|hexdump
0000000 97 fb ab 0b 86 29 53 ee 7f 2a d8 71 80 1b 29 9c
16 bytes would fit as a drop in. Let’s take our encrypted password from db.properties
and drop into a new file that can be consumed by openssl. Then we’ll try to use the key we found in the registry to decrypt using AES-128-EBC
.
$ echo uo/giUYBfzl9DZwU08iSiA==|base64 -D>in.key
$ openssl enc -d -aes-128-ecb -in in.key -K $(echo l/urC4YpU+5/KthxgBspnA==|base64 -D|xxd -p)
testing
Summary
It turns out that the key is now in the registry, which (in my installation) can be found at HKLM/SOFTWARE/Wow6432Node/Network Associates/ePolicy Orchestrator/Secured/InstallKey
. Drop the encrypted contents to disk, and decrypt them using openssl like so:
$ echo uo/giUYBfzl9DZwU08iSiA==|base64 -D>in.key
$ openssl enc -d -aes-128-ecb -in in.key -K $(echo l/urC4YpU+5/KthxgBspnA==|base64 -D|xxd -p)
testing
This post will be updated when I (hopefully) get a PR into Metasploit. Happy hunting!