Weak MySQL database root password in LaborOfficeFree affects version 19.10. This vulnerability allows an attacker to calculate the root password of the MySQL database used by LaborOfficeFree using two constants.
Exploit Author: Peter Gabaldon - https://pgj11.com/
Vendor Homepage: https://www.laborofficefree.com/
Software Link: https://www.laborofficefree.com/#plans
Description: LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable.
After installing LaborOfficeFree in testing lab and revesing the backup process, it is possible to determine that it creates a "mysqldump.exe" process with the root user and the password being derived from the string "hola" concated with "00331-20471-98465-AA370" (in this case). This appears to be the license, but it is different from the license shown in the GUI dashboard. This license has to be extracted from memory. From example, attaching a debugger and breaking in the mysqldump process (for that, admin rights are NOT needed).
Also, the app checks if you are an admin to perform the backup and fails if the program is not running as adminsitrator. But, this check is not effective, as it is actually calling mysqldump with a derived password. Thus, administrator right are not needed.
Here is the disassembly piece of the procedure in LaborOfficeFree.exe responsible of calculating the root password.
00506548 | 53 | push ebx | Aqui se hacen el XOR y demas que calcula la pwd :)
00506549 | 56 | push esi |
0050654A | A3 7CFD8800 | mov dword ptr ds:[88FD7C],eax | eax:"hola00331-20471-98465-AA370"
0050654F | 0FB7C2 | movzx eax,dx | eax:"hola00331-20471-98465-AA370"
00506552 | 85C0 | test eax,eax | eax:"hola00331-20471-98465-AA370"
00506554 | 7E 2E | jle laborofficefree.506584 |
00506556 | BA 01000000 | mov edx,1 |
0050655B | 8B1D 7CFD8800 | mov ebx,dword ptr ds:[88FD7C] |
00506561 | 0FB65C13 FF | movzx ebx,byte ptr ds:[ebx+edx-1] |
00506566 | 8B31 | mov esi,dword ptr ds:[ecx] |
00506568 | 81E6 FF000000 | and esi,FF |
0050656E | 33DE | xor ebx,esi |
00506570 | 8B1C9D A40B8800 | mov ebx,dword ptr ds:[ebx*4+880BA4] |
00506577 | 8B31 | mov esi,dword ptr ds:[ecx] |
00506579 | C1EE 08 | shr esi,8 |
0050657C | 33DE | xor ebx,esi |
0050657E | 8919 | mov dword ptr ds:[ecx],ebx |
00506580 | 42 | inc edx |
00506581 | 48 | dec eax | eax:"hola00331-20471-98465-AA370"
00506582 | 75 D7 | jne laborofficefree.50655B |
00506584 | 5E | pop esi |
00506585 | 5B | pop ebx |
00506586 | C3 | ret |
The result number from this procedure is then negated (bitwise NOT) and casted as a signed integer. Note: the address 0x880BA4 stores a constant array of 256 DWORDs entries.
005065C8 | F755 F8 | not dword ptr ss:[ebp-8] |
Running this script produces the root password of the LaborOfficeFree MySQL.
C:\Users\***\Desktop>python myLaborRootPwdCalculator.py
1591779762
C:\Users\***\Desktop>