Windows Store Passwords Using Reversible Encryption Vulnerability

Vulnerability Information

Vulnerability name: Windows Store Passwords Using Reversible Encryption Vulnerability

Vulnerability type: Information disclosure

Severity: Medium

Description: This finding concerns the Windows password storage policy "Store passwords using reversible encryption". Windows is widely deployed on personal computers and servers and supports both enterprise services and everyday use. When this policy is enabled, the system stores user passwords in a form that can be decrypted back to plaintext instead of the one-way hash the account database normally holds. The root cause is therefore an insecure configuration rather than a software defect: the option exists only to support protocols that need the plaintext password (for example CHAP-based remote access and Digest authentication in IIS) and should otherwise remain disabled. An attacker who obtains the stored credential data (local SAM or domain NTDS.dit contents, which already requires administrative-level access) can recover the passwords directly and use them for impersonation, lateral movement or privilege escalation, so although exploitation requires prior access the consequences are severe. Administrators should verify this setting and disable it.

Vendor: Microsoft

Product: Windows

Source: https://github.com/projectdiscovery/nuclei-templates/blob/b740ee6791c0a6d36cac233d23a096ba91d2f060/code%2Fwindows%2Faudit%2Fkisa%2Fpassword-cleartext-encryption.yaml

Type: projectdiscovery/nuclei-templates: github issues

POC details


id: password-cleartext-encryption

info:
  name: Store Passwords Using Reversible Encryption Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure the "Store passwords using reversible encryption" policy is set to Disabled. If enabled, it can allow stored passwords to be retrieved in plaintext, posing a serious security risk.
  impact: |
    If this setting is enabled, attackers could potentially recover user passwords, leading to unauthorized access and compromise of network resources.
  remediation: |
    Disable this policy using one of the following methods:
    - Command Line: Export the security configuration, set ClearTextPassword=0, and reapply it using secedit.
    - GUI: Open Local Security Policy → Account Policies → Password Policy → "Store passwords using reversible encryption" and set it to Disabled.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: code,windows-audit,kisa,account-management,password-policy

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      # Export the local security policy (requires an elevated session);
      # the [System Access] section contains "ClearTextPassword = 0|1"
      secedit /export /cfg C:\cfg.txt | Out-Null
      $cfg = Get-Content C:\cfg.txt | Out-String
      # Remove the export so a copy of the policy is not left on disk
      Remove-Item C:\cfg.txt -ErrorAction SilentlyContinue
      if ($cfg -match "ClearTextPassword\s*=\s*(\d)") {
        $value = $Matches[1]
        if ($value -eq "1") {
          "CLEAR_TEXT_PASSWORD_ENABLED"
        } else {
          "CLEAR_TEXT_PASSWORD_DISABLED"
        }
      } else {
        "CLEAR_TEXT_PASSWORD_NOT_FOUND"
      }

    matchers:
      - type: word
        words:
          - "CLEAR_TEXT_PASSWORD_ENABLED"
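The template above only detects the setting. The script below, an added example that is not part of the original page or of the nuclei template, performs the same audit and, when run with -Fix, carries out the command-line remediation the template describes: it applies a minimal security template with ClearTextPassword = 0 through secedit /configure. The file names under $env:TEMP and the output strings are assumptions chosen for this example; it must be run from an elevated PowerShell session.

```powershell
# Added example; not part of the original page or the nuclei template.
# Audits the local "Store passwords using reversible encryption" setting via
# secedit and, with -Fix, applies a minimal INF that sets ClearTextPassword = 0.
# Run from an elevated PowerShell session. Paths under $env:TEMP are assumptions.
[CmdletBinding()]
param([switch]$Fix)

$exportInf = Join-Path $env:TEMP 'secpol-export.inf'
$fixInf    = Join-Path $env:TEMP 'secpol-fix.inf'
$fixDb     = Join-Path $env:TEMP 'secpol-fix.sdb'

function Get-ClearTextPasswordSetting {
    # secedit writes a UTF-16 INF; Get-Content honours its BOM.
    secedit /export /cfg $exportInf /areas SECURITYPOLICY | Out-Null
    try {
        $line = Get-Content $exportInf |
            Where-Object { $_ -match '^\s*ClearTextPassword\s*=' } |
            Select-Object -First 1
    } finally {
        # Do not leave a copy of the security policy on disk.
        Remove-Item $exportInf -ErrorAction SilentlyContinue
    }
    if ($null -ne $line -and $line -match '=\s*(\d+)') {
        # 1 = reversible encryption enabled, 0 = disabled
        return [int]$Matches[1]
    }
    return $null
}

function Disable-ClearTextPassword {
    # Smallest INF secedit /configure accepts; only the one key is touched.
    $template = @(
        '[Unicode]',
        'Unicode=yes',
        '[System Access]',
        'ClearTextPassword = 0',
        '[Version]',
        'signature="$CHICAGO$"',
        'Revision=1'
    )
    Set-Content -Path $fixInf -Value $template -Encoding Unicode
    secedit /configure /db $fixDb /cfg $fixInf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $fixInf, $fixDb -ErrorAction SilentlyContinue
}

$setting = Get-ClearTextPasswordSetting
if ($null -eq $setting) {
    Write-Output 'CLEAR_TEXT_PASSWORD_NOT_FOUND'
} elseif ($setting -eq 1) {
    Write-Output 'CLEAR_TEXT_PASSWORD_ENABLED'
} else {
    Write-Output 'CLEAR_TEXT_PASSWORD_DISABLED'
}

if ($Fix -and $setting -eq 1) {
    Disable-ClearTextPassword
    # Re-export to confirm the change actually took effect.
    if ((Get-ClearTextPasswordSetting) -eq 0) {
        Write-Output 'CLEAR_TEXT_PASSWORD_DISABLED_AFTER_FIX'
    } else {
        Write-Warning 'Setting is still enabled; on a domain member a GPO may be overriding the local policy.'
    }
}
```

Two caveats when using this on a domain-joined machine. First, the password policy that governs domain accounts comes from the Default Domain Policy GPO, so the local change above only affects local accounts and a domain-level setting must be fixed in Group Policy. Second, reversible storage can also be switched on per user in Active Directory (the "Store password using reversible encryption" account option, bit 0x80 ENCRYPTED_TEXT_PWD_ALLOWED in userAccountControl); such accounts can be listed with Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' and will keep a recoverable password regardless of the policy setting until the flag is cleared and the password is changed.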

http://example.com/2025/07/10/github_2912032414/
Author: lianccc
Published: 10 July 2025