| शीर्षक | Iperius Iperius Backup <= 8.7.2 Use of Hard-coded Cryptographic Key |
|---|
| विवरण | Iperius Backup <= 8.7.2 stores sensitive user credentials (Domain Administrator, SQL Database, SMTP, FTP, and Cloud Storage passwords) in a local configuration file (IperiusAccounts.ini) encrypted with a hard-coded, static encryption key that is identical across all installations. The application uses AES-256-CBC via the TurboPower LockBox 3 Delphi library with a key derived from a hardcoded Italian-language error message string using a single SHA-1 iteration with non-standard key expansion. Because the encryption key is embedded in the application binary and is machine-independent, an attacker with local read access to the configuration file can decrypt all stored credentials fully offline using a standalone Python script, without access to the target machine or the Iperius Backup application. Alternatively, the application itself can be used as a Decryption Oracle by intercepting the WNetAddConnection2W API call. |
|---|
| स्रोत | ⚠️ https://github.com/VulnaraByte/iperius-backup-security-advisories |
|---|
| उपयोगकर्ता | VulnaraByte (UID 96378) |
|---|
| सबमिशन | 12/03/2026 12:17 PM (4 महीनों पहले) |
|---|
| संयम | 01/04/2026 02:02 PM (20 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 354639 [Enter Software Iperius Backup तक 8.7.2 IperiusAccounts.ini कमजोर एन्क्रिप्शन] |
|---|
| अंक | 20 |
|---|