Priva Vendor Backdoor: Hidden Superuser – Level Nine Group

Unranked
Advisory ID: L9-16-481
First Published: August 13th, 2021
Last Updated: January 18th, 2024
Version: 9.0.0
Category: Hidden Functionality
Vendor: Priva
Product: Priva Office

Risk Summary

The Level Nine research team identified a backdoor login function written into the Priva Office application. This backdoor allows complete access to the Priva administrative interface and is not listed in the application user interface as a user account. A weak method is employed by the application to generate the special login password. The research team developed a script that successfully automates the generation of the backdoor password for accessing vulnerable installations.

Technical Details

The Priva application bytecode indicates that when a username of “SUPER___” is provided, the password for this hidden account is compared to a value generated in real time by the internal software function specialPassword(). This function derives the password for the current day from the calendar date. As a result, a threat actor with knowledge of this password generation pattern could abuse it to gain access to any Priva system.
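Because the hidden account never appears in the user interface, authentication logs are the practical place to look for its use. The following is an added detection example, not code from the advisory or from Priva: the key=value log layout, the sample lines and the function names are assumptions made for illustration, and only the account name comes from the advisory.

```python
import re
from collections import defaultdict

# Hidden account name reported in the advisory.
BACKDOOR_USER = "SUPER___"

# Assumed (hypothetical) key=value log layout; adapt the pattern to the
# format your Priva host, reverse proxy or SIEM actually records.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+event=login\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>success|failure)\s*$"
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
2024-01-18T09:14:02Z event=login user=jdoe src=10.0.4.17 result=success
2024-01-18T09:15:40Z event=login user=SUPER___ src=203.0.113.25 result=failure
2024-01-18T09:15:44Z event=login user=SUPER___ src=203.0.113.25 result=success
2024-01-18T09:20:11Z event=login user=super___ src=198.51.100.7 result=failure
2024-01-18T09:21:00Z event=logout user=jdoe src=10.0.4.17
malformed line without fields
"""

def find_backdoor_logins(log_text):
    """Return {source: {"success": [timestamps], "failure": [timestamps]}}
    for every login attempt that names the hidden account."""
    hits = defaultdict(lambda: {"success": [], "failure": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other event types and unparseable lines
        # Case-insensitive compare: whether the application folds case is
        # not stated in the advisory, so treat any casing as suspicious.
        if m["user"].upper() != BACKDOOR_USER:
            continue
        hits[m["src"]][m["result"]].append(m["ts"])
    return dict(hits)

def triage(hits):
    """Sources with a successful login sort first: those sessions held
    full administrative access and need incident response."""
    return sorted(hits, key=lambda s: (not hits[s]["success"], s))

if __name__ == "__main__":
    found = find_backdoor_logins(SAMPLE_LOG)
    for src in triage(found):
        print(src, found[src])
```

Any hit is worth investigating, since no legitimate user is provisioned under this name; a failed attempt still shows that someone knows the account exists.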