Priva Vendor Backdoor: Hidden Superuser

Advisory ID: L9-16-481
Published: August 13, 2021
Updated: August 19, 2021
Category: Hidden Functionality
Vendor: Priva
Product: Priva Office
Version: 9.0.0

Risk Summary

The Level Nine research team identified a backdoor login function written into the Priva Office application. This backdoor allows complete access to the Priva administrative interface and is not listed in the application user interface as a user account. A weak method is employed by the application to generate the special login password. The research team developed a script that successfully automates the generation of the backdoor password for accessing vulnerable installations.

Technical Details

The Priva application bytecode indicates that when a username of “SUPER___” is provided, the password for this hidden account is compared to a value generated in real time by the internal software function specialPassword(). This function generates the current day's user password from the calendar date. As a result, a threat actor with knowledge of this password generation pattern could abuse it to gain access to any Priva system.
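Because the hidden account does not appear in the user interface, one way to spot its use is to compare login records against the list of provisioned accounts. The following is an added detection example, not code from Level Nine or Priva; it generalizes from the “SUPER___” username to any login by an account missing from the inventory. The log layout, account names and addresses are constructed assumptions.

```python
import re

HIDDEN_USER = "SUPER___"  # hidden username named in this advisory

# Constructed sample data. The log layout, account names and addresses are
# assumptions for illustration, not Priva Office's real log format.
PROVISIONED = {"admin", "operator1", "grower2"}
SAMPLE_LOG = """\
2021-08-10T06:01:12Z login user="operator1" src=10.0.4.17 result=success
2021-08-10T06:44:03Z login user="SUPER___" src=10.0.9.88 result=failure
2021-08-10T06:44:09Z login user="SUPER___" src=10.0.9.88 result=success
2021-08-10T07:20:00Z login user="svc_tmp" src=10.0.4.31 result=failure
2021-08-10T07:21:00Z heartbeat ok
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) login user="(?P<user>[^"]*)" '
    r'src=(?P<src>\S+) result=(?P<result>success|failure)$'
)

def find_unlisted_logins(log_text, provisioned, hidden_user=HIDDEN_USER):
    """Return one finding per login whose user is not a provisioned account."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a login record
        user, result = m["user"], m["result"]
        if user in provisioned:
            continue
        # Compare case-insensitively so case variants of the hidden name are
        # still flagged; whether the application accepts them is unknown.
        is_hidden = user.casefold() == hidden_user.casefold()
        if is_hidden:
            severity = "critical" if result == "success" else "high"
        else:
            severity = "review"
        findings.append({"ts": m["ts"], "user": user, "src": m["src"],
                         "result": result, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_unlisted_logins(SAMPLE_LOG, PROVISIONED):
        print(f"{f['severity']:8} {f['ts']} user={f['user']} "
              f"src={f['src']} {f['result']}")
```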