
As with any internet-facing server, remote code execution on CentreStack or Triofox can lead to malware deployment, backdoor persistence, and credential theft. Huntress urged all CentreStack/Triofox customers to update to the latest version, 16.12.10420.56791, saying nine of its enterprise customers had already been affected.
Hardcoded keys, harder consequences
At the core of the issue is a design failure in how CentreStack and Triofox generate the cryptographic keys used to encrypt the access tokens the platforms use to control who can retrieve which files. Huntress found that the server relies on a function called “GenerateSecKey()” to produce the AES key and initialization vector (IV) for ticket encryption. Instead of generating unique values, however, the function returns the same static 100-byte strings every time the service runs, so the “generated” key material is effectively a constant baked into the product.
“Because the keys never change, we could extract them from memory once and use them to decrypt any ticket generated by the server or, worse, encrypt our own,” the researchers said, adding that the keys were static strings of Chinese and Japanese text.
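To make the failure mode concrete, here is an added example; it is not Huntress's or the vendor's code, and the GenerateSecKey() stand-in, the key, the IV and the `user=...;path=...` ticket format are all constructed for illustration rather than taken from the product. AES-CBC with PKCS#7 padding is also an assumption, since the article names only a key and an IV. The weak half models a ticket encrypter whose key generator returns constants, and shows that whoever recovers those constants can mint a ticket the server decrypts as genuine; the hardened half beside it draws a random key per deployment and uses AES-GCM, so a ticket cannot be forged or altered without that key and one instance's tickets are rejected by another.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// Constructed stand-ins for the static key/IV the article says GenerateSecKey() returns on
// every run. Not the product's real values; CBC/PKCS#7 is an assumed mode for illustration.
var (
	staticKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	staticIV  = []byte("fixed-iv-16bytes")                 // 16 bytes, identical on every start
)

// generateSecKeyStatic mirrors the flaw: a "generator" that is really a constant.
func generateSecKeyStatic() (key, iv []byte) { return staticKey, staticIV }

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptTicketStatic models the weak design: AES-CBC, fixed key, fixed IV, no integrity tag.
func EncryptTicketStatic(ticket string) string {
	key, iv := generateSecKeyStatic()
	block, _ := aes.NewCipher(key) // constant 32-byte key: NewCipher cannot fail
	pt := pkcs7Pad([]byte(ticket))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.RawURLEncoding.EncodeToString(ct)
}

// DecryptTicketStatic is the server side: it cannot tell a forged token from one it issued.
func DecryptTicketStatic(token string) (string, error) {
	key, iv := generateSecKeyStatic()
	ct, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("malformed token")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	out, err := pkcs7Unpad(pt)
	return string(out), err
}

// ForgeTicket is the attacker side: with the constants recovered once, mint any ticket offline.
func ForgeTicket(user, path string) string {
	return EncryptTicketStatic("user=" + user + ";path=" + path)
}

// TicketSealer is the hardened shape: a random per-deployment key plus AES-GCM (authenticated).
type TicketSealer struct{ aead cipher.AEAD }

func NewTicketSealer() (*TicketSealer, error) {
	key := make([]byte, 32) // drawn from the OS CSPRNG, never a compiled-in constant
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block: cannot fail
	return &TicketSealer{aead: aead}, nil
}

func (s *TicketSealer) Seal(ticket string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce per ticket
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(ticket), nil) // nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

func (s *TicketSealer) Open(token string) (string, error) {
	ct, err := base64.RawURLEncoding.DecodeString(token)
	ns := s.aead.NonceSize()
	if err != nil || len(ct) < ns+s.aead.Overhead() {
		return "", errors.New("malformed token")
	}
	pt, err := s.aead.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return "", errors.New("ticket rejected: wrong key or tampered")
	}
	return string(pt), nil
}
```

Two properties of the weak half are worth noticing beyond forgery: the fixed IV makes the output deterministic, so identical tickets produce identical tokens, and CBC without an authentication tag gives the server no way to detect a modified ciphertext. In the hardened half, each `Seal` draws a fresh nonce, `Open` fails on any tampering, and because each `TicketSealer` holds its own random key, a token minted on one instance is rejected by another.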
