Summary
The collector writes its output JSON with mode 0644, making the file readable by every local user even though the JSON contains sensitive cryptographic material extracted from msDS-KeyCredentialLink (private/public key components, modulus, prime factors, hashes).
Location
- File(s): main.go
- Line(s) / function(s): main() at L132 — os.WriteFile(outputFile, []byte(jsonData), 0644)
Category
security
Severity
high
Impact: any local user on the host where the collector is run can read the exported file and harvest key material that would otherwise be protected by Active Directory ACLs. The collector is typically run by privileged users during AD assessments, so the file commonly contains organisation-wide credentials.
Reproduction / Evidence
Verified by code analysis:
- L132: os.WriteFile(outputFile, []byte(jsonData), 0644) — sets file mode rw-r--r-- (0644).
- The JSON written via og.ExportJSON includes properties set in parse.go such as D (ECC private scalar, L149), PrivateExponent (DSA, L99), Prime1/Prime2/PublicExponent/Modulus (RSA, L125–L128), and KeyHash (L69). These are sensitive secrets that should not be world-readable.
Expected Behavior
The output file should be created with restrictive permissions — 0600 (rw-------) at most — so only the user running the collector can read it.
Actual Behavior
File is created with 0644, readable by any local user.
Root Cause
Hardcoded 0644 permission flag in the os.WriteFile call, with no consideration that the payload contains private/sensitive cryptographic material.