BugTraq
Re: Weak password protection in WebSphere 4.0.4 XML configuration export Feb 06 2003 07:30PM
Arun Kumar (akumar austin ibm com)
In-Reply-To: <3E3F9426.4080204 (at) csnc (dot) ch [email concealed]>

This is not a new revelation. Most WebSphere customers should be and
indeed are aware of the encoded (as opposed to encrypted) passwords. We
even document this fact in our Infocenter...

http://www7b.software.ibm.com/wsdd/WASInfoCenter/infocenter/wass_content/050101.html .....

"Several of the WebSphere configuration files contain user IDs and
passwords. These are needed at run time to access external secure
resources such as databases. Passwords are encoded, not encrypted, to
deter casual observation of sensitive information. Password encoding
combined with proper operating system file system security is intended to
protect the passwords stored in these files."

Arun Kumar
IBM
WebSphere Customer Support.

>Message-ID: <3E3F9426.4080204 (at) csnc (dot) ch [email concealed]>

>Date: Tue, 04 Feb 2003 11:21:26 +0100

>From: "Jan P. Monsch" <jan.monsch (at) csnc (dot) ch [email concealed]>

>To: Bugtraq <bugtraq (at) securityfocus (dot) com [email concealed]>

>Subject: Weak password protection in WebSphere 4.0.4 XML configuration export

>
>#############################################################
>#
># COMPASS SECURITY http://www.csnc.ch/
>#
>#############################################################
>#
># Topic: WebSphere Advanced Server Edition 4.0.4
># Subject: Insufficient Password Protection in
># Configuration Export
># Author: Jan P. Monsch
># Date: February 3, 2003
>#
>#############################################################
>
>Problem:
>--------
>Passwords in WebSphere XML configuration export are not sufficiently
>protected. If the exported configuration gets into the hands of a
>malicious user, he or she can deobfuscate passwords easily and can gain
>access to the password protected resources.
>
>
>Workaround:
>-----------
>Administrators should take care that they export the configuration to an
>administrator accessible directory only and destroy the export file
>after use.
>
>
>Vulnerable:
>-----------
>- WebServer Advanced Server 4.0.4
>- other versions might be vulnerable as well
>
>
>Not vulnerable:
>---------------
>- Unknown
>
>
>Details:
>--------
>WebSphere Advanced Server Edition 4.0.4 offers a management
>functionality which allows an administrator to export the whole
>WebSphere configuration as an XML file. The export includes passwords
>needed for accessing keying material and data sources:
>
>  <jdbc-driver action="update" name="Sample DB Driver">
>...
>    <config-properties>
>      <property name="serverName" value=""/>
>      <property name="password" value="{xor}KD4sa28="/>
>      <property name="portNumber" value=""/>
>      <property name="databaseName" value="was40"/>
>      <property name="user" value="was40"/>
>      <property name="disable2Phase" value="true"/>
>      <property name="ifxIFXHOST" value=""/>
>      <property name="URL" value=""/>
>      <property name="informixLockModeWait" value=""/>
>    </config-properties>
>  </data-source>
>
>
>These passwords are obfuscated and Base64Encoded. Those areas obfuscated
>are marked with the {XOR}-prefix.
>
>
>The obfuscation algorithm is as follows:
>- CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the
>position of the character
>- ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)
>
>
>Deobfuscation process:
>- ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
>- CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")
>
>
>Regards Jan
>
>
>--
>_____________________________________________________________
>Jan P. Monsch
>Compass Security Network Computing AG, CSNC
>
> Tel: +41 55 214 41 67
> Fax: +41 55 214 41 61
>
>E-mail: jan.monsch (at) csnc (dot) ch [email concealed]
>Web site: http://www.csnc.ch/
>
>"Security Review - Penetration Testing"
>_____________________________________________________________
>
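
Added example, not part of either post and not IBM's code: a Python audit helper that applies the XOR-with-"_" plus Base64 scheme described in the quoted advisory to find `{xor}` values in a configuration export, so they can be handled as plaintext-equivalent credentials. The `<config-export>` root element and `SAMPLE_EXPORT` are constructed for illustration; the `{xor}KD4sa28=` value is the one quoted in the advisory.

```python
import base64
import xml.etree.ElementTree as ET

XOR_KEY = ord("_")   # fixed single-byte key stated in the advisory
PREFIX = "{xor}"     # marker on encoded values (matched case-insensitively)

def encode_xor(password: str) -> str:
    """Encode as the advisory describes: XOR each byte with '_', then Base64."""
    raw = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")

def decode_xor(value: str) -> str:
    """Reverse the encoding: Base64-decode, then XOR each byte with '_'."""
    if not value.lower().startswith(PREFIX):
        raise ValueError("value does not carry the {xor} prefix")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")

def audit_export(xml_text: str) -> list:
    """List every attribute holding an {xor} value, without printing the secret."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if not value.lower().startswith(PREFIX):
                continue
            try:
                length = len(decode_xor(value))   # proves it is recoverable
            except ValueError:                    # bad Base64 or bad UTF-8
                length = None
            findings.append({
                "element": elem.tag,
                "name": elem.get("name", attr),
                "recoverable": length is not None,
                "length": length,
            })
    return findings

# Constructed sample, modelled on the fragment quoted in the advisory.
SAMPLE_EXPORT = """<config-export>
  <data-source action="update" name="Sample DataSource">
    <config-properties>
      <property name="user" value="was40"/>
      <property name="password" value="{xor}KD4sa28="/>
      <property name="databaseName" value="was40"/>
    </config-properties>
  </data-source>
</config-export>"""

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```

Any finding marked recoverable means the export file needs the same file-system protection and disposal as a file holding the password in clear text.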
