Bugtraq mailing list archives
Re: Weak password protection in WebSphere 4.0.4 XML configuration export
From: Arun Kumar <akumar () austin ibm com>
Date: 6 Feb 2003 19:30:14 -0000
In-Reply-To: <3E3F9426.4080204 () csnc ch> This is not a new revelation. Most Websphere customers should be and indeed are aware of the encoded (as opposed to encrypted) passwords. We even document this fact in our Infocenter... http://www7b.software.ibm.com/wsdd/WASInfoCenter/infocenter/wass_content/05 0101.html ..... " Several of the WebSphere configuration files contain user IDs and passwords. These are needed at run time to access external secure resources such as databases. Passwords are encoded, not encrypted, to deter casual observation of sensitive information. Password encoding combined with proper operating system file system security is intended to protect the passwords stored in these files. " Arun Kumar IBM WebSphere Customer Support.
Received: (qmail 24724 invoked from network); 4 Feb 2003 17:07:43 -0000 Received: from outgoing3.securityfocus.com (205.206.231.27) by mail.securityfocus.com with SMTP; 4 Feb 2003 17:07:43 -0000 Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
by outgoing3.securityfocus.com (Postfix) with QMQP id 0720AA30ED; Tue, 4 Feb 2003 09:48:15 -0700 (MST) Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq () securityfocus com> List-Help: <mailto:bugtraq-help () securityfocus com> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com> Delivered-To: mailing list bugtraq () securityfocus com Delivered-To: moderator for bugtraq () securityfocus com Received: (qmail 24317 invoked from network); 4 Feb 2003 10:19:58 -0000 Message-ID: <3E3F9426.4080204 () csnc ch> Date: Tue, 04 Feb 2003 11:21:26 +0100 From: "Jan P. Monsch" <jan.monsch () csnc ch> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3)
Gecko/20020523
X-Accept-Language: en-us, en To: Bugtraq <bugtraq () securityfocus com> Subject: Weak password protection in WebSphere 4.0.4 XML configuration
export
Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit ############################################################# # # COMPASS SECURITY http://www.csnc.ch/ # ############################################################# # # Topic: WebSphere Advanced Server Edition 4.0.4 # Subject: Insufficient Password Protection in # Configuration Export # Author: Jan P. Monsch # Date: February 3, 2003 # ############################################################# Problem: -------- Passwords in WebSphere XML configruation export are not sufficiently protected. If the exported configuration gets into the hands of a malicous user, he or she can deobfuscated passworts easily and can gain access to the password protected resources. Workaround: ----------- Administrators should take care that they export the configuration to an administrator accessible directory only and destroy the export file after use. Vulnerable: ----------- - WebServer Advanced Server 4.0.4 - other versions might be vulnerable as well Not vulnerable: --------------- - Unknown Details: -------- WebSphere Advanced Server Edition 4.0.4 offers a management functionality which allows an administrator to export the whole WebSphere configuration as an XML file. The export includes passwords needed for accessing keying material and data sources: <jdbc-driver action="update" name="Sample DB Driver"> ... <config-properties> <property name="serverName" value=""/> <property name="password" value="{xor}KD4sa28="/> <property name="portNumber" value=""/> <property name="databaseName" value="was40"/> <property name="user" value="was40"/> <property name="disable2Phase" value="true"/> <property name="ifxIFXHOST" value=""/> <property name="URL" value=""/> <property name="informixLockModeWait" value=""/> </config-properties> </data-source> These passwords are obfuscated and Base64Encoded. Those areas obfuacated are marked with the {XOR}-prefix. The obfuscation algorithm is as follows: - CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"),where n is the position of the character - ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword) Deobfuscation process: - ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded) - CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_") Regards Jan -- _____________________________________________________________ Jan P. Monsch Compass Security Network Computing AG, CSNC Tel: +41 55 214 41 67 Fax: +41 55 214 41 61 E-mail: jan.monsch () csnc ch Web site: http://www.csnc.ch/ "Security Review - Penetration Testing" _____________________________________________________________
Current thread:
- Re: Weak password protection in WebSphere 4.0.4 XML configuration export Arun Kumar (Feb 06)