Bugtraq mailing list archives

Re: Weak password protection in WebSphere 4.0.4 XML configuration export


From: Arun Kumar <akumar () austin ibm com>
Date: 6 Feb 2003 19:30:14 -0000

In-Reply-To: <3E3F9426.4080204 () csnc ch>

This is not a new revelation. Most WebSphere customers should be and 
indeed are aware of the encoded (as opposed to encrypted) passwords. We 
even document this fact in our Infocenter... 
http://www7b.software.ibm.com/wsdd/WASInfoCenter/infocenter/wass_content/050101.html  .....

"
Several of the WebSphere configuration files contain user IDs and 
passwords. These are needed at run time to access external secure 
resources such as databases. Passwords are encoded, not encrypted, to 
deter casual observation of sensitive information. Password encoding 
combined with proper operating system file system security is intended to 
protect the passwords stored in these files. "

Arun Kumar
IBM
WebSphere Customer Support.

Message-ID: <3E3F9426.4080204 () csnc ch>
Date: Tue, 04 Feb 2003 11:21:26 +0100
From: "Jan P. Monsch" <jan.monsch () csnc ch>
To: Bugtraq <bugtraq () securityfocus com>
Subject: Weak password protection in WebSphere 4.0.4 XML configuration export

#############################################################
#
# COMPASS SECURITY                        http://www.csnc.ch/
#
#############################################################
#
# Topic:        WebSphere Advanced Server Edition 4.0.4
# Subject:      Insufficient Password Protection in
#               Configuration Export
# Author:       Jan P. Monsch
# Date:         February 3, 2003
#
#############################################################

Problem:
--------
Passwords in WebSphere XML configuration export are not sufficiently
protected. If the exported configuration gets into the hands of a
malicious user, he or she can deobfuscate passwords easily and can gain
access to the password protected resources.


Workaround:
-----------
Administrators should take care that they export the configuration to an
administrator accessible directory only and destroy the export file
after use.


Vulnerable:
-----------
- WebServer Advanced Server 4.0.4
- other versions might be vulnerable as well


Not vulnerable:
---------------
- Unknown


Details:
--------
WebSphere Advanced Server Edition 4.0.4 offers a management 
functionality which allows an administrator to export the whole 
WebSphere configuration as an XML file. The export includes passwords 
needed for accessing keying material and data sources:

     <jdbc-driver action="update" name="Sample DB Driver">
...
             <config-properties>
                 <property name="serverName" value=""/>
                 <property name="password" value="{xor}KD4sa28="/>
                 <property name="portNumber" value=""/>
                 <property name="databaseName" value="was40"/>
                 <property name="user" value="was40"/>
                 <property name="disable2Phase" value="true"/>
                 <property name="ifxIFXHOST" value=""/>
                 <property name="URL" value=""/>
                 <property name="informixLockModeWait" value=""/>
             </config-properties>
         </data-source>


These passwords are obfuscated and Base64Encoded. Those areas obfuscated 
are marked with the {XOR}-prefix.


The obfuscation algorithm is as follows:
- CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the 
position of the character
- ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)


Deobfuscation process:
- ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
- CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")


Regards Jan


-- 
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG, CSNC

  Tel: +41 55 214 41 67
  Fax: +41 55 214 41 61

E-mail:     jan.monsch () csnc ch
Web site:   http://www.csnc.ch/

"Security Review - Penetration Testing"
_____________________________________________________________




