Bugtraq mailing list archives

Weak password protection in WebSphere 4.0.4 XML configuration export


From: "Jan P. Monsch" <jan.monsch () csnc ch>
Date: Tue, 04 Feb 2003 11:21:26 +0100

#############################################################
#
# COMPASS SECURITY                        http://www.csnc.ch/
#
#############################################################
#
# Topic:        WebSphere Advanced Server Edition 4.0.4
# Subject:      Insufficient Password Protection in
#               Configuration Export
# Author:       Jan P. Monsch
# Date:         February 3, 2003
#
#############################################################

Problem:
--------
Passwords in the WebSphere XML configuration export are not sufficiently
protected. If the exported configuration gets into the hands of a
malicious user, he or she can easily deobfuscate the passwords and gain
access to the password-protected resources.


Workaround:
-----------
Administrators should take care that they export the configuration to an
administrator accessible directory only and destroy the export file
after use.


Vulnerable:
-----------
- WebServer Advanced Server 4.0.4
- other versions might be vulnerable as well


Not vulnerable:
---------------
- Unknown


Details:
--------
WebSphere Advanced Server Edition 4.0.4 offers a management functionality which allows an administrator to export the whole WebSphere configuration as an XML file. The export includes passwords needed for accessing keying material and data sources:

     <jdbc-driver action="update" name="Sample DB Driver">
...
             <config-properties>
                 <property name="serverName" value=""/>
                 <property name="password" value="{xor}KD4sa28="/>
                 <property name="portNumber" value=""/>
                 <property name="databaseName" value="was40"/>
                 <property name="user" value="was40"/>
                 <property name="disable2Phase" value="true"/>
                 <property name="ifxIFXHOST" value=""/>
                 <property name="URL" value=""/>
                 <property name="informixLockModeWait" value=""/>
             </config-properties>
         </data-source>


These passwords are obfuscated and Base64-encoded. The obfuscated values are marked with the {XOR} prefix.


The obfuscation algorithm is as follows:
- CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the position of the character
- ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)


Deobfuscation process:
- ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
- CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")


Regards Jan


--
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG, CSNC

  Tel: +41 55 214 41 67
  Fax: +41 55 214 41 61

E-mail:     jan.monsch () csnc ch
Web site:   http://www.csnc.ch/

"Security Review - Penetration Testing"
_____________________________________________________________
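
The scheme described under Details, written out as an added example (not code from the advisory or from IBM). It round-trips the value from the excerpt and lists every `{xor}` property in an export, so an administrator can see which secrets must be treated as disclosed if the file has left a protected directory. The function names, the constructed sample and the one-byte-per-character (Latin-1) handling are assumptions.

```python
import base64
import re

XOR_KEY = ord("_")  # the fixed character named in the advisory
# name="..." value="{xor}..." pairs; prefix matched case-insensitively (assumption)
PROP_RE = re.compile(r'name="([^"]*)"\s+value="\{xor\}([A-Za-z0-9+/=]*)"', re.I)

# Constructed sample, modelled on the excerpt in the advisory.
SAMPLE_EXPORT = '''<config-properties>
    <property name="password" value="{xor}KD4sa28="/>
    <property name="user" value="was40"/>
</config-properties>'''

def obfuscate(password):
    """XOR every character with "_" and Base64-encode, as the advisory describes."""
    raw = bytes(b ^ XOR_KEY for b in password.encode("latin-1"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")

def deobfuscate(value):
    """Reverse the scheme: Base64-decode, then XOR every byte with "_"."""
    if value[:5].lower() != "{xor}":
        raise ValueError("value does not carry the {xor} prefix")
    raw = base64.b64decode(value[5:], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")

def audit_export(xml_text):
    """Return line, property name and secret length for each {xor} value."""
    findings = []
    for lineno, line in enumerate(xml_text.splitlines(), 1):
        for name, b64 in PROP_RE.findall(line):
            try:
                length = len(base64.b64decode(b64, validate=True))
            except ValueError:  # malformed Base64: report it, length unknown
                length = None
            findings.append({"line": lineno, "property": name, "length": length})
    return findings

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print("line %(line)d: %(property)s holds a recoverable secret "
              "(%(length)s characters); rotate it if the file was exposed" % f)
```

No key or secret is involved in the transformation, so the stored value protects the password only against casual reading.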


