Re: Weak password protection in WebSphere 4.0.4 XML configuration export

In-Reply-To: <3E3F9426.4080204@csnc.ch>

This is not a new revelation. Most WebSphere customers should be and 
indeed are aware of the encoded (as opposed to encrypted) passwords. We 
even document this fact in our Infocenter:
http://www7b.software.ibm.com/wsdd/WASInfoCenter/infocenter/wass_content/050101.html

"
Several of the WebSphere configuration files contain user IDs and 
passwords. These are needed at run time to access external secure 
resources such as databases. Passwords are encoded, not encrypted, to 
deter casual observation of sensitive information. Password encoding 
combined with proper operating system file system security is intended to 
protect the passwords stored in these files. "

Arun Kumar
IBM
WebSphere Customer Support.

>Message-ID: <3E3F9426.4080204@csnc.ch>
>Date: Tue, 04 Feb 2003 11:21:26 +0100
>From: "Jan P. Monsch" <jan.monsch@csnc.ch>
>To: Bugtraq <bugtraq@securityfocus.com>
>Subject: Weak password protection in WebSphere 4.0.4 XML configuration export
>
>#############################################################
>#
># COMPASS SECURITY                        http://www.csnc.ch/
>#
>#############################################################
>#
># Topic:        WebSphere Advanced Server Edition 4.0.4
># Subject:      Insufficient Password Protection in
>#               Configuration Export
># Author:       Jan P. Monsch
># Date:         February 3, 2003
>#
>#############################################################
>
>Problem:
>--------
>Passwords in WebSphere XML configuration export are not sufficiently
>protected. If the exported configuration gets into the hands of a
>malicious user, he or she can deobfuscate passwords easily and can gain
>access to the password protected resources.
>
>
>Workaround:
>-----------
>Administrators should take care that they export the configuration to an
>administrator accessible directory only and destroy the export file
>after use.
>
>
>Vulnerable:
>-----------
>- WebServer Advanced Server 4.0.4
>- other versions might be vulnerable as well
>
>
>Not vulnerable:
>---------------
>- Unknown
>
>
>Details:
>--------
>WebSphere Advanced Server Edition 4.0.4 offers a management 
>functionality which allows an administrator to export the whole 
>WebSphere configuration as an XML file. The export includes passwords 
>needed for accessing keying material and data sources:
>
>      <jdbc-driver action="update" name="Sample DB Driver">
>...
>              <config-properties>
>                  <property name="serverName" value=""/>
>                  <property name="password" value="{xor}KD4sa28="/>
>                  <property name="portNumber" value=""/>
>                  <property name="databaseName" value="was40"/>
>                  <property name="user" value="was40"/>
>                  <property name="disable2Phase" value="true"/>
>                  <property name="ifxIFXHOST" value=""/>
>                  <property name="URL" value=""/>
>                  <property name="informixLockModeWait" value=""/>
>              </config-properties>
>          </data-source>
>
>
>These passwords are obfuscated and Base64Encoded. Those areas obfuscated 
>are marked with the {XOR}-prefix.
>
>
>The obfuscation algorithm is as follows:
>- CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the 
>  position of the character
>- ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)
>
>
>Deobfuscation process:
>- ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
>- CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")
>
>
>Regards Jan
>
>
>-- 
>_____________________________________________________________
>Jan P. Monsch
>Compass Security Network Computing AG, CSNC
>
>   Tel: +41 55 214 41 67
>   Fax: +41 55 214 41 61
>
>E-mail:     jan.monsch@csnc.ch
>Web site:   http://www.csnc.ch/
>
>"Security Review - Penetration Testing"
>_____________________________________________________________
>
>
>
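
The encoding described in the advisory, and the workaround of keeping the export administrator-only, as an added audit example that is not part of either original message. It assumes a POSIX file system; the function names and the sample XML are hypothetical, and the sample is constructed from the excerpt quoted above.

```python
import base64
import os
import stat
import xml.etree.ElementTree as ET

KEY = ord("_")  # single-byte XOR key given in the advisory

def xor_encode(password: str) -> str:
    raw = bytes(b ^ KEY for b in password.encode("latin-1"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")

def xor_decode(value: str) -> str:
    if not value.lower().startswith("{xor}"):
        raise ValueError("not an {xor}-encoded value")
    raw = base64.b64decode(value[5:], validate=True)
    return bytes(b ^ KEY for b in raw).decode("latin-1")

# Constructed sample modelled on the excerpt in the advisory (not a real export).
SAMPLE_EXPORT = """<data-source action="update" name="Sample DB">
  <config-properties>
    <property name="password" value="{xor}KD4sa28="/>
    <property name="databaseName" value="was40"/>
    <property name="user" value="was40"/>
  </config-properties>
</data-source>"""

def audit_export(xml_text: str) -> list:
    """Report every reversible {xor} value without echoing the secret itself."""
    findings = []
    root = ET.fromstring(xml_text)
    for block in root.iter("config-properties"):
        props = {p.get("name"): p.get("value", "") for p in block.iter("property")}
        for name, value in props.items():
            if value.lower().startswith("{xor}"):
                secret = xor_decode(value)
                findings.append({
                    "property": name,
                    "length": len(secret),
                    # Hygiene check: password identical to the account name.
                    "same_as_user": secret == props.get("user"),
                })
    return findings

def export_is_exposed(path: str) -> bool:
    """True if group or other has any access to the export file (POSIX modes)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
```

Any finding from `audit_export` means the file holds a credential that anyone with read access can recover, so the export should be treated like a plaintext password file.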

