Bugtraq mailing list archives

Weak password protection in WebSphere 4.0.4 XML configuration export
From: "Jan P. Monsch" <jan.monsch () csnc ch>
Date: Tue, 04 Feb 2003 11:21:26 +0100

#############################################################
#
# COMPASS SECURITY                        http://www.csnc.ch/
#
#############################################################
#
# Topic:        WebSphere Advanced Server Edition 4.0.4
# Subject:      Insufficient Password Protection in
#               Configuration Export
# Author:       Jan P. Monsch
# Date:         February 3, 2003
#
#############################################################

Problem:
--------
Passwords in the WebSphere XML configuration export are not sufficiently
protected. If the exported configuration gets into the hands of a
malicious user, he or she can easily deobfuscate the passwords and gain
access to the password-protected resources.


Workaround:
-----------
Administrators should take care to export the configuration only to a
directory that is accessible to administrators alone, and to destroy the
export file after use.


Vulnerable:
-----------
- WebServer Advanced Server 4.0.4
- other versions might be vulnerable as well


Not vulnerable:
---------------
- Unknown


Details:
--------
WebSphere Advanced Server Edition 4.0.4 offers management functionality that allows an administrator to export the whole WebSphere configuration as an XML file. The export includes the passwords needed for accessing keying material and data sources:

     <jdbc-driver action="update" name="Sample DB Driver">
...
             <config-properties>
                 <property name="serverName" value=""/>
                 <property name="password" value="{xor}KD4sa28="/>
                 <property name="portNumber" value=""/>
                 <property name="databaseName" value="was40"/>
                 <property name="user" value="was40"/>
                 <property name="disable2Phase" value="true"/>
                 <property name="ifxIFXHOST" value=""/>
                 <property name="URL" value=""/>
                 <property name="informixLockModeWait" value=""/>
             </config-properties>
         </data-source>


These passwords are obfuscated and Base64-encoded. Obfuscated values are marked with the {xor} prefix.


The obfuscation algorithm is as follows:
- CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the position of the character
- ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)


Deobfuscation process:
- ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
- CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")


Regards Jan


--
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG, CSNC

  Tel: +41 55 214 41 67
  Fax: +41 55 214 41 61

E-mail:     jan.monsch () csnc ch
Web site:   http://www.csnc.ch/

"Security Review - Penetration Testing"
_____________________________________________________________
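
Added example (not part of the original advisory, and not IBM's or Compass Security's code): a Python audit helper that applies the algorithm described under Details to find every {xor}-marked value in an exported configuration and confirm that it is recoverable, so the file can be handled as if it held plaintext passwords. The function names, the reduced sample XML and the latin-1 byte mapping are assumptions made for the example.

```python
import base64
import xml.etree.ElementTree as ET

KEY = ord("_")    # single-character XOR key given in the advisory
PREFIX = "{xor}"  # marker as it appears in the exported XML

# Constructed sample: a reduced, well-formed version of the fragment above.
SAMPLE_EXPORT = """\
<data-source>
  <config-properties>
    <property name="password" value="{xor}KD4sa28="/>
    <property name="databaseName" value="was40"/>
    <property name="user" value="was40"/>
  </config-properties>
</data-source>
"""

def obfuscate(password):
    """Forward direction: XOR every byte with '_', then Base64-encode."""
    raw = bytes(b ^ KEY for b in password.encode("latin-1"))  # assumed byte mapping
    return PREFIX + base64.b64encode(raw).decode("ascii")

def deobfuscate(value):
    """Reverse direction: Base64-decode, then XOR every byte with '_'."""
    if not value.lower().startswith(PREFIX):
        raise ValueError("value does not carry the {xor} marker")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    return bytes(b ^ KEY for b in raw).decode("latin-1")

def audit_export(xml_text):
    """Return one finding per attribute whose value is {xor}-obfuscated."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if not value.lower().startswith(PREFIX):
                continue
            try:
                recovered = deobfuscate(value)
            except ValueError:  # malformed Base64: flag it, keep scanning
                recovered = None
            findings.append({"element": elem.tag,
                             "name": elem.get("name", attr),
                             "recovered": recovered})
    return findings

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        state = "recoverable" if f["recovered"] is not None else "malformed"
        print(f"<{f['element']}> {f['name']}: {state}, treat as plaintext")
```
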
