From: Jan P. Monsch (jan.monsch_at_csnc.ch)
Date: Tue Feb 04 2003 - 04:21:26 CST

    #############################################################
    #
    # COMPASS SECURITY http://www.csnc.ch/
    #
    #############################################################
    #
    # Topic: WebSphere Advanced Server Edition 4.0.4
    # Subject: Insufficient Password Protection in
    # Configuration Export
    # Author: Jan P. Monsch
    # Date: February 3, 2003
    #
    #############################################################

    Problem:
    --------
    Passwords in the WebSphere XML configuration export are not sufficiently
    protected. If the exported configuration gets into the hands of a
    malicious user, he or she can easily deobfuscate the passwords and gain
    access to the password-protected resources.

    Workaround:
    -----------
    Administrators should take care that they export the configuration to an
    administrator accessible directory only and destroy the export file
    after use.

    Vulnerable:
    -----------
    - WebSphere Advanced Server 4.0.4
    - other versions might be vulnerable as well

    Not vulnerable:
    ---------------
    - Unknown

    Details:
    --------
    WebSphere Advanced Server Edition 4.0.4 offers a management
    functionality which allows an administrator to export the whole
    WebSphere configuration as an XML file. The export includes passwords
    needed for accessing keying material and data sources:

          <jdbc-driver action="update" name="Sample DB Driver">
    ...
                  <config-properties>
                      <property name="serverName" value=""/>
                      <property name="password" value="{xor}KD4sa28="/>
                      <property name="portNumber" value=""/>
                      <property name="databaseName" value="was40"/>
                      <property name="user" value="was40"/>
                      <property name="disable2Phase" value="true"/>
                      <property name="ifxIFXHOST" value=""/>
                      <property name="URL" value=""/>
                      <property name="informixLockModeWait" value=""/>
                  </config-properties>
              </data-source>

    These passwords are obfuscated and Base64-encoded. The obfuscated values
    are marked with the {xor} prefix.

    The obfuscation algorithm is as follows:
    - CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the
    position of the character
    - ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)

    Deobfuscation process:
    - ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
    - CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")

    Regards Jan

    -- 
    _____________________________________________________________
    Jan P. Monsch
    Compass Security Network Computing AG, CSNC
    

    Tel: +41 55 214 41 67 Fax: +41 55 214 41 61

    E-mail: jan.monsch_at_csnc.ch Web site: http://www.csnc.ch/

    "Security Review - Penetration Testing"
    _____________________________________________________________
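
The following audit script is an added example, not part of the original advisory or of any IBM tooling. It applies the scheme described under "Details" to a constructed export fragment and reports which properties hold reversible {xor} values and whether the recovered secret repeats another value in the same property group, without printing the secret. The function names, the sample XML and the Latin-1 character assumption are assumptions of this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

XOR_KEY = ord("_")  # fixed key character given in the advisory
PREFIX = re.compile(r"^\{xor\}", re.IGNORECASE)

# Constructed sample modelled on the export excerpt in the advisory.
SAMPLE_EXPORT = """<data-source name="Sample DataSource">
  <config-properties>
    <property name="password" value="{xor}KD4sa28="/>
    <property name="databaseName" value="was40"/>
    <property name="user" value="was40"/>
  </config-properties>
</data-source>"""

def deobfuscate(value):
    """Reverse the {xor} encoding: Base64-decode, then XOR each byte with '_'."""
    raw = base64.b64decode(PREFIX.sub("", value), validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")  # assumed charset

def obfuscate(password):
    """Forward direction, used to confirm that the scheme round-trips."""
    raw = bytes(b ^ XOR_KEY for b in password.encode("latin-1"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")

def audit_export(xml_text):
    """Return one finding per {xor} value: the property name, whether it is
    recoverable, and which sibling properties carry the same value."""
    findings = []
    for group in ET.fromstring(xml_text).iter("config-properties"):
        props = {p.get("name"): p.get("value", "") for p in group.iter("property")}
        for name, value in props.items():
            if not PREFIX.match(value):
                continue
            try:
                secret = deobfuscate(value)
            except ValueError:  # malformed Base64 after the prefix
                findings.append({"property": name, "recoverable": False, "reused": []})
                continue
            reused = sorted(k for k, v in props.items()
                            if secret and k != name and v == secret)
            findings.append({"property": name, "recoverable": True, "reused": reused})
    return findings

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```

Any property reported as recoverable should be handled as a plaintext credential: restrict access to the export file, destroy it after use as the workaround says, and rotate the password if the file has left an administrator-only location.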