Weak password protection in WebSphere 4.0.4 XML configuration export

From: Jan P. Monsch (jan.monschat_private)
Date: Tue Feb 04 2003 - 02:21:26 PST


    #############################################################
    #
    # COMPASS SECURITY                        http://www.csnc.ch/
    #
    #############################################################
    #
    # Topic:        WebSphere Advanced Server Edition 4.0.4
    # Subject:      Insufficient Password Protection in
    #               Configuration Export
    # Author:       Jan P. Monsch
    # Date:         February 3, 2003
    #
    #############################################################
    
    Problem:
    --------
    Passwords in the WebSphere XML configuration export are not sufficiently
    protected. If the exported configuration gets into the hands of a
    malicious user, he or she can easily deobfuscate the passwords and gain
    access to the password-protected resources.
    
    
    Workaround:
    -----------
    Administrators should take care that they export the configuration to an
    administrator accessible directory only and destroy the export file
    after use.
    
    
    Vulnerable:
    -----------
    - WebServer Advanced Server 4.0.4
    - other versions might be vulnerable as well
    
    
    Not vulnerable:
    ---------------
    - Unknown
    
    
    Details:
    --------
    WebSphere Advanced Server Edition 4.0.4 offers a management 
    functionality which allows an administrator to export the whole 
    WebSphere configuration as an XML file. The export includes passwords 
    needed for accessing keying material and data sources:
    
          <jdbc-driver action="update" name="Sample DB Driver">
    ...
                  <config-properties>
                      <property name="serverName" value=""/>
                      <property name="password" value="{xor}KD4sa28="/>
                      <property name="portNumber" value=""/>
                      <property name="databaseName" value="was40"/>
                      <property name="user" value="was40"/>
                      <property name="disable2Phase" value="true"/>
                      <property name="ifxIFXHOST" value=""/>
                      <property name="URL" value=""/>
                      <property name="informixLockModeWait" value=""/>
                  </config-properties>
              </data-source>
    
    
    These passwords are obfuscated and Base64-encoded. The obfuscated 
    values are marked with the {XOR} prefix.
    
    
    The obfuscation algorithm is as follows:
    - CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the 
    position of the character
    - ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)
    
    
    Deobfuscation process:
    - ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
    - CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")
    
    
    Regards Jan
    
    
    -- 
    _____________________________________________________________
    Jan P. Monsch
    Compass Security Network Computing AG, CSNC
    
       Tel: +41 55 214 41 67
       Fax: +41 55 214 41 61
    
    E-mail:     jan.monschat_private
    Web site:   http://www.csnc.ch/
    
    "Security Review - Penetration Testing"
    _____________________________________________________________
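An audit check built on the algorithm described in the advisory, added here as an example and not part of the original message or of any IBM tooling: it scans an export for `{xor}` values and reports which properties hold a recoverable secret without printing the plaintext. The sample input is constructed from the advisory's fragment; the `keyPassword` property and the name-before-value attribute order are assumptions.

```python
import base64
import re

XOR_KEY = ord("_")  # fixed, public constant given in the advisory
# Assumes name= precedes value= as in the advisory's fragment; prefix in either case.
PROP_RE = re.compile(
    r'<property\s+name="([^"]*)"\s+value="\{xor\}([^"]*)"', re.IGNORECASE)

def deobfuscate(b64_value):
    """Base64-decode, then XOR every byte with '_' (the advisory's two steps)."""
    raw = base64.b64decode(b64_value, validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")

def obfuscate(password):
    """Inverse direction, used only to build constructed test values."""
    raw = bytes(b ^ XOR_KEY for b in password.encode("latin-1"))
    return base64.b64encode(raw).decode("ascii")

def audit_export(xml_text):
    """Return one finding per {xor}-protected property, never the plaintext."""
    findings = []
    for lineno, line in enumerate(xml_text.splitlines(), start=1):
        for name, value in PROP_RE.findall(line):
            try:
                length = len(deobfuscate(value))
                status = "recoverable"
            except ValueError:  # binascii.Error is a ValueError subclass
                length, status = None, "malformed"
            findings.append({"line": lineno, "property": name,
                             "status": status, "secret_length": length})
    return findings

# Constructed sample: the advisory's fragment plus one malformed value
# under a hypothetical property name (keyPassword).
SAMPLE = '''<config-properties>
    <property name="password" value="{xor}KD4sa28="/>
    <property name="databaseName" value="was40"/>
    <property name="user" value="was40"/>
    <property name="keyPassword" value="{XOR}@@@"/>
</config-properties>'''

if __name__ == "__main__":
    for finding in audit_export(SAMPLE):
        print(finding)
```

Every property reported as `recoverable` should be treated as a plaintext credential: restrict and then destroy the export as the workaround says, and rotate the password if the file was exposed.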
    


