At work I often come across IBM products: WebSphere Application Server (WAS) and others built on it. And, like everyone, I sometimes forget passwords, especially for test systems or for systems that don't get proper attention.
Once again, not remembering a password, I decided to look at how our application server stores it. After analyzing several configuration files, such as security.xml, wimconfig.xml and resources.xml, I found every password ever entered in the administration console, including the main admin password. They were stored in a form that looks completely harmless at first sight:
serverPassword="{xor}KD4sPjsyNjE="
XOR is of course alarming, but we do not know the key, or whether a salt is used (it could be, but it is not). Recalling from student years the property of XOR that

a ⊕ b = c, a ⊕ c = b

I found the key on a system where the password is known:
283E2C3E3B323631 ⊕ 77617361646D696E = 5F (ASCII '_'), the same for every byte
Of course, the key is always the same, which means the password is effectively stored in plain text: XOR with '_' does not hide it even from users who know nothing about cryptography. Let me remind you that all passwords are stored this way: for keystores, for access to Active Directory, for access to the database, which, given how WAS is typically used, often holds information to which access should be as restricted as possible. Anyone with access to the configuration files automatically becomes the application server administrator and obtains the passwords for databases and other resources.
WebSphere products are quite expensive and out of reach for small and even medium-sized companies. For example, today a WAS license for an average 2-socket x86 server costs about $200,000; WebSphere Portal is several times more expensive. Usually it is not installed on x86, and for RISC the license is even more expensive. They are mainly used in government agencies and the banking sector, where the security requirements are special, for example the separation of roles (OS administrator, database administrator, application server administrator). With passwords stored this way, such separation is technically unrealizable.
I wrote a small script to “remember” passwords on the fly.
# Python 2. Paste the base64 part after the {xor} prefix, e.g. KD4sPjsyNjE=
import base64

char = ''
encoded = raw_input("Enter: ")
data = base64.b64decode(encoded)
for character in data:
    # every byte was XORed with '_' (0x5F); XOR is its own inverse, so apply it again
    # (chr/ord avoids the odd-length hex string that broke decoding for result bytes below 0x10)
    char = char + chr(ord(character) ^ ord('_'))
print 'Password:', char
The algorithm is unchanged in all versions of WAS, including the latest 8.5.5, and in all products based on it: Portal Server, BPM, ESB and others. I hope that in version 8.6, or at least 9, passwords will be encrypted with AES.
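As an added example (not the author's script), the same '_'-XOR/base64 reversal in Python 3 with the `{xor}` prefix handled, plus an audit that lists which attributes in a config file hold such reversibly encoded secrets and whether the file is readable by anyone other than its owner; the function names, the regex and the security.xml fragment are constructed for illustration.

```python
import base64
import os
import re
import stat
import tempfile

XOR_KEY = ord('_')   # 0x5F: the constant every byte is XORed with, as found in the post
# matches attributes such as serverPassword="{xor}KD4sPjsyNjE=" in security.xml / resources.xml
XOR_ATTR_RE = re.compile(r'(\w+)="\{xor\}([A-Za-z0-9+/=]*)"')


def xor_decode(encoded):
    """Undo the {xor} form: base64-decode, then XOR each byte with '_' (XOR is its own inverse)."""
    return bytes(b ^ XOR_KEY for b in base64.b64decode(encoded)).decode('utf-8')


def xor_encode(plaintext):
    """Produce the {xor} form; included only to show it is a reversible encoding, not a hash."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in plaintext.encode('utf-8'))).decode('ascii')


def audit_file(path):
    """List every {xor}-stored secret in a config file and whether non-owners can read the file."""
    mode = os.stat(path).st_mode
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    with open(path, encoding='utf-8') as fh:
        text = fh.read()
    return [
        {'file': path, 'attribute': attr, 'readable_by_others': readable_by_others}
        for attr, _value in XOR_ATTR_RE.findall(text)
    ]


def audit_constructed_sample():
    """Run the audit on a constructed security.xml fragment (not a real WAS file) with mode 0640."""
    sample = ('<security:Security>\n'
              '  <userRegistries serverPassword="{xor}KD4sPjsyNjE="/>\n'
              '  <ldap bindPassword="{xor}KD4sPjsyNjE="/>\n'
              '</security:Security>\n')
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, 'security.xml')
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(sample)
    os.chmod(path, 0o640)   # group-readable: every group member can recover the secrets
    return audit_file(path)


if __name__ == '__main__':
    for finding in audit_constructed_sample():
        print(finding)
```

A real audit would walk the profile's config directory and, for any file with `readable_by_others` set, tighten the permissions rather than decode the values.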