IBM WebSphere Exported XML Weak Password Encoding Vulnerability

Vulnerability ID: 1203095    Vulnerability type: Cryptographic issue
Published: 2003-02-06    Updated: 2003-12-31
CVE ID: CVE-2003-1447    CNNVD-ID: CNNVD-200312-459
Platform: N/A    CVSS score: 1.9
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007100098
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-459
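|Vulnerability details
WebSphere is a commercial web server program developed and maintained by IBM. When IBM WebSphere exports its configuration file, the passwords it contains are not encoded strongly enough, and a local attacker can exploit this vulnerability to easily crack the encoded passwords. WebSphere allows administrators to export the configuration file, but the passwords in the export are stored using a weak algorithm; an attacker who can obtain the XML configuration file can readily decode the passwords.
|Vulnerability EXP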
#############################################################
#
# COMPASS SECURITY                        http://www.csnc.ch/
#
#############################################################
#
# Topic:        WebSphere Advanced Server Edition 4.0.4
# Subject:      Insufficient Password Protection in
#               Configuration Export
# Author:       Jan P. Monsch
# Date:         February 3, 2003
#
#############################################################

Problem:
--------
Passwords in WebSphere XML configuration export are not sufficiently
protected. If the exported configuration gets into the hands of a
malicious user, he or she can deobfuscate passwords easily and can gain
access to the password protected resources.

Workaround:
-----------
Administrators should take care that they export the configuration to an
administrator accessible directory only and destroy the export file
after use.

Vulnerable:
-----------
- WebServer Advanced Server 4.0.4
- other versions might be vulnerable as well

Not vulnerable:
---------------
- Unknown

Details:
--------
WebSphere Advanced Server Edition 4.0.4 offers a management 
functionality which allows an administrator to export the whole 
WebSphere configuration as an XML file. The export includes passwords 
needed for accessing keying material and data sources:

<jdbc-driver action="update" name="Sample DB Driver">
...
              <config-properties>
                  <property name="serverName" value=""/>
                  <property name="password" value="{xor}KD4sa28="/>
                  <property name="portNumber" value=""/>
                  <property name="databaseName" value="was40"/>
                  <property name="user" value="was40"/>
                  <property name="disable2Phase" value="true"/>
                  <property name="ifxIFXHOST" value=""/>
                  <property name="URL" value=""/>
                  <property name="informixLockModeWait" value=""/>
              </config-properties>
          </data-source>

These passwords are obfuscated and Base64 encoded. Those areas obfuscated
are marked with the {XOR}-prefix.

The obfuscation algorithm is as follows:
- CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the
position of the character
- ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)

Deobfuscation process:
- ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
- CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")

Regards Jan

-- 
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG, CSNC

Tel: +41 55 214 41 67
Fax: +41 55 214 41 61

E-mail:     jan.monsch (at) csnc (dot) ch
Web site:   http://www.csnc.ch/

"Security Review - Penetration Testing"
_____________________________________________________________
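
Added example, not part of the original advisory or of IBM's code: a Python audit helper that finds {xor} values in an exported configuration and checks whether they reverse under the scheme the advisory documents, reporting line and property name rather than the plaintext. The function names, the sample export and its keyPass property are constructed for illustration; the password value is the one from the advisory's excerpt.

```python
import base64
import re

XOR_KEY = ord("_")   # fixed constant named in the advisory (0x5F)
PREFIX = "{xor}"

def xor_encode(password: str) -> str:
    """Obfuscate as the advisory describes: XOR each byte with '_', then Base64."""
    raw = bytes(b ^ XOR_KEY for b in password.encode("latin-1"))
    return PREFIX + base64.b64encode(raw).decode("ascii")

def xor_decode(value: str) -> str:
    """Reverse the scheme. No key or secret is involved, which is the weakness."""
    if value[:len(PREFIX)].lower() != PREFIX:
        raise ValueError("not an {xor} value")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")

# Matches <property name="..." value="{xor}..."> as in the advisory's excerpt.
PROP_RE = re.compile(r'<property\s+name="([^"]*)"\s+value="(\{xor\}[^"]*)"', re.I)

def audit_export(text: str):
    """Return (line_no, property_name, recoverable) for each {xor} value found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, value in PROP_RE.findall(line):
            try:
                xor_decode(value)
                recoverable = True
            except ValueError:       # bad Base64 also raises a ValueError subclass
                recoverable = False
            findings.append((line_no, name, recoverable))
    return findings

# Constructed sample export; only the password value comes from the advisory.
SAMPLE_EXPORT = '''<config-properties>
  <property name="user" value="was40"/>
  <property name="password" value="{xor}KD4sa28="/>
  <property name="keyPass" value="{xor}not-base64!"/>
</config-properties>'''

if __name__ == "__main__":
    for line_no, name, recoverable in audit_export(SAMPLE_EXPORT):
        state = "reversible without a key" if recoverable else "malformed"
        print(f"line {line_no}: property {name!r} is {state}")
```

Any property reported as reversible should be treated as a plaintext credential: restrict or destroy the export as the workaround says.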
|References

Source: XF
Name: websphere-xml-weak-encryption(11245)
Link: http://xforce.iss.net/xforce/xfdb/11245
Source: BID
Name: 6758
Link: http://www.securityfocus.com/bid/6758
Source: BUGTRAQ
Name: 20030206 Re: Weak password protection in WebSphere 4.0.4 XML configuration export
Link: http://www.securityfocus.com/archive/1/310796
Source: BUGTRAQ
Name: 20030204 Weak password protection in WebSphere 4.0.4 XML configuration export
Link: http://www.securityfocus.com/archive/1/310118
Source: SREASON
Name: 3277
Link: http://securityreason.com/securityalert/3277
Source: NSFOCUS
Name: 4340
Link: http://www.nsfocus.net/vulndb/4340