
Insecure password storage in IBM WebSphere
At work, I often come across IBM products: WebSphere Application Server (WAS) and others based on it. And, like everyone, I sometimes forget passwords, especially for test systems or for those that do not get enough attention.
Once again, not remembering a password, I decided to see how our application server stores it. After analyzing several configuration files, such as security.xml, wimconfig.xml and resources.xml, I found every password ever entered in the administration console, including the password of the main admin. They were stored in a form that looks completely harmless at first glance:
serverPassword="{xor}KD4sPjsyNjE="
The xor tag is alarming, of course, but we do not know the key or the salt (which could have been used, but were not). Recalling from student years the property of xor that:
if a ⊕ b = c, then a ⊕ c = b
... I found the key on a system where the password is known (the stored value decodes from base64 to the bytes on the left, the known password "wasadmin" is on the right):
283E2C3E3B323631 ⊕ 77617361646D696E = 5F5F5F5F5F5F5F5F (every byte is 5F, the ASCII code of _)
Of course, the key is always the same: the password is effectively stored in plaintext, and xor with _ does not hide it even from users who know nothing about encryption. Let me remind you that all passwords are stored this way: for key stores, for access to Active Directory, for access to the database, which, given how WAS is typically used, often holds information whose access should be restricted as much as possible. Anyone with access to the configuration files automatically becomes the administrator of the application server and obtains the passwords to the databases and other resources.
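The following is an added example, not the author's script or IBM code. It carries the known-plaintext step above through in code (recovering the key byte by byte, which shows that every position gives the same 0x5F), adds the reverse direction (producing a {xor} value that WAS would accept), and scans a constructed configuration fragment for every {xor} attribute. The XML fragment, the alias dbAuth, the user dbuser and the password "secret" are made up for the example; only the serverPassword value is the one quoted on this page.

```python
import base64
import re

XOR_TAG = "{xor}"
DEFAULT_KEY = ord("_")  # 0x5F, the constant key recovered from the known-plaintext pair


def strip_tag(value):
    """Accept the value with or without the leading {xor} tag."""
    value = value.strip()
    return value[len(XOR_TAG):] if value.startswith(XOR_TAG) else value


def recover_key_bytes(encoded, known_plaintext):
    """a XOR b = c  =>  a XOR c = b: xor each ciphertext byte with the known
    password byte at the same position. The set of distinct results is the
    set of key bytes in use; a single-element set means one constant key."""
    ct = base64.b64decode(strip_tag(encoded))
    pt = known_plaintext.encode()
    if len(ct) != len(pt):
        raise ValueError("ciphertext and plaintext lengths differ")
    return {c ^ p for c, p in zip(ct, pt)}


def xor_decode(value, key=DEFAULT_KEY):
    """Decode a stored {xor}... value back to the password."""
    data = base64.b64decode(strip_tag(value))
    return bytes(b ^ key for b in data).decode("utf-8", "replace")


def xor_encode(plaintext, key=DEFAULT_KEY):
    """Produce the {xor}... form WAS writes into its configuration files."""
    data = bytes(b ^ key for b in plaintext.encode())
    return XOR_TAG + base64.b64encode(data).decode("ascii")


# attribute="{xor}base64" as it appears in security.xml / resources.xml
XOR_ATTR = re.compile(r'(\w+)="\{xor\}([A-Za-z0-9+/=]*)"')


def find_xor_passwords(config_text):
    """Return [(attribute name, decoded password)] for every {xor} attribute."""
    return [(name, xor_decode(b64)) for name, b64 in XOR_ATTR.findall(config_text)]


# Constructed sample; not a real security.xml. The serverPassword value is the
# one quoted on the page, the dbAuth entry is invented for the example.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0">
  <authDataEntries alias="dbAuth" userId="dbuser" password="{xor}LDo8LTor"/>
  <userRegistries serverId="wasadmin" serverPassword="{xor}KD4sPjsyNjE="/>
</security:Security>
"""

if __name__ == "__main__":
    print("key bytes:", {hex(k) for k in recover_key_bytes("{xor}KD4sPjsyNjE=", "wasadmin")})
    for name, password in find_xor_passwords(SAMPLE_CONFIG):
        print(f"{name}: {password}")
```

Because the key is a single constant byte, recover_key_bytes needs only one known pair from any installation; the same key then decodes every value in every file, which is the point of the paragraph above.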
The WebSphere product line is quite expensive and out of reach for small and even medium-sized companies. For example, today a WAS license for an average 2-socket x86 server costs about $200,000, and WebSphere Portal is several times more expensive. Usually it is not installed on x86 at all; for RISC the license is even more expensive. These products are mainly used in government agencies and the banking sector, and such organizations have special security requirements, for example separation of roles (OS administrator, database administrator, application server administrator). With passwords stored this way, that separation is not technically achievable: whoever can read the configuration files holds every credential.
I wrote a small script to “remember” passwords on the fly.
import base64

# Paste the value with or without the "{xor}" tag
value = input("Enter: ").strip()
if value.startswith("{xor}"):
    value = value[len("{xor}"):]
data = base64.b64decode(value)
# Every byte is xor'ed with the same key byte, '_' (0x5F)
password = bytes(b ^ ord('_') for b in data).decode('utf-8', 'replace')
print('Password:', password)
The algorithm is unchanged in all versions of WAS, including the latest at the time of writing, 8.5.5, and in all products based on it: Portal Server, BPM, ESB and others. I hope that in version 8.6, or at least 9, passwords will be encrypted with AES.