Back to Home

We learn the passwords of 1C users

information security · 1s · password · bug

We learn passwords of 1C users

    The ability was tested on the platform 1c version 8.1.13.41 and 8.2.10.82 (I think the situation is the same on 8.0) on the Windows Server 2008 operating system both 32 and 64 bit under local administrator rights in the terminal session. In fact, on older operating systems, you can find out a password, just not as commonplace as on the tested OS.

    For a successful test, it is necessary that the terminal server already has at least one user who successfully logs in to the 1C infobase (in the mode of the configurator or enterprise).


    Launch the task manager and click on the button “Display processes of all users”, then in the window that appears, click on the “Continue” button. After we select the menu item: “View” -> “Select Columns ...” and in the window that appears, put a daw in front of the item “Command Line” and click the “OK” button. We look through the process 1cv8.exe with our eyes and observe something like this:
    image

    It was a revelation for me that starting 1C without such command line parameters as login and password, the current process starts a new one with authorization command line parameters, and then it ends itself.

    I will not focus on the fact that for many mortals the same password is used not only to access IB 1C and what consequences the fact of ownership of the password by the other party can lead to. I just want to note that all attempts by 1C itself to use AES, Triple DES encryption algorithms, the SSL protocol for accessing information security, storing user passwords in a database table in a special format are crossed out by the above authorization method.

    UPD:
    Moved to the blog "Information Security"

    Read Next