Wednesday, October 11, 2006

Be aware of WebSphere's lack of security in regards to password storage

As long as I can remember, WebSphere has stored passwords encoded, not encrypted. The WebSphere documentation clearly notes that passwords are not encrypted. Today, with WebSphere version 6.1 out, passwords are still stored with an obfuscating, easily reversible encoding. In an effort to raise awareness, I want to show just how easy it is to decode (and encode) these passwords in files such as soap.client.props or the miscellaneous XML files WebSphere stores its configuration in.

You can search the SecurityFocus or Bugtraq archives and find tickets opened on versions before WebSphere 4.x about the insecure password storage WebSphere uses.

IBM's stance seems to be: if you want something more secure, write a module yourself to store those passwords! That's great, thanks IBM!

They do provide some info on this here:

Not only do we need to worry about developers having passwords to the datasources, admin interfaces and more, but now we need to keep them off the file system completely or ensure they do not even have read access to most of it.

Wait! That will break the solution they have for running Portal as a different user, and more! (That's another blog topic in itself.) Let's get back on track.

So let's open up soap.client.props. Look for the line . That is the XOR of the password (which you provide) and a 'secret'. If we go back to 7th grade math we have a formula: if C = (A ^ B), then I can find A if I have C and B, so A = (B ^ C).

If you don't know the key don't worry. IBM provides a great tool to generate and recover these passwords using the default key WebSphere itself uses.

Here is a quick example on Windows (for you RAD developers out there).

WAS_INSTALL_ROOT\lib>..\java\bin\java.exe -cp securityimpl.jar;iwsorb.jar;ras.jar;wsexception.jar;bootstrap.jar;emf.jar;ffdc.jar unsecure

This will encode the password 'unsecure':

decoded password == "unsecure", encoded password == "{xor}KjEsOjwqLTo="

So now you know how to encode something. How do you decode a password, though? Well, you can write your own XOR decoder, but IBM provides one for you! Thanks IBM! So let's decode the password we just encoded.

WAS_INSTALL_ROOT\lib>..\java\bin\java.exe -cp securityimpl.jar;iwsorb.jar;ras.jar;wsexception.jar;bootstrap.jar;emf.jar;ffdc.jar {xor}KjEsOjwqLTo=

You should get this output:

encoded password == "{xor}KjEsOjwqLTo=", decoded password == "unsecure"

So now, as a developer, you know all the admin passwords, or as an admin who forgot what it was, you now know!

Just note that on Unix you replace the ';' characters with ':'. I normally work on Unix, but for this example I was working in RAD under Windows.
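As an added example (not from the original post and not IBM's code), the following Python shows why this scheme is encoding rather than encryption: the XOR formula from above recovers the 'secret' from the single known pair printed by IBM's tool, and the same formula then encodes or decodes any other value. The property names in the sample file are constructed for illustration, and passwords are assumed to be ASCII.

```python
import base64

PREFIX = "{xor}"

# Known plaintext/encoded pair quoted in the post above.
KNOWN_PLAINTEXT = "unsecure"
KNOWN_ENCODED = "{xor}KjEsOjwqLTo="

# Constructed sample in soap.client.props style (not a real file dump).
SAMPLE_PROPS = """\
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword={xor}KjEsOjwqLTo=
com.ibm.ssl.keyStorePassword={xor}KjEsOjwqLTo=
"""

def _raw_bytes(encoded: str) -> bytes:
    """Strip the {xor} tag and base64-decode the remainder."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not a {xor}-encoded value")
    return base64.b64decode(encoded[len(PREFIX):])

def recover_key(plaintext: str, encoded: str) -> int:
    """Recover the single XOR key byte from one known pair: C = A ^ B, so
    B = A ^ C for every byte. One known password exposes the key for all."""
    plain, cipher = plaintext.encode("latin-1"), _raw_bytes(encoded)
    if len(plain) != len(cipher):
        raise ValueError("plaintext and encoded value differ in length")
    keys = {p ^ c for p, c in zip(plain, cipher)}
    if len(keys) != 1:
        raise ValueError("not a single-byte XOR")
    return keys.pop()

def xor_encode(plaintext: str, key: int) -> str:
    """Produce the {xor}base64 form WebSphere writes into its config files."""
    data = bytes(b ^ key for b in plaintext.encode("latin-1"))
    return PREFIX + base64.b64encode(data).decode("ascii")

def xor_decode(encoded: str, key: int) -> str:
    """Reverse xor_encode: A = B ^ C, as in the post."""
    return bytes(b ^ key for b in _raw_bytes(encoded)).decode("latin-1")

def find_encoded_passwords(props_text: str) -> list:
    """Audit helper: names of properties whose value is {xor}-encoded,
    i.e. every secret that anyone with read access to the file can recover."""
    found = []
    for line in props_text.splitlines():
        name, _, value = line.partition("=")
        if not name.lstrip().startswith("#") and value.strip().startswith(PREFIX):
            found.append(name.strip())
    return found
```

Running find_encoded_passwords over the real soap.client.props and the XML files under the config directory gives the list of files whose read permissions matter.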

Enjoy, and let's hope you won't be able to do this in future releases!
