Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22368
HistoryAug 25, 2009 - 12:00 a.m.

Clear Text Storage of Password in CS-MARS v6.0.4 and Earlier

2009-08-2500:00:00
vulners.com
52
  1. First after logging onto the console either pnlog mailto, or pnlog scpto will send the logs off of the box to a destination you specify, you can also display the logs using pnlog show.
    [pnadmin]$ pnlog scpto [email protected]:/home/ryan
    scp /tmp/error-logs.tar.gz [email protected]:/home/ryan/error-logs.tar.gz
    The authenticity of host '10.4.61.206 (10.4.61.206)' can't be established.
    RSA key fingerprint is cc:c5:35:ad:be:16:4e:59:6a:48:90:c3:98:9f:a3:e4.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.4.61.206' (RSA) to the list of known hosts.
    [email protected]'s password:
    error-logs.tar.gz 100% 12MB 11.6MB/s 00:01
    scp /tmp/janus-logs.tar.gz [email protected]:/home/ryan/janus-logs.tar.gz
    [email protected]'s password:
    janus-logs.tar.gz 100% 5830KB 5.7MB/s 00:01
    [pnadmin]$

  2. After transfering the logs two files are produced as shown below.
    root@ultidesk:~/logs# ls
    error-logs.tar.gz janus-logs.tar.gz
    root@ultidesk:~/logs#

  3. After extraction the following files are created as well as a folder structre within the folder you copied the log files to.
    root@ultidesk:~/logs# tar -xvf janus-logs.tar.gz
    opt/janus/release/bin/log/server/janus_log
    opt/janus/release/bin/log/server/janus_log.1
    opt/janus/release/bin/log/server/janus_log.2
    opt/janus/release/bin/log/server/janus_log.3
    opt/janus/release/bin/log/server/janus_log.4
    opt/janus/release/bin/log/server/janus_log.5
    opt/janus/release/bin/log/server/janus_log.6
    opt/janus/release/bin/log/server/janus_log.7
    opt/janus/release/bin/log/server/janus_log.8
    opt/janus/release/bin/log/server/janus_log.9
    tmp/raid_event.log
    tmp/saslog.txt
    root@ultidesk:~/logs# ls
    error-logs.tar.gz janus-logs.tar.gz opt tmp
    root@ultidesk:~/logs# tar -xvf error-logs.tar.gz
    opt/janus/release/bin/log/server/janus_log
    opt/janus/release/VERSION
    opt/janus/jboss/server/default/log/feedback/jboss.log
    opt/janus/jboss/server/default/log/feedback/jboss.log.1
    opt/janus/jboss/server/default/log/feedback/jboss.log.2
    etc/model
    opt/janus/jboss/server/default/log/trace/jbossStackTrace-2009-08-20_10-33-07_CDT.log
    tmp/kill-runGuardedBackcalc.log
    tmp/restartJBoss.log
    var/log/messages
    var/log/messages.1
    var/log/messages.2
    var/log/messages.3
    var/log/messages.4
    var/log/upgrade_1215785121.log
    var/log/upgrade_1215786450.log
    var/log/upgrade_1215787232.log
    var/log/upgrade_1224176330.log
    var/log/upgrade_1224177537.log
    var/log/upgrade_1224178406.log
    var/log/upgrade_1237838103.log
    var/log/upgrade_1238006432.log
    var/log/upgradehistory.log
    var/log/upgrade.log
    var/log/upgrade.log.1245330683
    var/log/upgrade.log.1250782367
    var/log/upgrade_s1238170243.log
    var/log/upgrade_s1245331100.log
    var/log/upgrade_s1250782908.log
    log/sysbacktrace.00
    log/sysbacktrace.01
    log/sysbacktrace.02
    log/sysbacktrace.03
    log/sysbacktrace.04
    log/sysbacktrace.05
    log/sysbacktrace.06
    log/sysbacktrace.07
    log/sysbacktrace.08
    log/sysbacktrace.09
    log/sysbacktrace.10
    log/sysbacktrace.11
    log/sysbacktrace.12
    log/sysbacktrace.13
    log/sysbacktrace.14
    log/sysbacktrace.15
    log/sysbacktrace.16
    log/sysbacktrace.17
    log/sysbacktrace.18
    log/sysbacktrace.19
    log/sysbacktrace.20
    log/sysbacktrace.21
    log/sysbacktrace.22
    log/sysbacktrace.23
    log/sysbacktrace.24
    log/sysbacktrace.25
    log/sysbacktrace.26
    log/sysbacktrace.27
    log/sysbacktrace.28
    log/sysbacktrace.29
    log/sysbacktrace.30
    log/sysbacktrace.31
    log/sysbacktrace.32
    log/sysbacktrace.33
    log/sysbacktrace.34
    log/sysbacktrace.35
    log/sysbacktrace.36
    log/sysbacktrace.37
    log/sysbacktrace.38
    log/sysbacktrace.39
    log/sysbacktrace.40
    log/sysbacktrace.41
    log/sysbacktrace.42
    log/sysbacktrace.43
    log/sysbacktrace.44
    log/sysbacktrace.45
    log/sysbacktrace.46
    log/sysbacktrace.47
    log/sysbacktrace.48
    log/sysbacktrace.49
    log/sysbacktrace.50
    log/sysbacktrace.51
    log/sysbacktrace.52
    log/sysbacktrace.53
    log/sysbacktrace.54
    log/sysbacktrace.55
    log/sysbacktrace.56
    log/sysbacktrace.57
    log/sysbacktrace.58
    log/sysbacktrace.59
    log/sysbacktrace.60
    log/sysbacktrace.61
    log/sysbacktrace.62
    log/sysbacktrace.63
    log/sysbacktrace.64
    log/sysbacktrace.65
    log/sysbacktrace.66
    log/sysbacktrace.67
    log/sysbacktrace.68
    log/sysbacktrace.69
    log/sysbacktrace.70
    log/sysbacktrace.71
    log/sysbacktrace.72
    log/sysbacktrace.73
    log/sysbacktrace.74
    log/sysbacktrace.75
    log/sysbacktrace.76
    log/sysbacktrace.77
    log/sysbacktrace.78
    log/sysbacktrace.79
    log/sysbacktrace.80
    log/sysbacktrace.81
    log/sysbacktrace.82
    log/sysbacktrace.83
    log/sysbacktrace.84
    log/sysbacktrace.85
    log/sysbacktrace.86
    log/sysbacktrace.87
    log/sysbacktrace.88
    log/sysbacktrace.89
    log/sysbacktrace.90
    log/sysbacktrace.91
    log/sysbacktrace.92
    log/sysbacktrace.93
    log/sysbacktrace.94
    log/sysbacktrace.95
    var/log/sa/sa13
    var/log/sa/sa14
    var/log/sa/sa15
    var/log/sa/sa16
    var/log/sa/sa17
    var/log/sa/sa18
    var/log/sa/sa19
    var/log/sa/sa20
    var/log/sa/sa21
    var/log/sa/sar12
    var/log/sa/sar13
    var/log/sa/sar14
    var/log/sa/sar15
    var/log/sa/sar16
    var/log/sa/sar17
    var/log/sa/sar18
    var/log/sa/sar19
    var/log/sa/sar20
    u01/app/oracle/admin/pndb/bdump/alert_pndb.log
    u01/app/oracle/admin/pndb/bdump/pn_app.log
    tmp/package-env.txt
    tmp/diskUsage.txt

root@ultidesk:~/logs# ls
error-logs.tar.gz etc janus-logs.tar.gz log opt tmp u01 var

  1. Now executing grep for a portion of the password that MARS uses to access Windows Devices (password masked with ####). We can see that in this case every iterration of sysbacktrace.X containes 30 occurances of our password (95 files 30 occurances each = 2,850 occurances of our password):

root@ultidesk:~/logs# grep -R -c ######* *
error-logs.tar.gz:0
etc/model:0
janus-logs.tar.gz:0
log/sysbacktrace.84:30
log/sysbacktrace.77:30
log/sysbacktrace.47:30
log/sysbacktrace.82:30
log/sysbacktrace.95:30
log/sysbacktrace.22:30
log/sysbacktrace.40:30
log/sysbacktrace.10:30
log/sysbacktrace.65:30
log/sysbacktrace.74:30
log/sysbacktrace.68:30
log/sysbacktrace.60:30
log/sysbacktrace.37:30
log/sysbacktrace.59:30
log/sysbacktrace.88:30
log/sysbacktrace.01:30
log/sysbacktrace.89:30
log/sysbacktrace.38:30
log/sysbacktrace.16:30
log/sysbacktrace.09:30
log/sysbacktrace.53:30
log/sysbacktrace.13:30
log/sysbacktrace.23:30
log/sysbacktrace.44:30
log/sysbacktrace.06:30
log/sysbacktrace.35:30
log/sysbacktrace.04:30
log/sysbacktrace.67:30
log/sysbacktrace.69:30
log/sysbacktrace.64:30
log/sysbacktrace.66:30
log/sysbacktrace.93:30
log/sysbacktrace.79:30
log/sysbacktrace.51:30
log/sysbacktrace.31:30
log/sysbacktrace.83:30
log/sysbacktrace.29:30
log/sysbacktrace.39:30
log/sysbacktrace.25:30
log/sysbacktrace.85:30
log/sysbacktrace.80:30
log/sysbacktrace.50:30
log/sysbacktrace.73:30
log/sysbacktrace.34:30
log/sysbacktrace.33:30
log/sysbacktrace.90:30
log/sysbacktrace.61:30
log/sysbacktrace.08:30
log/sysbacktrace.46:30
log/sysbacktrace.07:30
log/sysbacktrace.32:30
log/sysbacktrace.30:30
log/sysbacktrace.92:30
log/sysbacktrace.56:30
log/sysbacktrace.03:30
log/sysbacktrace.00:30
log/sysbacktrace.18:30
log/sysbacktrace.21:30
log/sysbacktrace.91:30
log/sysbacktrace.94:30
log/sysbacktrace.54:30
log/sysbacktrace.28:30
log/sysbacktrace.42:30
log/sysbacktrace.05:30
log/sysbacktrace.86:30
log/sysbacktrace.17:30
log/sysbacktrace.75:30
log/sysbacktrace.78:30
log/sysbacktrace.41:30
log/sysbacktrace.55:30
log/sysbacktrace.15:30
log/sysbacktrace.24:30
log/sysbacktrace.14:30
log/sysbacktrace.26:30
log/sysbacktrace.58:30
log/sysbacktrace.43:30
log/sysbacktrace.45:30
log/sysbacktrace.71:30
log/sysbacktrace.52:30
log/sysbacktrace.62:30
log/sysbacktrace.57:30
log/sysbacktrace.11:30
log/sysbacktrace.49:30
log/sysbacktrace.19:30
log/sysbacktrace.63:30
log/sysbacktrace.36:30
log/sysbacktrace.20:30
log/sysbacktrace.48:30
log/sysbacktrace.02:30
log/sysbacktrace.87:30
log/sysbacktrace.27:30
log/sysbacktrace.70:30
log/sysbacktrace.12:30
log/sysbacktrace.72:30
log/sysbacktrace.76:30
log/sysbacktrace.81:30

  1. Here is a grep that shows where the password is actually being recorded, it includes the system ip, the domain, the username and the password. (Username, domain, and password have been masked with ###).
    root@ultidesk:~/logs# grep -R rpcclient2 * | more

    log/sysbacktrace.84:0 500 9429 9428 18 0 9244 1328 - S ? 0:00 rpcclient2 //10.20.36.233/ -W #### -U #######%############# --param 10.20.36.233 system 1 1 0 RPC-EVENTLOG
    log/sysbacktrace.84:0 500 9432 9431 19 0 9116 1328 - S ? 0:00 rpcclient2 //10.4.90.12/ -W #### -U #######%############# --param 10.4.90.12 security 1 1 0 RPC-EVENTLOG
    log/sysbacktrace.84:0 500 9423 9422 18 0 8896 1328 - S ? 0:00 rpcclient2 //10.8.32.40/ -W #### -U #######%############# --param 10.8.32.40 system 1 1 0 RPC-EVENTLOG
    log/sysbacktrace.84:0 500 7714 7713 18 0 8776 1328 - S ? 0:00 rpcclient2 //10.20.1.93/ -W #### -U #######%############# --param 10.20.1.93 security 1 1 0 RPC-EVENTLOG
    log/sysbacktrace.84:0 500 9813 9812 15 0 8672 1848 - S ? 0:00 rpcclient2 //10.16.34.21/ -W #### -U #######%############# --param 10.16.34.21 security 1 1 0 RPC-EVENTLOG
    log/sysbacktrace.84:0 500 9303 9302 19 0 8448 1328 - S ? 0:00 rpcclient2 //10.30.25.130/ -W #### -U #######%############# --param 10.30.25.130 system 1 1 0 RPC-EVENTLOG
    log/sysbacktrace.84:0 500 7702 7701 21 0 8392 1328 - S ? 0:00 rpcclient2 //10.20.1.97/ -W #### -U #######%############# --param 10.20.1.97 security 1 1 0 RPC-EVENTLOG

  2. Granted access to the sysbacktrace logs is only possible with ssh access to the box however these logs if attached to a support ticket through email are sent in the clear, or if these log files are routinely dumped and stored the password is avliable in clear text. Additionally in most cases MARS will be monitoring Active Directory data in order to access Domain Controllers 'Domain Admin' rights must be included in the account.