Tibco/README.md
+13 -6 (13 additions & 6 deletions)
@@ -1,11 +1,13 @@
1
-
== Introduction
1
+
# Tibco password decryption exploit
2
+
3
+
## Introduction
2
4
3
5
During a pen-test of an internally developed application, I discovered that the engineers in question had re-used a commercial Java library for password obfuscation.
4
6
5
7
While their application was not part of a Tibco stack, nor did it use Tibco, they did make use of Tibco's "*ObfuscationEngine*". On Tibco systems, this tool is used to obfuscate (and sometimes encrypt) passwords for safe storage in configuration files.
6
8
7
9
8
-
== Background ==
10
+
##Background
9
11
10
12
Tibco's documentation states that there are three modes of operation for this ObfuscationEngine tooling:
11
13
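Review bot: `##Background` on new line 10 has no space after the hashes, so GitHub's Markdown renderer will show it as literal text instead of a heading. The two headings added at the top of this hunk (`# Tibco password decryption exploit`, `## Introduction`) have the space; use `## Background` to match them.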
@@ -26,7 +28,7 @@ and
26
28
Secrets obfuscated using the Tibco fixed key can be recognized by the fact that they start with the characters #!. For example: "#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA".
27
29
28
30
29
-
== Issues ==
31
+
##Issues
30
32
31
33
The first statement does not make clear the risks that are involved, while the second statement is blatantly incorrect.
32
34
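Review bot: `##Issues` on new line 31 is missing the space after `##` and will not render as a heading on GitHub. Change it to `## Issues`.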
@@ -48,7 +50,7 @@ By analyzing this JAR file, I recovered the fixed key. Using that I wrote a smal
48
50
The code is provided here in this repository as “decrypt.java”.
49
51
50
52
51
-
== Impact ==
53
+
##Impact
52
54
53
55
Regardless of country, customer, network or version of Tibco, any secret that was obfuscated with Tibco's ObfuscationEngine can be decrypted using my Java tool. It does **not** require access to Tibco software or libraries.
54
56
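Review bot: `##Impact` on new line 53 needs a space after the hashes (`## Impact`) to render as a heading. Since this commit converts the file to Markdown, the unchanged line above it could also put the file name in backticks (`decrypt.java`) instead of curly quotes, so readers can copy it exactly.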
@@ -57,7 +59,7 @@ All you need are exfiltrated secret strings that start with the characters #!.
57
59
This is not going to be fixed by Tibco, this is a design decision also used for backwards compatibility in their software.
58
60
59
61
60
-
== Instructions ==
62
+
##Instructions
61
63
62
64
Compile with:
63
65
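Review bot: `##Instructions` on new line 62 will render as plain text because there is no space after `##`. Use `## Instructions`, otherwise the "Compile with:" step that follows has no visible section heading.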
@@ -72,7 +74,7 @@ Examples of running, with secrets retrieved from websites and forums:
72
74
tibco
73
75
74
76
75
-
== Outcome ==
77
+
##Outcome
76
78
77
79
I have shared my findings internally with my client. I have advised them to A) stop including Tibco's copyrighted classes and libraries into their own Java applications, B) replace all secrets encrypted using this method, as they should be considered compromised.
78
80
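Review bot: `##Outcome` on new line 77 has the same missing space after `##` and will not render as a heading. Change it to `## Outcome`.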
@@ -89,3 +91,8 @@ The text now reads:
89
91
"*The fixed key is compatible with earlier versions of TIBCO Runtime Agent but should not be treated as secure. A machine key or custom encryption key should be used whenever possible.*"
90
92
91
93
94
+
## CVE / Vulnerability information
95
+
96
+
No CVE was awarded as the vendor did not recognize this as a vulnerability. This is intended functionality, which "works as designed".
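Review bot: the new paragraph on line 96 quotes the vendor ("works as designed") without saying where or when that response was given, so a reader cannot verify it. Consider adding the date or a reference to the vendor's reply. As a wording point, CVE identifiers are normally described as "assigned" rather than "awarded". The heading in this hunk, `## CVE / Vulnerability information`, is correctly formed.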