EcoStruxure IT forum
Schneider Electric support forum about installation and configuration for DCIM including EcoStruxure IT Expert, IT Advisor, Data Center Expert, and NetBotz
Posted: 2020-07-03 09:51 PM . Last Modified: 2024-04-07 11:34 PM
I discovered today that the Windows backup share setting dialog allows you to screen scrape the password of the user. Not good since this is often the user's Windows / domain password.
FYI I used AsteriskKey to get the passwords.
The same is true for every password / sensitive field in the dialog boxes that are used to set up / edit an SNMP config template.
Version of DCE is 7.4.3
Thought it best to not post this publicly...
(CID:123348323)
Posted: 2020-07-03 09:51 PM . Last Modified: 2024-04-07 11:34 PM
Hi Garry,
I can and will forward this to engineering. You've tested this on previously saved screens and not something you just entered, correct?
Steve
(CID:123348345)
Posted: 2020-07-03 09:51 PM . Last Modified: 2024-04-07 11:34 PM
I tested it today on several dialog boxes in the SNMP template creation and editing, and was also able to find out a colleague's laptop password from the Backup screen. I knew it used to be possible for all users on DCE but this got corrected at version 7.4+?
The clue was that the field lengths were shorter (fewer asterisks were displayed) than normal since the 7.4+ update. The screen scraper returns DEFAULT_PASSWORD on 'protected' password fields, which is actually displayed as **************** - 16 asterisks, as there are 16 chars in "DEFAULT_PASSWORD".
An example today also was that I was able to scrape the passwords from NMC that had their credentials changed using a saved SNMP config template. Actually very useful 😀 arguably not secure. Truth is I can't do any of this unless I have the DCE server Administrative access anyway, so is it that insecure?
The image above is an example of what I mean, (but is not the one I did today)
(CID:123348358)
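An added example, not part of the thread and not Schneider Electric's code: a minimal sketch of the placeholder behaviour described in the post above, where a reopened dialog carries the fixed string DEFAULT_PASSWORD instead of the stored secret. The class, field names, `password_changed` flag and sample credentials are hypothetical and constructed for illustration.

```python
# Added illustration; class and field names are hypothetical, not DCE code.
import secrets

MASK = "DEFAULT_PASSWORD"  # placeholder string the thread reports for protected fields


class BackupShareSettings:
    """Stored share configuration; the secret is never copied into the dialog."""

    def __init__(self, username, password):
        self.username = username
        self._password = password

    def to_dialog(self):
        # Data handed to the client when a saved configuration is reopened.
        # The password widget holds a fixed placeholder, so anything reading
        # the widget text sees the mask, and its length is always constant.
        return {"username": self.username, "password": MASK,
                "password_changed": False}

    def apply_dialog(self, form):
        # An explicit flag, set only when the user typed in the field, decides
        # whether to overwrite. Comparing the text to MASK alone would either
        # store the mask as the password or block a user who chose that string.
        self.username = form["username"]
        if form.get("password_changed"):
            if not form["password"]:
                raise ValueError("empty password rejected")
            self._password = form["password"]

    def check(self, candidate):
        return secrets.compare_digest(self._password.encode(), candidate.encode())


def demo():
    cfg = BackupShareSettings("backup_svc", "constructed-S3cret!")  # constructed values
    form = cfg.to_dialog()
    widget_text = form["password"]        # what the reopened field contains
    form["username"] = "backup_svc2"      # user edits another field and saves
    cfg.apply_dialog(form)
    kept = cfg.check("constructed-S3cret!")   # stored secret must survive the save
    form = cfg.to_dialog()
    form.update(password="new-constructed-pw", password_changed=True)
    cfg.apply_dialog(form)
    return widget_text, kept, cfg.check("new-constructed-pw")
```

The placeholder only protects values that were saved earlier; text a user has just typed is still in the widget until the dialog is closed and reopened.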
Posted: 2020-07-03 09:51 PM . Last Modified: 2024-04-07 11:34 PM
Hi Garry,
Yea, looks like they fixed it at least in 7.4.3. I tried and as long as I save and go back to the dialog, I just see default_password too:
Steve
(CID:123348678)
Posted: 2020-07-03 09:51 PM . Last Modified: 2024-04-07 11:34 PM
Hi Steve - I was on another site on Thursday and managed to get the customer's share password from their backup config using this same method. I had not set up this backup or logged into this server locally before until Thursday and the server is on V7.4.3.
I have no idea why we are getting what appears to be different behaviour. The only thing I can think of is that the servers I was connected to were all upgraded from previous versions. Was the one you were using a clean install at 7.4.3 or was it upgraded too?
(CID:123996069)
Posted: 2020-07-03 09:51 PM . Last Modified: 2024-04-07 11:34 PM
Hi Garry,
I think it may have been a restore. Do you know what version(s) of Java they have on their system?
Steve
(CID:123996099)
Posted: 2020-07-03 09:52 PM . Last Modified: 2024-04-07 11:34 PM
Hey Garry,
Did you find out anything more about the customer's client... any other versions of Java? After requesting that kind of info I thought more about your suggestion about it being a system that has been updated multiple times vs something that has been recently restored. I'm thinking that really shouldn't matter. You're not capturing anything from the server, you're pulling the data from the client. The client should pull any required data regardless of the server. An install of the client on a fresh system should be able to tell.
Steve
(CID:123996731)
Posted: 2020-07-03 09:52 PM . Last Modified: 2023-10-22 01:23 AM
This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.