Jump to content
Praetorian503

Sparx Systems Enterprise Architect 9.3.931 Corporate Password Disclosure

By Praetorian503, in Exploituri

Recommended Posts

Praetorian503 Newbie

Praetorian503

Posted
Posted

Sparx Systems Enterprise Architect version 9.3.931 stores user passwords in the database simply XORed with the ASCII code of 'E17030402158' instead of using a generally accepted hash function.

Subject
=======
Simple password obfuscation in Sparx Systems "Enterprise Architect" when using server based repositories

Affected product
================
Product: Enterprise Architect
Vendor: Sparx Systems

Affected versions
=================
Tested with 9.3.931 Corporate, other versions likely to be affected too.

Description
===========
When using server based repositories in Enterprise Architect the user account information is stored in the database table t_secuser. The column "Password" contains the user password in an obfuscated format. The content is simply the user password XOR'ed with the ASCII code of 'E17030402158' instead of using a generally accepted hash function. Hence everyone with access to the database (which is in general every user with access to the repository) is able to decode the passwords of all other users.

Impact
======
Disclosure of user passwords.

Possible mitigating factors
===========================
Beginning with version 7.1 Enterprise Architect offers a feature where project owners can provide users with a shortcut to the project that contains the database connection string in an encrypted format. This should avoid the need to reveal database access credentials to end users. 

Conclusion
==========
Everyone with access to the database containing the repository is able to decode the passwords of all users. Irrespective of the fact that ordinary end users may be detained from gaining access to the database using the "Encrypt Connection String" feature, at least SQL admins may still read the t_secuser table and are therefore able decode the passwords.

Chronology
==========
Vendor informed: 2012/01/28
Vendor reminded: 2012/02/06
Vender response: 2012/02/07

Summary of vendor response: 
- "We are aware of these limitations"
- "No fixes are scheduled at this time."

Released to public: 2012/02/12

Reported by
===========
Holm Diening
Dept. Privacy and Information Security

E-Mail: holm.diening@gematik.de
www.gematik.de

gematik
Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH Friedrichstraße 136
10117 Berlin
Amtsgericht Berlin-Charlottenburg HRB 96351 B
Geschäftsführer: Prof. Dr. Arno Elmer

Source: PacketStorm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...