
Decrypting WebLogic Passwords - mortenlarsen
https://blog.netspi.com/decrypting-weblogic-passwords/
======
toyg
Truth is, the whole Fusion Middleware stack is... not very hard to compromise,
even without resorting to password-cracking. Product-specific knowledge is
often enough to retrieve plaintext credentials from a number of products. The
whole Oracle ecosystem is like that -- SQLDeveloper's passwords can also be
retrieved very easily.

The unspeakable truth is, in most enterprise companies, the ability to
retrieve a lost password (when the original employee is on holiday/was
fired/stepped under a bus) is more valued than the ability to secure it.

We always talk about security theatre like it only happens at airports, but I
see lots of it in regular companies as well.

~~~
noarchy
> We always talk about security theatre like it only happens at airports, but I
> see lots of it in regular companies as well.

Excel spreadsheets, shared across the network, that contain all important
company passwords - I've seen it at more than one company.

------
Smeevy
You could already do this without coding anything.

[http://recover-weblogic-password.appspot.com/](http://recover-weblogic-password.appspot.com/)

Here's the same thing for WebSphere:

[http://www.poweredbywebsphere.com/decoder.html](http://www.poweredbywebsphere.com/decoder.html)

~~~
egru
I'm against uploading any type of sensitive information to an unknown website.

------
parasubvert
This kind of thing isn't exactly unique to WebLogic.

Privileged filesystem access generally means doom for your application's
security layer, as you'll be able to springboard into databases or other
systems from there.

If you have access to a salt file, you can generate hashes from that. If you
have access to an encryption key, you can decrypt encrypted strings. Plus, so
many configurations just use plaintext passwords.

The cool thing here is he found a way to decrypt these without having to run a
WebLogic script, which has always been a minor pain.

------
feld
It was known that WebLogic was storing encrypted passwords, but publishing
just how easy it is to decrypt them and the fact that they're using the same
key across all WebLogic installs is the real concern.

