Cisco ATA-186 admin password can be trivially circumvented

From: Patrick Michael Kane (pmk-bugtraqat_private)
Date: Thu May 09 2002 - 10:30:11 PDT


    The Cisco ATA-186 Analog Telephone Adapter interfaces "legacy" analog
    telephones to VoIP networks.  The adapter can be configured via a web
    interface that typically requires a password to access.
    
    Unfortunately, this password protection can be trivially circumvented.
    On two ATA-186s that we tested, both running the latest released
    firmware (v2.14), a simple HTTP POST containing a single byte would
    cause the ATA-186 to display its configuration screen.
    
    Using curl, for example:
    
    curl -d a http://ata186.example.com/dev
    
    reveals the configuration for the device.  Since the device does not
    hash its password, the actual password can be gleaned from this
    screen.  The device can also be reconfigured in this way by
    constructing an HTTP POST with the appropriate parameters.
    
    The same URL is used to authenticate to the device and modify its
    configuration.  A review of the HTML source code for the configuration
    tool screen reveals no hidden parameters that could be used to
    maintain state.  As a result, we believe that the device is using the
    type and number of HTTP inputs to determine whether to allow
    configuration.
    
    For example, if three "ChangeUIPasswd" arguments are supplied to the
    device without any values, it displays the login screen.  Similarly,
    if three ChangeUIPasswd values are supplied, one with a value that
    does not match the password stored in the device's configuration, the
    login screen is displayed again.
    
    If anything else is supplied, the device appears to assume that the
    user has authenticated and is supplying a configuration.  Humorously,
    passing only two "ChangeUIPasswd" arguments to the device causes it to
    allow configuration.
    
    We were unable to find a setting to disable the ATA-186's web-based
    configuration tool.  Until this problem is resolved by Cisco, we
    highly recommend that anyone using or deploying Cisco ATA-186s be
    aware of this issue and implement appropriate filtering to prevent
    external attacks.  Firms using the ATA-186 as an access device to
    provide long distance or other voice services may want to explore
    whether this vulnerability could result in customer abuse.
    
    Best,
    -- 
    Patrick Michael Kane
    We Also Walk Dogs
    <pmk-bugtraqat_private>
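Added illustration, not part of the advisory and not Cisco's code: a model of the request-shape authorization logic the post describes, beside a credential-based check that decides the same way no matter how many inputs arrive. The parameter layout (first ChangeUIPasswd field holds the current password) and the sample password are assumptions.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

STORED_PASSWORD = "s3cret"  # constructed sample; the device kept it in clear text


def vulnerable_is_authorized(body: str) -> bool:
    """Model of the reported behaviour: only a POST carrying exactly three
    ChangeUIPasswd inputs is treated as a login attempt; any other request
    shape is assumed to come from an already authenticated user."""
    pw = parse_qs(body, keep_blank_values=True).get("ChangeUIPasswd", [])
    if len(pw) == 3:
        # assumption: the first field is the current password
        return pw[0] != "" and pw[0] == STORED_PASSWORD
    return True  # "anything else" is accepted as a configuration change


# Hardened side: store a salted hash and verify a credential on every request.
_SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


STORED_HASH = _hash(STORED_PASSWORD)  # what should be persisted instead of the password


def hardened_is_authorized(body: str) -> bool:
    """Authorize only when the supplied current password verifies against
    the stored hash; the number of other inputs is irrelevant."""
    pw = parse_qs(body, keep_blank_values=True).get("ChangeUIPasswd", [])
    if not pw or pw[0] == "":
        return False
    return hmac.compare_digest(_hash(pw[0]), STORED_HASH)
```

The single-byte body and the two-field body from the post both pass the first function and are refused by the second; a correct current password passes both.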
    


