[NEWS] Cisco ATA-186 Admin Password Can be Trivially Circumvented
From: support@securiteam.com
Date: 05/12/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 12 May 2002 14:36:55 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco ATA-186 Admin Password Can be Trivially Circumvented
------------------------------------------------------------------------
SUMMARY
The <http://www.cisco.com/warp/public/cc/pd/as/180/186/> Cisco ATA-186
Analog Telephone adapter interfaces "legacy" analog telephones to VoIP
networks. The adapter can be configured via a web interface that typically
requires a password to access.
Unfortunately, this password protection can be trivially circumvented. On
two ATA-186s that we tested, both running the latest released firmware, a
simple HTTP POST containing a single byte would cause the ATA-186 to
display its configuration screen.
DETAILS
Vulnerable systems:
Cisco ATA-186 firmware version 2.14
Example:
Using curl, for example:
    curl -d a http://ata186.example.com/dev
Reveals the configuration for the device. Since the device does not hash
its password, the actual password can be gleaned from this screen. The
device can also be reconfigured in this way by constructing an HTTP POST
with the appropriate parameters.
The same URL is used to authenticate to the device and modify its
configuration. A review of the HTML source code for the configuration tool
screen reveals no hidden parameters that could be used to maintain state.
As a result, we believe that the device is using the type and number of
HTTP inputs to determine whether to allow configuration.
For example, if three "ChangeUIPasswd" arguments are supplied to the
device without any values, it displays the login screen. Similarly, if
three ChangeUIPasswd values are supplied, one with a value that does not
match the password stored in the device's configuration, the login screen
is displayed again.
If anything else is supplied, the device appears to assume that the user
has authenticated and is supplying a configuration. Humorously, passing
only two "ChangeUIPasswd" arguments to the device causes it to allow
configuration.
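The decision logic inferred above, modelled as an added example (not Cisco firmware code and not part of the original advisory) beside a fail-closed counterpart. The password, salt, session set and function names are constructed for illustration, and the outcome for three fields with a matching password is an assumption.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl

PLAINTEXT_PW = "constructed-sample-pw"   # constructed; kept unhashed, as on the device
SALT = b"constructed-salt"               # constructed
PW_HASH = hashlib.pbkdf2_hmac("sha256", PLAINTEXT_PW.encode(), SALT, 100_000)
SESSIONS = set()                         # hypothetical server-side login state

def passwd_fields(body):
    """All values posted under the ChangeUIPasswd field name, blanks included."""
    return [v for k, v in parse_qsl(body, keep_blank_values=True)
            if k == "ChangeUIPasswd"]

def inferred_fail_open(body):
    """Model of the inferred logic: only a three-field request is ever checked."""
    pw = passwd_fields(body)
    if len(pw) == 3:
        supplied = [v for v in pw if v]
        if not supplied or any(v != PLAINTEXT_PW for v in supplied):
            return "login"
    return "config"  # every other request shape falls through to access

def fail_closed(body, session=None):
    """Hardened counterpart: the default is the login screen, whatever the shape."""
    if session is not None and session in SESSIONS:
        return "config", session
    pw = passwd_fields(body)
    if len(pw) == 1:
        guess = hashlib.pbkdf2_hmac("sha256", pw[0].encode(), SALT, 100_000)
        if hmac.compare_digest(guess, PW_HASH):
            token = secrets.token_hex(16)
            SESSIONS.add(token)
            return "config", token
    return "login", None

# Constructed request bodies for the cases the advisory lists.
CASES = {
    "single byte": "a",
    "three empty": "ChangeUIPasswd=&ChangeUIPasswd=&ChangeUIPasswd=",
    "three, one wrong": "ChangeUIPasswd=wrong&ChangeUIPasswd=&ChangeUIPasswd=",
    "two empty": "ChangeUIPasswd=&ChangeUIPasswd=",
}

def compare():
    return {name: (inferred_fail_open(b), fail_closed(b)[0])
            for name, b in CASES.items()}
```

compare() returns, per case, the screen each handler would show: the model grants access for the single-byte and two-field requests, while the fail-closed handler shows the login screen for all four.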
Solution:
We were unable to find a setting to disable the ATA-186's web-based
configuration tool. Until this problem is resolved by Cisco, we highly
recommend that anyone using or deploying Cisco ATA-186s be aware of this
issue and implement appropriate filtering to prevent external attacks.
Firms using the ATA-186 as an access device to provide long distance or
other voice services may want to explore whether this vulnerability could
result in customer abuse.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:pmk-bugtraq@wealsowalkdogs.com> Patrick Michael Kane.