[27492] in bugtraq
Re: Undocumented account vulnerability in Avaya P550R/P580/P880/P882
daemon@ATHENA.MIT.EDU (Jacek Lipkowski)
Fri Oct 18 00:02:48 2002
Date: Thu, 17 Oct 2002 11:14:48 +0200 (CEST)
From: Jacek Lipkowski <sq5bpf@andra.com.pl>
To: Mike Scher <mscher@neohapsis.com>
In-Reply-To: <Pine.LNX.4.44.0210161803400.13299-100000@7of9.neohapsis.com>
Message-ID: <Pine.LNX.4.44.0210171036510.6968-100000@hash.intra.andra.com.pl>

On Wed, 16 Oct 2002, Mike Scher wrote:
> 1) The accounts (manuf and diag) are clearly present in the config and
> easily seen with 'show running-conf' or 'show startup-conf'
They are also documented in the Cajun guides, usually they just say 'don't
touch these accounts'
> 2) They are system accounts and cannot be deleted
> 3) They have by default the passwords indicated by Mr. Lipkowski
> 4) They CAN have their passwords changed by the 'root user' and the
> changes save successfully across reloads.
The root user can always change the passwords in any version, just
download the config file, make modifications to it, and upload it back
again via tftp (this was mentioned in the advisory as a workaround).
[...]
> While testing, we noticed that accounts with the same password show the
> same saved hash, indicating that only one salt is in use. That may be a
> legacy item on the P550, which is discontinued and stuck at 4.3.5 version
> software.
No, the salt is static in all "bigger" Cajuns. This item was also
mentioned during my discussion with Avaya. Actually I wouldn't be
surprised if all Cajuns used the same hash (which is easy to check - just
compare the hashes from my advisory with the hashes on your switch).
Btw, does anyone know what it is? It looks like the result of a Unix MD5
crypt, which is $1$salt$hash, but with the $1$salt part cut off.
jacek
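
The check discussed in this message (equal passwords giving equal stored hashes, and comparing stored hashes against published ones), as an added example that is not part of the original post. The hash scheme is a stand-in (PBKDF2-HMAC-SHA256), since the message does not identify the device's algorithm; the salt, the passwords and the 'oper' account are constructed.

```python
import hashlib
import os
from collections import defaultdict

STATIC_SALT = b"fixedsalt"  # constructed; stands in for one device-wide salt

def salted_hash(password, salt):
    # Stand-in scheme, NOT the Cajun algorithm (which the message leaves unidentified).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000).hex()

def store_static(password):
    # Same salt for every account, so the salt is not stored with the hash
    # (compare "$1$salt$hash with the $1$salt part cut off").
    return salted_hash(password, STATIC_SALT)

def store_random(password):
    # Per-account random salt, stored next to the hash.
    salt = os.urandom(8)
    return salt.hex() + "$" + salted_hash(password, salt)

def build(store):
    # Constructed account table: two pairs of accounts share a password.
    passwords = {"root": "pw-A", "oper": "pw-A", "manuf": "pw-B", "diag": "pw-B"}
    return {name: store(pw) for name, pw in passwords.items()}

def shared_hashes(accounts):
    """Groups of account names whose stored value is identical."""
    groups = defaultdict(list)
    for name, stored in accounts.items():
        groups[stored].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def matches_published(accounts, published):
    """Accounts whose stored value equals a value published elsewhere."""
    return sorted(n for n, stored in accounts.items() if stored in published)

if __name__ == "__main__":
    published = {store_static("pw-B")}  # constructed stand-in for an advisory's hash
    for label, store in (("static salt", store_static), ("random salt", store_random)):
        db = build(store)
        print(label, "shared:", shared_hashes(db),
              "published match:", matches_published(db, published))
```

With the static salt, a hash published from one device identifies the same password on any other device; with per-account salts neither comparison yields anything.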