Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches
From: Mike Scher <mscher () neohapsis com>
Date: Wed, 16 Oct 2002 18:20:36 -0500 (CDT)

In response to tbe below, we examined this issue on a Cajun P550 (not
550R) with software version 4.3.5.

We found:

1) The accounts (manuf and diag) are clearly present in the config and
easily seen with 'show running-conf' or 'show startup-conf'
2) They are system accounts and cannot be deleted
3) They have by default the passwords indicated by Mr. Lipkowski
4) They CAN have their passwords changed by the 'root user' and the
changes save sucessfully across reloads.

We'd ask that others verify (for other software/hardware combinations)
whether they can change the account passwords ( 'username manuf password
foo' ), and save them ( 'copy running-config startup-config' ), reload,
and check whether the passwords changes have saved.

As an aside:

While testing, we noticed that accounts with the same password show the
same saved hash, indicating that only one salt is in use.  That may be a
legacy item on the P550, which is discontinued and stuck at 4.3.5 version

We'd ask others to check whether this (minor, but nevertheless real) issue
is present in newer revisions as well.


Michael Scher         |     Director, Neohapsis Labs
mscher () neohapsis com  |     General Counsel

On Tue, 15 Oct 2002, Jacek Lipkowski wrote:

Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches

1. Problem Description

Two undocummented accounts with default passwords allow access via telnet
and the web interface to Cajun P550R/P580/P880/P882 switches. Both
accounts give developer access to the switch. The vulnerability can be
avioded by upgrading to software version 5.3.0 or later and disabling the

2. Tested systems

The following versions were tested and found vulnerable:

Avaya Cajun P580 software version 5.2.14

All previous software versions are assumed to be vulnerable. This
problem is present in P550R,P580,P880 and P882.

3. Details

The vulnerable firmware installs the following strings into the switch
configuration by default:

username "root" password encrypted-type1 "$tSfIcnbTP.pxRf7BrhGW31"
access-type admin
username "diag" password encrypted-type1 "$PQO.vGxkvDHkEDCJ2YsoD1"
access-type read-write
username "manuf" password encrypted-type1 "$seHFLP9b16m2v/534WCk90"
access-type read-write

The only documented password is for the root user. This user can't
change the diag and manuf accounts.

The un-documented passwords are:

user  password
----  --------
diag  danger
manuf xxyyzz

Both of these accounts give developer access to the switch (read-write
access-type), which is more priviliged than normal administrative access
(admin access-type).

4. Recommendations

As always it is good administrative practice to block access to
administrative interfaces (telnet, web) at the firewall. Upgrading to
software version 5.3.0 or later and disabling the accounts resolves ths

As a temporary workaround download the configuration file via tftp, edit
out these accounts, or change their password hashes, and upload it to the

5. Vendor status

AVAYA was informed on 2 Oct 2002. The vendor responded the same day, proved
responsive and worked promptly on the problem. I have agreed to release the
information after the release of the official AVAYA advisory. The official
Avaya advisory was out on 11 Oct 2002. The fixed software is avaliable from the
Avaya support site http://support.avaya.com.

Official AVAYA security advisories are located at

6. Disclaimer

Neither I nor my employer is responsible for the use or misuse of
information in this advisory.  The opinions expressed are my own and not
of any company.  Any use of the information is at the user's own risk.

Jacek Lipkowski sq5bpf () andra com pl

Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]