Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches
From: Jacek Lipkowski <sq5bpf () andra com pl>
Date: Thu, 17 Oct 2002 11:14:48 +0200 (CEST)

On Wed, 16 Oct 2002, Mike Scher wrote:

1) The accounts (manuf and diag) are clearly present in the config and
easily seen with 'show running-conf' or 'show startup-conf'

They are also documented in the Cajun guides, usually they just say 'don't
touch these accounts'

2) They are system accounts and cannot be deleted
3) They have by default the passwords indicated by Mr. Lipkowski
4) They CAN have their passwords changed by the 'root user' and the
changes save sucessfully across reloads.

The root user can always change the passwords in any version , just
download the config file, make modifications to it, and upload it back
again via tftp (this was mentioned in the advisory as a workaround).

While testing, we noticed that accounts with the same password show the
same saved hash, indicating that only one salt is in use.  That may be a
legacy item on the P550, which is discontinued and stuck at 4.3.5 version

No, the salt is static in all "bigger" cajuns. This item was also
mentioned during my discussion with Avaya. Actually i wouldn't be
surprised if all cajuns used the same hash (which is easy to check - just
compare the hashes from my advisory with the hashes on your switch).

btw does anyone know what it is? it looks like the result of a unix md5
crypt, which is $1$salt$hash, but with the $1$salt part cut off.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]