Cisco ATA 186 Analog Telephone Adaptor Discloses Device Password to Remote Users and May Also Let Remote Users Modify the Configuration Without Having the Password
SecurityTracker Alert ID: 1004281|
SecurityTracker URL: http://securitytracker.com/id/1004281
(Links to External Site)
Date: May 11 2002
Disclosure of authentication information, Modification of system information, User access via network|
Exploit Included: Yes |
Version(s): Firmware version 2.14|
An authentication vulnerability was reported in Cisco's ATA 186 Analog Telephone Adaptor. A remote user can determine the management password or can gain access to the management interface to change the configuration.|
It is reported that a remote user can generate an HTTP POST containing a single byte to cause the ATA-186 to display its configuration screen, which includes the plain text password for the device.
A demonstration exploit command using the curl utility is provided:
curl -d a http://[targetdevice]/dev
It is also reported that a remote user may be able to reconfigure the device even without the password, due to a potentially weak authentication mechanism. According to the report, the device may be using the type and number of HTTP inputs to determine whether to allow configuration. For example, a remote user can craft a URL with two "ChangeUIPasswd" arguments to gain access to the device to modify the configuration.
A remote user can obtain the plain text device password. A remote user may be able to modify the configuration without having the password.|
No solution was available at the time of this entry.|
Vendor URL: www.cisco.com/warp/public/cc/pd/as/180/186/ (Links to External Site)
Access control error, Authentication error|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: Thu, 9 May 2002 10:30:11 -0700|
Subject: Cisco ATA-186 admin password can be trivially circumvented
The Cisco ATA-186 Analog Telephone adapter interfaces "legacy" analog
telephones to VoIP networks. The adapter can be configured via a web
interface, that typically requires a password to access.
Unfortunately, this password protection can be trivially circumvented.
On two ATA-186s that we tested, both running that latest released
firmware (v2.14) a simple HTTP POST containing a single byte would
cause the ATA-186 to display its configuration screen.
Using curl, for example:
curl -d a http://ata186.example.com/dev
Reveals the configuration for the device. Since the device does not
hash its password, the actual password can be gleaned from this
screen. The device can also be reconfigured in this way by
constructing an HTTP POST with the appropriate parameters.
The same URL is used to authenticate to the device and modify its
configuration. A review of the HTML source code for the configuration
tool screen reveals no hidden parameters that could be used to
maintain state. As a result, we believe that the device is using the
type and number of HTTP inputs to determine whether to allow
For example, if three "ChangeUIPasswd" arguments are supplied to the
device without any values, it displays the login screen. Similarly,
if three ChangeUIPasswd values are supplied, one with a value that
does not match the password stored in the device's configuration, the
login screen is displayed again.
If anything else is supplied, the device appears to assume that the
user has authenticated and is supplying a configuration. Humorously,
passing only two "ChangeUIPasswd" arguments to the device causes it to
We were unable to find a setting to disable the ATA-186's web-based
configuration tool. Until this problem is resolved by Cisco, we
highly recommend that anyone using or deploying Cisco ATA-186s be
aware of this issue and implement appropriate filtering to prevent
external attacks. Firms using the ATA-186 as an access device to
provide long distance or other voice services may want to explore
whether this vulnerability could result in customer abuse.
Patrick Michael Kane
We Also Walk Dogs