SecurityTracker.com
Category:   Device (VoIP/Phone/FAX)  >   Cisco ATA Analog Telephone Adaptor
Vendors:   Cisco
Cisco ATA 186 Analog Telephone Adaptor Discloses Device Password to Remote Users and May Also Let Remote Users Modify the Configuration Without Having the Password
SecurityTracker Alert ID:  1004281
SecurityTracker URL:  http://securitytracker.com/id/1004281
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 11 2002
Impact:   Disclosure of authentication information, Modification of system information, User access via network
Exploit Included:  Yes  
Version(s): Firmware version 2.14
Description:   An authentication vulnerability was reported in Cisco's ATA 186 Analog Telephone Adaptor. A remote user can determine the management password or can gain access to the management interface to change the configuration.

It is reported that a remote user can generate an HTTP POST containing a single byte to cause the ATA-186 to display its configuration screen, which includes the plain text password for the device.

A demonstration exploit command using the curl utility is provided:

curl -d a http://[targetdevice]/dev

It is also reported that a remote user may be able to reconfigure the device even without the password, due to a potentially weak authentication mechanism. According to the report, the device may be using the type and number of HTTP inputs to determine whether to allow configuration. For example, a remote user can craft a URL with two "ChangeUIPasswd" arguments to gain access to the device to modify the configuration.

Impact:   A remote user can obtain the plain text device password. A remote user may be able to modify the configuration without having the password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.cisco.com/warp/public/cc/pd/as/180/186/
Cause:   Access control error, Authentication error
Underlying OS:  

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Cisco Issues Fix) Re: Cisco ATA 186 Analog Telephone Adaptor Discloses Device Password to Remote Users and May Also Let Remote Users Modify the Configuration Without Having the Password   (Cisco Systems Product Security Incident Response Team <psirt@cisco.com>)
Cisco has issued a fix.



 Source Message Contents

Date:  Thu, 9 May 2002 10:30:11 -0700
Subject:  Cisco ATA-186 admin password can be trivially circumvented


The Cisco ATA-186 Analog Telephone adapter interfaces "legacy" analog
telephones to VoIP networks.  The adapter can be configured via a web
interface, that typically requires a password to access.

Unfortunately, this password protection can be trivially circumvented.
On two ATA-186s that we tested, both running the latest released
firmware (v2.14), a simple HTTP POST containing a single byte would
cause the ATA-186 to display its configuration screen.

Using curl, for example:

curl -d a http://ata186.example.com/dev

Reveals the configuration for the device.  Since the device does not
hash its password, the actual password can be gleaned from this
screen.  The device can also be reconfigured in this way by
constructing an HTTP POST with the appropriate parameters.

The same URL is used to authenticate to the device and modify its
configuration.  A review of the HTML source code for the configuration
tool screen reveals no hidden parameters that could be used to
maintain state.  As a result, we believe that the device is using the
type and number of HTTP inputs to determine whether to allow
configuration.

For example, if three "ChangeUIPasswd" arguments are supplied to the
device without any values, it displays the login screen.  Similarly,
if three ChangeUIPasswd values are supplied, one with a value that
does not match the password stored in the device's configuration, the
login screen is displayed again.

If anything else is supplied, the device appears to assume that the
user has authenticated and is supplying a configuration.  Humorously,
passing only two "ChangeUIPasswd" arguments to the device causes it to
allow configuration.

We were unable to find a setting to disable the ATA-186's web-based
configuration tool.  Until this problem is resolved by Cisco, we
highly recommend that anyone using or deploying Cisco ATA-186s be
aware of this issue and implement appropriate filtering to prevent
external attacks.  Firms using the ATA-186 as an access device to
provide long distance or other voice services may want to explore
whether this vulnerability could result in customer abuse.

Best,
-- 
Patrick Michael Kane
We Also Walk Dogs
<pmk-bugtraq@wealsowalkdogs.com>
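
The filtering recommended in the message above can be paired with log review. The following is an added example, not part of the original advisory or message: it classifies requests to /dev by the input pattern the report describes and flags those arriving from outside an assumed management subnet (10.20.0.0/24). The log format, the addresses and the SettingA/SettingB field names are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Assumption: the only subnet allowed to administer the adapters.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed records: source IP, method, URL, captured body ("-" = none).
# "SettingA"/"SettingB" are placeholder field names, not real ATA-186 fields.
SAMPLE_LOG = """\
10.20.0.15 POST /dev ChangeUIPasswd=&ChangeUIPasswd=&ChangeUIPasswd=
10.20.0.15 POST /dev SettingA=0&SettingB=1
203.0.113.7 POST /dev a
198.51.100.23 GET /dev?ChangeUIPasswd=&ChangeUIPasswd= -
198.51.100.23 POST /dev ChangeUIPasswd=x&ChangeUIPasswd=&ChangeUIPasswd=
192.0.2.44 GET /index.html -
"""

def request_shape(url, body):
    """Classify a /dev request by the inputs the report says the device keys on."""
    fields = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body != "-":
        fields += parse_qsl(body, keep_blank_values=True)
    if not fields:
        return "no-input"
    passwd_args = sum(1 for name, _ in fields if name == "ChangeUIPasswd")
    # Exactly three ChangeUIPasswd inputs is the login form; per the report,
    # any other input set is treated as an authenticated configuration.
    return "login-form" if passwd_args == 3 else "config-shaped"

def scan(log_text):
    """Return (source, verdict) for every request that targets /dev."""
    results = []
    for line in log_text.splitlines():
        src, _method, url, body = line.split(" ", 3)
        if urlsplit(url).path.rstrip("/") != "/dev":
            continue
        if ipaddress.ip_address(src) in MGMT_NET:
            # No session state exists, so shape cannot separate admin from bypass.
            verdict = "ok"
        elif request_shape(url, body) == "config-shaped":
            verdict = "ALERT bypass-shaped request"
        else:
            verdict = "WARN external access to config UI"
        results.append((src, verdict))
    return results

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(src, verdict)
```

Because the report found no state-keeping parameters in the configuration page, source address is the only reliable discriminator here; the shape check only raises the severity of external hits.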

 
 



Copyright 2013, SecurityGlobal.net LLC