The Cisco ATA-186 Analog Telephone adapter interfaces "legacy" analog telephones to VoIP networks. The adapter can be configured via a web interface, that typically requires a password to access. Unfortunately, this password protection can be trivially circumvented. On two ATA-186s that we tested, both running that latest released firmware (v2.14) a simple HTTP POST containing a single byte would cause the ATA-186 to display its configuration screen. Using curl, for example: curl -d a http://ata186.example.com/dev Reveals the configuration for the device. Since the device does not hash its password, the actual password can be gleaned from this screen. The device can also be reconfigured in this way by constructing an HTTP POST with the appropriate parameters. The same URL is used to authenticate to the device and modify its configuration. A review of the HTML source code for the configuration tool screen reveals no hidden parameters that could be used to maintain state. As a result, we believe that the device is using the type and number of HTTP inputs to determine whether to allow configuration. For example, if three "ChangeUIPasswd" arguments are supplied to the device without any values, it displays the login screen. Similarly, if three ChangeUIPasswd values are supplied, one with a value that does not match the password stored in the device's configuration, the login screen is displayed again. If anything else is supplied, the device appears to assume that the user has authenticated and is supplying a configuration. Humorously, passing only two "ChangeUIPasswd" arguments to the device causes it to allow configuration. We were unable to find a setting to disable the ATA-186's web-based configuration tool. Until this problem is resolved by Cisco, we highly recommend that anyone using or deploying Cisco ATA-186s be aware of this issue and implement appropriate filtering to prevent external attacks. Firms using the ATA-186 as an access device to provide long distance or other voice services may want to explore whether this vulnerability could result in customer abuse. Best, -- Patrick Michael Kane We Also Walk Dogs <pmk-bugtraq@wealsowalkdogs.com>
