Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Cisco :: cisc5341.htm

Cisco ATA-186 admin password can be trivially circumvented



13th May 2002 [SBWID-5341]
COMMAND

	Cisco ATA-186 admin password can be trivially circumvented

SYSTEMS AFFECTED

	Cisco ATA-186

PROBLEM

	In Patrick Michael Kane [http://www.wealsowalkdogs.com] post :
	

	The Cisco ATA-186 Analog Telephone adapter interfaces \"legacy\"  analog
	telephones to VoIP networks. The adapter can be  configured  via  a  web
	interface, that typically requires a password to access.
	

	Unfortunately, this password protection can be  trivially  circumvented.
	On two ATA-186s that  we  tested,  both  running  that  latest  released
	firmware (v2.14) a simple HTTP  POST  containing  a  single  byte  would
	cause the ATA-186 to display its configuration screen.
	

	Using curl, for example:
	

	curl -d a http://ata186.example.com/dev

	

	Reveals the configuration for the device.  Since  the  device  does  not
	hash its password, the actual password can be gleaned from this  screen.
	The device can also be reconfigured in this way by constructing an  HTTP
	POST with the appropriate parameters.
	

	The same URL is used to  authenticate  to  the  device  and  modify  its
	configuration. A review of the HTML source code  for  the  configuration
	tool screen reveals no hidden parameters that could be used to  maintain
	state. As a result, we believe that the device is  using  the  type  and
	number of HTTP inputs to determine whether to allow configuration.
	

	For example, if three \"ChangeUIPasswd\" arguments are supplied  to  the
	device without any values, it displays the login screen.  Similarly,  if
	three ChangeUIPasswd values are supplied, one with  a  value  that  does
	not match the password stored in the device\'s configuration, the  login
	screen is displayed again.
	

	If anything else is supplied, the device  appears  to  assume  that  the
	user has authenticated and is  supplying  a  configuration.  Humorously,
	passing only two \"ChangeUIPasswd\" arguments to the  device  causes  it
	to allow configuration.

SOLUTION

	 Update  (24 May 2002)

	 ======

	

	See :
	

	 http://www.cisco.com/warp/public/707/ata186-password-disclosure.shtml

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH