Bugtraq mailing list archives

Re: Cisco Security Advisory: IOS HTTP authorization vulnerability


From: "Peder Angvall" <peder () angvall com>
Date: Tue, 3 Jul 2001 12:55:08 -0500

From RFC 1994 (CHAP):

"CHAP requires that the secret be available in plaintext form.
   Irreversably encrypted password databases commonly available cannot
   be used."


Peder

----- Original Message -----
From: "Carson Gaspar" <carson () taltos org>
To: "Eric Vyncke" <evyncke () cisco com>; <bugtraq () securityfocus com>
Sent: Monday, July 02, 2001 5:35 PM
Subject: Re: Cisco Security Advisory: IOS HTTP authorization vulnerability




--On Friday, June 29, 2001 10:00 AM +0200 Eric Vyncke <evyncke () cisco com>
wrote:

As you probably know, for some passwords (used notably for SNMP, CHAP,
PAP, IKE, ...) there is a protocol need to get those passwords in the
clear. Hence, the obfuscation mechanism will always be reversible. Even
using 3DES will require a hard coded key hidden somewhere in the IOS
code (and a 'simple' reverse engineering will expose this key).

Of course, suggestions are welcome.

For CHAP, do you actually need the password in the clear, or do you need
the password+realm hash? The latter is far less dangerous.

--
Carson
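
Added example (not part of the original thread and not Cisco's code): the RFC 1994 response calculation behind the quoted sentence, showing why an authenticator that holds only an irreversible hash cannot check a CHAP response. The secret, salt, identifier and the salted SHA-256 "password database" entry are constructed sample values and assumptions for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 sec. 4.1: MD5 over Identifier octet || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_with_plaintext(stored_secret: bytes, identifier: int,
                          challenge: bytes, response: bytes) -> bool:
    """Authenticator that stores the shared secret itself (what CHAP requires)."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_hashed_db(stored_hash: bytes, identifier: int,
                          challenge: bytes, response: bytes) -> bool:
    """Authenticator that stores only a one-way hash of the secret.

    It cannot recover the secret, so the best it can do is feed the stored
    hash into the same formula, which yields a different MD5 input.
    """
    expected = chap_response(identifier, stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-shared-secret"        # constructed sample value
    salt = b"constructed-salt"                   # constructed sample value
    stored_hash = hashlib.sha256(salt + secret).digest()  # stand-in one-way DB entry

    identifier = 7
    challenge = os.urandom(16)                   # fresh per authentication
    response = chap_response(identifier, secret, challenge)  # peer knows the secret

    return {
        "plaintext_db": verify_with_plaintext(secret, identifier, challenge, response),
        "hashed_db": verify_with_hashed_db(stored_hash, identifier, challenge, response),
        # The same response against a new identifier and challenge must fail.
        "stale_response": verify_with_plaintext(secret, identifier + 1,
                                                os.urandom(16), response),
    }


if __name__ == "__main__":
    print(demo())
```

If both ends agreed to use the stored hash as the CHAP secret instead, that hash would itself be the value that has to be kept available in usable form on the device.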


