Re: Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches

[Jacek Lipkowski <sq5bpf () andra com pl>]

On Wed, 16 Oct 2002, Mike Scher wrote:

> 1) The accounts (manuf and diag) are clearly present in the config and
> easily seen with 'show running-conf' or 'show startup-conf'

They are also documented in the Cajun guides, usually they just say 'don't
touch these accounts'

> 2) They are system accounts and cannot be deleted
> 3) They have by default the passwords indicated by Mr. Lipkowski
> 4) They CAN have their passwords changed by the 'root user' and the
> changes save sucessfully across reloads.

The root user can always change the passwords in any version , just
download the config file, make modifications to it, and upload it back
again via tftp (this was mentioned in the advisory as a workaround).

[...]
> While testing, we noticed that accounts with the same password show the
> same saved hash, indicating that only one salt is in use.  That may be a
> legacy item on the P550, which is discontinued and stuck at 4.3.5 version
> software.

No, the salt is static in all "bigger" cajuns. This item was also
mentioned during my discussion with Avaya. Actually i wouldn't be
surprised if all cajuns used the same hash (which is easy to check - just
compare the hashes from my advisory with the hashes on your switch).

btw does anyone know what it is? it looks like the result of a unix md5
crypt, which is $1$salt$hash, but with the $1$salt part cut off.

jacek