Bugtraq mailing list archives

Re: Aastra IP Telephone encrypted .tuz configuration file leakage

From: Timo Juhani Lindfors <timo.lindfors () iki fi>
Date: Mon, 18 Feb 2013 16:13:26 +0200

noreply () aastra com writes:

Vulnerability fixed in August 2012 release of anacrypt V1.04 encryption tool.  Available on the www.aastra.com 
website.

IP Phone Configuration File Encryption Tool - Microsoft Windows (Version 1.04, 08/2012, gz) (English, 45.78 KB) 

IP Phone Configuration File Encryption Tool - Linux 32 bit (Version 1.04, 08/2012, gz) (English, 9.18 KB) IP Phone 
Configuration File 

Encryption Tool - Linux 64 bit (Version 1.04, 08/2012, gz) (English, 9.89 KB)


Hmm, are you perhaps referring to some other vulnerability? It seems to
me that even V1.04 still uses ECB. If an input string that consists of
only the letter "A" repeated 48 times is encrypted using password
"foo123" the ciphertext shows blocks that are a clear sign of ECB:

$ printf AAAAAAAA  > 000000000000.cfg
$ printf AAAAAAAA >> 000000000000.cfg
$ printf AAAAAAAA >> 000000000000.cfg
$ printf AAAAAAAA >> 000000000000.cfg
$ printf AAAAAAAA >> 000000000000.cfg
$ printf AAAAAAAA >> 000000000000.cfg
$ anacrypt 000000000000.cfg -p foo123
Reading ./000000000000.cfg
Writing 000000000000.tuz

$ hexdump -C 000000000000.tuz
00000000  55 42 43 7f 80 f8 5c 98  0f fc af 26 9e da 16 8d  |UBC...\....&....|
00000010  00 81 57 9f 6f 75 35 30  b6 9d 8a 95 3a 43 2d bb  |..W.ou50....:C-.|
00000020  5d ed 1c 34 2b 90 3d 55  11 ed 1c 34 2b 90 3d 55  |]..4+.=U...4+.=U|
00000030  11 ed 1c 34 2b 90 3d 55  11 ed 1c 34 2b 90 3d 55  |...4+.=U...4+.=U|
00000040  11 ed 1c 34 2b 90 3d 55  11 89 b5 8a a6 c8 99 20  |...4+.=U....... |
00000050  c3 ed 1c 34 2b 90 3d 55  11                       |...4+.=U.|
00000059

$ anacrypt -h

Provides encryption of the configuration files used for the
family of Aastra IP phones, using 56bit triple-DES and site-specific keys.

Copyright (c) 2005-2012, Aastra Technologies, Ltd.
Copyright (c) 1999, Philip J. Erdelsky

anacrypt version: 1.0.4
Usage:
anacrypt {infile.cfg|-d <dir>} [-p password] [-m] [-i] [-v] [-h]
-d <dir> Specifes that all .cfg files in <dir> should be encrypted
[-p passwords] Specify password used to generate keys
-m Generate MAC.tuz files that are phone specific
-v1 Use version 1 encryption(Compatible with older phone models) 
-i Generate security.tuz file
-h Show this help screen

Current thread:

Re: Aastra IP Telephone encrypted .tuz configuration file leakage noreply (Feb 14)
- Re: Aastra IP Telephone encrypted .tuz configuration file leakage Timo Juhani Lindfors (Feb 18)