Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Patrick Michael Kane (pmk-bugtraqwealsowalkdogs.com)
Date: Thu May 09 2002 - 12:30:11 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    The Cisco ATA-186 Analog Telephone adapter interfaces "legacy" analog
    telephones to VoIP networks. The adapter can be configured via a web
    interface, that typically requires a password to access.

    Unfortunately, this password protection can be trivially circumvented.
    On two ATA-186s that we tested, both running that latest released
    firmware (v2.14) a simple HTTP POST containing a single byte would
    cause the ATA-186 to display its configuration screen.

    Using curl, for example:

    curl -d a http://ata186.example.com/dev

    Reveals the configuration for the device. Since the device does not
    hash its password, the actual password can be gleaned from this
    screen. The device can also be reconfigured in this way by
    constructing an HTTP POST with the appropriate parameters.

    The same URL is used to authenticate to the device and modify its
    configuration. A review of the HTML source code for the configuration
    tool screen reveals no hidden parameters that could be used to
    maintain state. As a result, we believe that the device is using the
    type and number of HTTP inputs to determine whether to allow

    For example, if three "ChangeUIPasswd" arguments are supplied to the
    device without any values, it displays the login screen. Similarly,
    if three ChangeUIPasswd values are supplied, one with a value that
    does not match the password stored in the device's configuration, the
    login screen is displayed again.

    If anything else is supplied, the device appears to assume that the
    user has authenticated and is supplying a configuration. Humorously,
    passing only two "ChangeUIPasswd" arguments to the device causes it to
    allow configuration.

    We were unable to find a setting to disable the ATA-186's web-based
    configuration tool. Until this problem is resolved by Cisco, we
    highly recommend that anyone using or deploying Cisco ATA-186s be
    aware of this issue and implement appropriate filtering to prevent
    external attacks. Firms using the ATA-186 as an access device to
    provide long distance or other voice services may want to explore
    whether this vulnerability could result in customer abuse.


    Patrick Michael Kane
    We Also Walk Dogs