[cisco-voip] UCOS Password Recovery (not reset)
Pete Brown
jpb at chykn.com
Sun Feb 2 20:29:39 EST 2014
I've received a few messages off list regarding the possibility of recovering (as opposed to just resetting) a cluster security password from a non-rooted, patched UCOS 6.x-9.x host. Short answer: yes, it's possible, contrary to the official responses...
https://supportforums.cisco.com/thread/2164756
Disclaimer: What's discussed below is best done in a lab environment and should never be done in production. It may render your box unsupportable, make your hair fall out or give you the urge to bark like a dog in meetings.
That being said, I've actually had to do this on a production host due to the fact that we inherited the environment but not all the passwords. The choice was either take one host down for 20 minutes to copy a file or take a longer outage on every host in the cluster as required by the official Cisco password reset process. Plus the official process is a change, so tack on a week to get approval from change management.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/8_6_1/cucos/iptpch2.html
Of course it's well known that the platformConfig.xml file contains the encrypted passwords, but so far I haven't found any existing utilities to perform the decryption. Ended up writing one in C# this weekend; could use some volunteers to test it if anyone is interested. You point it toward your platformConfig.xml file and it will output the following...

Localhost Admin Name & Password
SFTP Password
Cluster Security Password
Application User Name & Password
Needless to say, the hard part is extracting this file from a non-rooted, patched UCOS host...
/usr/local/platform/conf/platformConfig.xml
I've only found two surefire ways to do it without rooting, but both require shutting down the host and booting to a live Linux ISO. If you're using a VM, create a snapshot between shutting down and booting to the ISO. If you accidentally change/delete something or the UCOS volumes are not cleanly dismounted (you hit the power), you may very well hose the box.
Local Copy to TFTP Method
1. Create a scratch XML file on your workstation. Can't be zero-length, so enter some junk text.
2. Upload the scratch XML file to the host's TFTP directory using the GUI.
3. Reboot the host to a live Linux ISO.
4. Mount the '/' and '/common' volumes.
5. Use 'cat' to copy the contents of platformConfig.xml to the scratch file in the TFTP directory. A straight copy would seem easier, but will not work due to the security settings of the newly created file.
6. Reboot the host, let it boot to UCOS as usual.
7. Use a TFTP client to download the scratch XML file from the host's TFTP server.
Remote Copy Method
1. Reboot the host to a live Linux ISO.
2. Configure networking.
3. Mount the '/' and '/common' volumes.
4. Use your favorite remote copy method (TFTP, FTP, SCP) to copy platformConfig.xml to a remote host.
5. Reboot the host, let it boot to UCOS as usual.
The first option requires no knowledge of Linux; the second is more straightforward. I took screenshots of the first process just in case. But before I finish documenting I thought I'd check with the group. Does anyone have a better way to get at this file? Maybe one that doesn't involve shutting down the host?
The only "shortcut" I've found so far takes advantage of a directory traversal bug which has been patched for some time...
http://www.securityfocus.com/archive/1/520414

Thanks,
Pete