[cisco-voip] UCOS Password Recovery (not reset)

Pete Brown jpb at chykn.com
Mon Feb 3 19:40:47 EST 2014


Here is the application that decrypts the passwords in platformConfig.xml.  It's been tested with 6.x, 8.x and 9.x.  Should work with 7.x as well.  Please let me know if you run into any problems or have feedback.
http://www.adhdtech.com/UCOS%20Password%20Decrypter.exe
Thanks,
Pete
From: jpb at chykn.com
To: cisco-voip at puck.nether.net
Date: Sun, 2 Feb 2014 19:29:39 -0600
Subject: [cisco-voip] UCOS Password Recovery (not reset)




I've received a few messages off list regarding the possibility of recovering (as opposed to just resetting) a cluster security password from a non-rooted, patched UCOS 6.x-9.x host.  Short answer; yes, it's possible, contrary to the official responses...
https://supportforums.cisco.com/thread/2164756
Disclaimer: What's discussed below is best done in a lab environment and should never be done in production.  It may render your box unsupportable, make your hair fall out or give you the urge to bark like a dog in meetings.
That being said, I've actually had to do this on a production host due to the fact that we inherited the environment but not all the passwords.  The choice was either take one host down for 20 minutes to copy a file or take a longer outage on every host in the cluster as required by the official Cisco password reset process.  Plus the official process is a change, so tack on a week to get approval from change management.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/8_6_1/cucos/iptpch2.html
Of course it's well known that the platformConfig.xml file contains the encrypted passwords, but so far I haven't found any existing utilities to perform the decryption.  Ended up writing one in C# this weekend; could use some volunteers to test it if anyone is interested.  You point it toward your platformConfig.xml file and it will output the following...
- Localhost Admin Name & Password
- SFTP Password
- Cluster Security Password
- Application User Name & Password
Needless to say, the hard part is extracting this file from a non-rooted, patched UCOS host...
/usr/local/platform/conf/platformConfig.xml
I've only found two surefire ways to do it without rooting, but both require shutting down the host and booting to a live Linux ISO.  If you're using a VM, create a snapshot between shutting down and booting to the ISO.  If you accidentally change/delete something or the UCOS volumes are not cleanly dismounted (you hit the power), you may very well hose the box.
Local Copy to TFTP Method
1. Create a scratch XML file on your workstation.  Can't be zero-length, so enter some junk text.
2. Upload scratch XML file to the host's TFTP directory using the GUI.
3. Reboot the host to a live Linux ISO.
4. Mount the '/' and '/common' volumes.
5. Use 'cat' to copy the contents of platformConfig.xml to the scratch file in the TFTP directory.  A straight copy would seem easier, but will not work due to the security settings of the newly created file.
6. Reboot the host, let it boot to UCOS as usual.
7. Use a TFTP client to download the scratch XML file from the host's TFTP server.
Remote Copy Method
1. Reboot the host to a live Linux ISO.
2. Configure networking.
3. Mount the '/' and '/common' volumes.
4. Use your favorite remote copy method (TFTP, FTP, SCP) to copy platformConfig.xml to a remote host.
5. Reboot the host, let it boot to UCOS as usual.
The first option requires no knowledge of Linux; the second is more straightforward.  I took screenshots of the first process just in case.  But before I finish documenting I thought I'd check with the group.  Does anyone have a better way to get at this file?  Maybe one that doesn't involve shutting down the host?
The only "shortcut" I've found so far takes advantage of a directory traversal bug which has been patched for some time...
http://www.securityfocus.com/archive/1/520414
Thanks,
Pete
