[cisco-voip] CUCM and Auto Fill Credentials

Charles Goldsmith wokka at justfamily.org
Thu Mar 15 08:53:22 EDT 2018


It's interesting, and scary: if you are on a system's network, it wouldn't be
hard to get people's passwords.

I did confirm that I have access to about 20 different AD passwords from
just 1 cluster.

Thanks for the info, Anthony.

On Thu, Mar 15, 2018 at 7:46 AM Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> I don't know about any of those additional files, and the FileList one was
> something I was looking for.
>
> Today's goal will be to write a Python script to: grab that file, then
> grab all phone configs, then auth against CUCM, and finally, store the
> credentials that worked.
>
> It might even be worth looking at the credentials which don't work,
> because it might tell you something about password habits, allowing you to
> predict future passwords. E.g. Summer2010
>
> On Mar 15, 2018 2:34 AM, "Stephen Welsh" <stephen.welsh at unifiedfx.com>
> wrote:
>
>> While we are on the subject, here are some other non-encrypted TFTP server
>> items:
>>
>>
>>    - ConfigFileCacheList.txt
>>    - FileList.txt
>>    - BinFileCacheList.txt
>>    - PerfMon.txt
>>    - ParamList.txt
>>    - lddefault.cfg
>>
>> So you could use the following to get a list of all the device MAC
>> addresses anonymously from the TFTP server:
>>
>> http://TFTPServer:6970/FileList.txt
>>
>> So with the scenario you describe and just the TFTP Server IP Address you
>> could scan all the device configs on the cluster to see if even just one of
>> them has the admin credentials saved accidentally on the SSH User/Password
>> field.
>>
>> I suspect this may apply to most clusters...
>>
>> Kind Regards
>>
>> Stephen Welsh
>> CTO
>> UnifiedFX
>>
>> On 15 Mar 2018, at 07:25, Stephen Welsh <stephen.welsh at unifiedfx.com>
>> wrote:
>>
>> Hi Anthony,
>>
>> Yes, the SSH credentials saved on the device page are available in clear
>> text in the phone XML config, it’s not just your environment unfortunately.
>> Also I believe the same thing applies for the Telepresence endpoints
>> (anything running CE including the DX) for the web page admin credentials
>> that are saved in the vendor config section.
>>
>> We noticed this a little while ago, but given that most people did not
>> populate it, we did not consider it a serious issue; however, the
>> auto-population of credentials is not something we considered. So yes, this
>> does look like a serious problem when you combine those two together.
>>
>> Kind Regards
>>
>> Stephen Welsh
>> CTO
>> UnifiedFX
>>
>> On 15 Mar 2018, at 01:50, Anthony Holloway <
>> avholloway+cisco-voip at gmail.com> wrote:
>>
>> I'm working on something, and was wondering if you could check something
>> for me, so I can better understand why and how often this is happening.
>>
>> So, I was looking at a phone config file today, and I noticed the ccmadmin
>> username and password were in the XML, and in plain text nonetheless.
>>
>> I found out that the browser, when told to remember your credentials,
>> will treat the SSH username/password fields as login fields whenever you
>> modify a phone, and you might unknowingly save your credentials for
>> clear-text view by unauthenticated users.
>>
>> Is anyone already aware of this?
>>
>> Could you run the following command on your clusters:
>>
>> *run sql select name, sshuserid from device where sshuserid is not null
>> and sshuserid <> ""*
>>
>> Then in the output, if there are any hits, look at the config XML file
>> for the phone and see if the passwords are there.
>>
>> E.g.,
>>
>> output might be:
>>
>> *SEP6899CD84B710 aholloway*
>>
>> So then you would navigate your browser to:
>>
>> *http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml*
>>
>> You then might have to view the HTML source of the page, because the
>> browser might mess up the output.
>>
>> You're then looking for the following two fields, your results will vary:
>>
>> *<sshUserId>aholloway</sshUserId>*
>> *<sshPassword>MyP@ssw0rd</sshPassword>*
>>
>> Then, since we now know it's happening, get a list of how many different
>> usernames you have with this command:
>>
>> *run sql select distinct sshuserid from device where sshuserid is not
>> null and sshuserid <> "" order by sshuserid*
>>
>> This could also be happening with Energy Wise settings, albeit not on the
>> same web pages.
>>
>> I'm curious about two things:
>>
>> 1) Is it even happening outside of my limited testing scenarios?
>> 2) How many different usernames and passwords were there?
>>
>> If the answers are yes, and 1 or more, then this is an issue Cisco should
>> address.
>>
>> The reason it's happening is that the way in which browsers identify
>> login forms is different from the way in which web developers understand
>> it to work.  Cisco uses the element attribute "autocomplete = false" on
>> these fields and, unfortunately, most browsers ignore that directive.
>>
>> I have noticed that this does not happen if you have more than 1 saved
>> password for the same site; rather, it will only happen if you use the same
>> login for the entire site.  Our highest chance of seeing this happen is
>> for operations teams where they log in with their own accounts, and do not
>> use DRS or OS Admin.
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
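The audit the thread describes (run the `run sql` query, then inspect each phone's cnf.xml for populated SSH fields) can be scripted for the cleanup step. The following is an added example, not code from the thread or from Cisco: it takes config XML already retrieved from the TFTP server (here replaced by constructed sample strings), flags devices whose `<sshUserId>`/`<sshPassword>` are set, and masks the password so the report itself does not leak it. The variant with an undeclared `xsi:` prefix is an assumption about real config files, included to show the fallback path.

```python
"""Audit phone config files (SEP<MAC>.cnf.xml) for saved SSH credentials.
Added example, not code from the thread: takes config XML already fetched
from the TFTP server (here constructed samples) and reports devices whose
<sshUserId>/<sshPassword> are populated, masking the password value."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed samples; element names follow the fields quoted in the thread.
SAMPLE_CONFIGS = {
    "SEP6899CD84B710.cnf.xml": "<device><sshUserId>aholloway</sshUserId>"
                               "<sshPassword>MyP@ssw0rd</sshPassword></device>",
    "SEP000000000001.cnf.xml": "<device><sshUserId></sshUserId>"
                               "<sshPassword></sshPassword></device>",
    # Assumed variant with an undeclared namespace prefix, which strict XML parsers reject.
    "SEP000000000002.cnf.xml": '<device xsi:type="axl:XIPPhone">'
                               "<sshUserId>ops_admin</sshUserId><sshPassword>x</sshPassword></device>",
}

def _field(xml_text: str, tag: str) -> str:
    """Return the text of <tag>, tolerating configs that are not well-formed XML."""
    try:
        return (ET.fromstring(xml_text).findtext(tag) or "").strip()
    except ET.ParseError:
        m = re.search(rf"<{tag}>(.*?)</{tag}>", xml_text, re.S)
        return m.group(1).strip() if m else ""

def mask(secret: str) -> str:
    """Keep the first character and the length so a finding is verifiable but not reusable."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""

def audit_config(filename: str, xml_text: str) -> Optional[Dict[str, object]]:
    """One finding per config with a saved SSH user or password, else None."""
    user, pwd = _field(xml_text, "sshUserId"), _field(xml_text, "sshPassword")
    if not user and not pwd:
        return None
    device = filename[:-len(".cnf.xml")] if filename.endswith(".cnf.xml") else filename
    return {"device": device, "sshUserId": user,
            "sshPassword": mask(pwd), "password_set": bool(pwd)}

def audit_all(configs: Dict[str, str]) -> List[Dict[str, object]]:
    """Return only the devices whose SSH fields need clearing in CUCM Administration."""
    return [f for f in (audit_config(n, t) for n, t in configs.items()) if f]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_CONFIGS):
        print(finding)
```

Each flagged device name maps straight back to the `name` column of the `run sql` query in the thread, so the two lists can be reconciled before the fields are cleared.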