[cisco-voip] CUCM and Auto Fill Credentials

Charles Goldsmith wokka at justfamily.org
Thu Mar 15 18:19:55 EDT 2018


Interestingly, none of these files come up for me on a 11.5.1.13902
system.  I can pull an XML file as Anthony showed previously, but not these
files.  On 9.1.2 and 11.0.1.2000 systems, I can view them just fine.  Did
something change in 11.5.1 or so to now allow these files?

I don't receive an error, just a blank page, and source is nil.

On Thu, Mar 15, 2018 at 2:35 AM Stephen Welsh <stephen.welsh at unifiedfx.com>
wrote:

> While we are on the subject here are some other non-encrypted TFTP server
> items:
>
>
>    - ConfigFileCacheList.txt
>    - FileList.txt
>    - BinFileCacheList.txt
>    - PerfMon.txt
>    - ParamList.txt
>    - lddefault.cfg
>
> So you could use the following to get a list of all the device MAC
> addresses anonymously from the TFTP server:
>
> http://TFTPServer:6970/FileList.txt
>
> So with the scenario you describe and just the TFTP Server IP Address you
> could scan all the device configs on the cluster to see if even just one of
> them has the admin credentials saved accidentally on the SSH User/Password
> field.
>
> I suspect this may apply to most clusters....
>
> Kind Regards
>
> Stephen Welsh
> CTO
> UnifiedFX
>
> On 15 Mar 2018, at 07:25, Stephen Welsh <stephen.welsh at unifiedfx.com>
> wrote:
>
> Hi Anthony,
>
> Yes, the SSH credentials saved on the device page are available in clear
> text in the phone XML config, it’s not just your environment unfortunately.
> Also I believe the same thing applies for the Telepresence endpoints
> (anything running CE including the DX) for the web page admin credentials
> that are saved in the vendor config section.
>
> We noticed this a little while ago but, given most people did not populate
> it, we did not consider it a serious issue; however, the auto-population of
> credentials is not something we considered. So yes, this does look like a
> serious problem when you combine those two together.
>
> Kind Regards
>
> Stephen Welsh
> CTO
> UnifiedFX
>
> On 15 Mar 2018, at 01:50, Anthony Holloway <
> avholloway+cisco-voip at gmail.com> wrote:
>
> I'm working on something, and was wondering if you could check something
> for me, so I can better understand why and how often this is happening.
>
> So, I was looking at a phone config file today, and I noticed the ccmadmin
> username and password was in the XML, and in plain text nonetheless.
>
> I found out that the browser, when told to remember your credentials, will
> treat the SSH username/password fields as login fields whenever you modify
> a phone, and you might unknowingly save your credentials for clear text
> view by unauthenticated users.
>
> Is anyone already aware of this?
>
> Could you run the following command on your clusters:
>
> *run sql select name, sshuserid from device where sshuserid is not null
> and sshuserid <> ""*
>
> Then in the output, if there are any hits, look at the config XML file for
> the phone and see if the passwords are there.
>
> E.g.,
>
> output might be:
>
> *SEP6899CD84B710 aholloway*
>
> So then you would navigate your browser to:
>
> *http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml*
>
> You then might have to view the HTML source of the page, because the
> browser might mess up the output.
>
> You're then looking for the following two fields, your results will vary:
>
> *<sshUserId>aholloway</sshUserId>*
> *<sshPassword>MyP at ssw0rd</sshPassword>*
>
> Then, since we now know it's happening, get a list of how many different
> usernames you have with this command:
>
> *run sql select distinct sshuserid from device where sshuserid is not null
> and sshuserid <> "" order by sshuserid*
>
> This could also be happening with Energy Wise settings, albeit not on the
> same web pages.
>
> I'm curious about two things:
>
> 1) Is it even happening outside of my limited testing scenarios?
> 2) How many different usernames and passwords were there?
>
> If the answers are yes, and 1 or more, then this is an issue Cisco should
> address.
>
> The reason it's happening is because the way in which browsers identify
> login forms is different from the way in which web developers understand
> it to work.  Cisco uses the element attribute "autocomplete = false" on
> these fields and unfortunately, most browsers ignore that directive.
>
> I have noticed that this does not happen if you have more than 1 saved
> password for the same site; rather, it will only happen if you use the same
> login for the entire site.  Our highest chance of seeing this happen is
> for operations teams where they log in with their own accounts, and do not
> use DRS or OS Admin.
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
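A defender-side audit, added here as an example and not code from the thread or from Cisco: it parses a phone config file in the format the thread describes and reports whether the SSH credential fields are populated, without echoing the password, then summarises the distinct usernames across a set of configs the way Anthony's second SQL query does. The XML sample is constructed; the element names sshUserId and sshPassword are those quoted above, and the assumption that a blank TFTP response (as Charles saw on 11.5.1) fails to parse is mine.

```python
"""Audit CUCM phone config files (SEP<MAC>.cnf.xml) for stored SSH credentials."""
import xml.etree.ElementTree as ET

# Constructed sample: the two fields the thread points at, plus unrelated noise.
SAMPLE_CNF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <devicePool><name>Default</name></devicePool>
  <sshUserId>aholloway</sshUserId>
  <sshPassword>MyP at ssw0rd</sshPassword>
</device>
"""

# Constructed sample of a config where the fields exist but are empty.
CLEAN_CNF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <sshUserId></sshUserId>
  <sshPassword></sshPassword>
</device>
"""


def find_stored_ssh_credentials(cnf_xml):
    """Report whether the SSH credential fields in one config are populated.

    Returns None when the body is not parseable XML (e.g. the blank page
    Charles describes; assumed behaviour). Otherwise returns a dict with
    the username and two booleans; the password value itself is never returned.
    """
    try:
        root = ET.fromstring(cnf_xml)
    except ET.ParseError:
        return None
    user = (root.findtext(".//sshUserId") or "").strip()
    pwd = (root.findtext(".//sshPassword") or "").strip()
    return {
        "user": user or None,
        "user_populated": bool(user),
        "password_populated": bool(pwd),
    }


def audit_configs(configs):
    """configs: iterable of (device_name, cnf_xml).

    Returns (devices with a stored password, sorted distinct usernames, unparseable devices).
    """
    affected, users, unreadable = [], set(), []
    for name, xml in configs:
        result = find_stored_ssh_credentials(xml)
        if result is None:
            unreadable.append(name)
        elif result["password_populated"]:
            affected.append(name)
            if result["user"]:
                users.add(result["user"])
    return affected, sorted(users), unreadable
```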

