<div dir="ltr">It's interesting, and scary: if you are on a system's network, it wouldn't be hard to get people's passwords.<div><br></div><div>I did confirm that I have access to about 20 different AD passwords from just 1 cluster.</div><div><br></div><div>Thanks for the info, Anthony</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Mar 15, 2018 at 7:46 AM Anthony Holloway <<a href="mailto:avholloway%2Bcisco-voip@gmail.com">avholloway+cisco-voip@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">I don't know about any of those additional files, and the FileList one was something I was looking for.<div dir="auto"><br></div><div dir="auto">Today's goal will be to write a Python script to: grab that file, then grab all phone configs, then auth against CUCM, and finally, store the credentials that worked.</div><div dir="auto"><br></div><div dir="auto">It might even be worth looking at the credentials which don't work, because it might tell you something about password habits, allowing you to predict future passwords. E.g. Summer2010</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mar 15, 2018 2:34 AM, "Stephen Welsh" <<a href="mailto:stephen.welsh@unifiedfx.com" target="_blank">stephen.welsh@unifiedfx.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">
While we are on the subject, here are some other non-encrypted TFTP server items:
<div><br>
</div>
<div>
<ul style="box-sizing:border-box;padding-left:2em;margin-top:0px;margin-bottom:16px">
<li style="box-sizing:border-box"><span style="background-color:rgba(255,255,255,0)">ConfigFileCacheList.txt</span></li><li style="box-sizing:border-box;margin-top:0.25em"><span style="background-color:rgba(255,255,255,0)">FileList.txt</span></li><li style="box-sizing:border-box;margin-top:0.25em"><span style="background-color:rgba(255,255,255,0)">BinFileCacheList.txt</span></li><li style="box-sizing:border-box;margin-top:0.25em"><span style="background-color:rgba(255,255,255,0)">PerfMon.txt</span></li><li style="box-sizing:border-box;margin-top:0.25em"><span style="background-color:rgba(255,255,255,0)">ParamList.txt</span></li><li style="box-sizing:border-box;margin-top:0.25em"><span style="background-color:rgba(255,255,255,0)">lddefault.cfg</span></li></ul>
<div>So you could use the following to get a list of all the device MAC addresses anonymously from the TFTP server:</div>
<div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>
<div><span style="background-color:rgba(255,255,255,0)"><a href="http://tftpserver:6970/FileList.txt" target="_blank">http://TFTPServer:6970/FileList.txt</a></span></div>
<div><br>
</div>
<div>So with the scenario you describe and just the TFTP Server IP Address you could scan all the device configs on the cluster to see if even just one of them has the admin credentials saved accidentally on the SSH User/Password field.</div>
<div><br>
</div>
<div>I suspect this may apply to most clusters....</div>
<div><br>
</div>
<div>Kind Regards</div>
<div><br>
</div>
<div>Stephen Welsh</div>
<div>CTO</div>
<div>UnifiedFX</div>
<div><br>
On 15 Mar 2018, at 07:25, Stephen Welsh <<a href="mailto:stephen.welsh@unifiedfx.com" target="_blank">stephen.welsh@unifiedfx.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>Hi Anthony,
<div><br>
</div>
<div>Yes, the SSH credentials saved on the device page are available in clear text in the phone XML config, it’s not just your environment unfortunately. Also I believe the same thing applies for the Telepresence endpoints (anything running CE including the
DX) for the web page admin credentials that are saved in the vendor config section.</div>
<div><br>
</div>
<div>We noticed this a little while ago but, given most people did not populate it, did not consider it a serious issue; however, the auto-population of credentials is not something we considered. So yes, this does look like a serious problem when you combine those
two together.</div>
<div><br>
</div>
<div>Kind Regards</div>
<div><br>
</div>
<div>Stephen Welsh</div>
<div>CTO</div>
<div>UnifiedFX<br>
<div><br>
On 15 Mar 2018, at 01:50, Anthony Holloway <<a href="mailto:avholloway+cisco-voip@gmail.com" target="_blank">avholloway+cisco-voip@gmail.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div dir="auto"><span style="font-family:sans-serif;font-size:12.8px">I'm working on something, and was wondering if you could check something for me, so I can better understand why and how often this is happening.</span>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">So, I was looking at a phone config file today, and I noticed the ccmadmin username and password was in the XML, and in plain text nonetheless.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">I found out that the browser, when told to remember your credentials, will treat the SSH username/password fields as login fields whenever you modify a phone, and you might unknowingly be saving
your credentials for clear text view by unauthenticated users.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">Is anyone already aware of this?</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">Could you run the following command on your clusters:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b>run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""</b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">Then in the output, if there are any hits, look at the config XML file for the phone and see if the passwords are there.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">E.g., </div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">output might be:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b><font color="#cc0000">SEP6899CD84B710</font> aholloway</b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">So then you would navigate your browser to:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b>http://<tftpserver>:6970/<font color="#cc0000">SEP6899CD84B710</font>.cnf.xml</b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">You then might have to view the HTML source of the page, because the browser might mess up the output.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">You're then looking for the following two fields, your results will vary:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b><sshUserId>aholloway</sshUserId></b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b><sshPassword>MyP@ssw0rd</sshPassword></b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">Then, since we now know it's happening, get a list of how many different usernames you have with this command:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><font face="monospace"><b>run sql select distinct sshuserid from device where sshuserid is not null and sshuserid <> "" order by sshuserid</b></font></div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">This could also be happening with Energy Wise settings, albeit not on the same web pages.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">I'm curious about two things:</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">1) Is it even happening outside of my limited testing scenarios?</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">2) How many different usernames and passwords were there?</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">If the answers are yes, and 1 or more, then this is an issue Cisco should address.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">The reason it's happening is that the way in which browsers identify login forms is different from the way in which web developers understand it to work. Cisco uses the element attribute on
these fields "autocomplete = false" and unfortunately, most browsers ignore that directive.</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto"><br>
</div>
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">I have noticed that this does not happen if you have more than 1 saved password for the same site; rather, it will only happen if you use the same login for the entire site. Our highest chance
of seeing this happen is for operations teams where they log in with their own accounts, and do not use DRS or OS Admin.</div>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>cisco-voip mailing list</span><br>
<span><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a></span><br>
<span><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><br>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote></div></div>
</blockquote></div>
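An added audit helper for the check Anthony describes (example code written here, not code from the thread, from UnifiedFX or from Cisco): it reads already-downloaded SEP&lt;MAC&gt;.cnf.xml files, flags any whose sshPassword element is populated, and summarises affected devices and distinct user ids the way his two run sql queries do, without echoing the password itself. The sample configs are constructed, and the element names and nesting are assumed from the snippet quoted in his message.

```python
# Added example, not code from the thread: offline audit of CUCM phone config
# files (SEP<MAC>.cnf.xml) for the clear-text <sshUserId>/<sshPassword>
# fields described above. All sample configs below are constructed.
import xml.etree.ElementTree as ET

# Constructed samples keyed by device name (not real cluster data).
SAMPLE_CONFIGS = {
    "SEP6899CD84B710": "<device><sshUserId>aholloway</sshUserId>"
                       "<sshPassword>MyP@ssw0rd</sshPassword></device>",
    # Fields present but empty: nothing was saved on the device page.
    "SEP000000000001": "<device><sshUserId/><sshPassword/></device>",
    "SEP000000000003": "<device><sshUserId>ops.admin</sshUserId>"
                       "<sshPassword>Summer2010</sshPassword></device>",
    # Truncated download: must be reported, not silently treated as clean.
    "SEP000000000004": "<device><sshUserId>x</sshUserId>",
}


def audit_config(device_name, xml_text):
    """Return a finding dict if the config carries a non-empty SSH password,
    None if it is clean. Only the password's length is reported, so the
    audit output can be shared without re-exposing the credential.
    Raises ValueError on unparseable XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"{device_name}: not valid XML ({exc})") from exc
    # Search at any depth so the check does not depend on exact nesting.
    user = (root.findtext(".//sshUserId") or "").strip()
    password = (root.findtext(".//sshPassword") or "").strip()
    if not password:
        return None
    return {"device": device_name, "sshUserId": user,
            "password_len": len(password)}


def audit_cluster(configs):
    """Audit many configs at once, mirroring the thread's two 'run sql' checks:
    which devices have credentials saved and which distinct user ids are
    affected (each one is a password to rotate)."""
    findings, errors = [], []
    for name, text in configs.items():
        try:
            hit = audit_config(name, text)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if hit is not None:
            findings.append(hit)
    users = sorted({f["sshUserId"] for f in findings})
    return {"findings": findings, "distinct_users": users, "errors": errors}
```

Parse errors are listed separately rather than counted as clean, since a config the browser or download mangled is exactly the case where a missed field would give false comfort.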