2010-01-11 19:36:18

By Tim Brown

On a job recently, I was asked to look at a Sarian GSM router, specifically the configuration files for the device. This was interesting as the files contained a number of obfuscated strings which were clearly credentials, but for which I didn't know the plain text values. A quick Google turned up a document from Juniper on how to configure their devices to establish an IPsec tunnel with one. That document includes an example configuration file for the Sarian which gives the default credentials in both plain and obfuscated form. Returning to the configuration I had been given, it was clear that my device had different credentials, which left me with a bit of a problem. Having noticed that the obfuscated and plain text strings were of the same length, which is indicative of a stream cipher, I decided to check whether the algorithm used by Sarian was XOR based or whether it was in fact using a more secure stream cipher. The Perl code below shows how I did this:

#!/usr/bin/perl
# XOR each obfuscated byte with the corresponding plain text byte. If the
# scheme is a plain XOR, the result is the key stream, and it should be the
# same for both known credential pairs.
use strict;
use warnings;

print "password> ";
my @obfuscated = (0x28, 0x3e, 0x65, 0x49, 0x52, 0x43, 0x55, 0x58);
my @password = (0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64);   # "password"
for (my $counter = 0; $counter < 8; $counter++) {
        printf("%02x ", ($obfuscated[$counter] ^ $password[$counter]));
}
print "\n";
print "test> ";
@obfuscated = (0x2c, 0x3a, 0x65, 0x4e);
my @test = (0x74, 0x65, 0x73, 0x74);   # "test"
for (my $counter = 0; $counter < 4; $counter++) {
        printf("%02x ", ($obfuscated[$counter] ^ $test[$counter]));
}
print "\n";
print "\n";

Running this gave the following output, disclosing the key used to encrypt and decrypt the credentials:

$ ./boom.pl
password> 58 5f 16 3a 25 2c 27 3c
test> 58 5f 16 3a

As you can see, the first four bytes of the output are the same for both sets of default credentials, so the obfuscation is a fixed XOR key rather than a real stream cipher, and thus 0x3e3e7f56 ^ 0x585f163a = "fail".
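The same known-plaintext check, as an added example in Python that is not part of the original post: it merges the key stream recovered from any number of (plain, obfuscated) pairs, refuses to conclude "fixed XOR key" if two samples disagree at an offset, and only decodes another value as far as the recovered key stream reaches. The known pairs are the Sarian defaults quoted above; the 0x3e3e7f56 value is the one the post decodes.

```python
# Known-plaintext check for a fixed-key XOR obfuscation scheme.
# The (plain text, obfuscated bytes) pairs are the Sarian defaults quoted in the post.
KNOWN_PAIRS = [
    (b"password", bytes.fromhex("283e654952435558")),
    (b"test", bytes.fromhex("2c3a654e")),
]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(pairs) -> bytes:
    """XOR each pair to get key stream bytes and merge them by offset.
    Raises ValueError if two samples disagree at an offset, which would mean
    the scheme is not a fixed XOR key (e.g. a per-entry nonce or salt)."""
    keystream = bytearray()
    for plain, obf in pairs:
        if len(plain) != len(obf):
            raise ValueError("plain/obfuscated length mismatch")
        for i, k in enumerate(xor_bytes(plain, obf)):
            if i < len(keystream):
                if keystream[i] != k:
                    raise ValueError(f"keystream disagrees at offset {i}")
            else:
                keystream.append(k)
    return bytes(keystream)


def is_fixed_xor(pairs) -> bool:
    """True when every known pair yields the same key stream bytes."""
    try:
        recover_keystream(pairs)
        return True
    except ValueError:
        return False


def deobfuscate(obf: bytes, keystream: bytes) -> bytes:
    """Decode as far as the recovered key stream reaches; bytes past its end
    are unknown and reported as '?' rather than guessed."""
    return bytes(c ^ keystream[i] if i < len(keystream) else ord("?")
                 for i, c in enumerate(obf))


if __name__ == "__main__":
    ks = recover_keystream(KNOWN_PAIRS)
    print("keystream:", ks.hex())
    # The value the post decodes with the recovered key
    print(deobfuscate(bytes.fromhex("3e3e7f56"), ks))
```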

Mood: Tired

Music: int(rnd() * 40)
