AP: Built-in privileged "support" account
--------------------------------------------
The APs provide a built-in system account called "support". When connected to
the restricted shell of the AP via SSH, issuing the command "support" triggers
a password request:

    00:0b:86:XX:XX:XX# support
    Password:

A quick internet search clarified that this password is meant for use by Aruba
engineers only:
http://community.arubanetworks.com/...less-Access/OS5-0-support-password/td-p/26760
Further research led to the conclusion that this functionality provides
root-privileged shell access to the underlying operating system of the AP,
provided the correct password is entered.
-----------------------------------------------
AP: Static password hash for support account
-----------------------------------------------
The password hash for the "support" account mentioned in vulnerability #6 is
stored in plaintext on the AP.

    $ strings /aruba/bin/cli | grep ^bc5
    bc54907601c92efc0875233e121fd3f1cebb8b95e2e3c44c14

Random sampling of different versions of firmware images available on Aruba's
website confirmed that the password hash is identical for all versions. The
password check validating a given "support" password is based on the following
algorithm:

    SALT + sha1(SALT + PASSWORD)

where SALT equals the first 5 bytes of the password hash in binary
representation. It is possible to run a brute-force attack on this hash format
using JtR with the following input format:

    support:$dynamic_25$c92efc0875233e121fd3f1cebb8b95e2e3c44c14$HEX$bc54907601
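
Added example (not part of the original advisory and not Aruba's code): a Python
audit helper that splits the 25-byte value into salt and SHA-1 digest as
described above and reports whether a firmware blob embeds the static hash
quoted on this page. The function names are hypothetical, treating the password
as raw bytes is an assumption, and the sample blob and password are constructed.

```python
import hashlib
import hmac
import re

# Static value quoted in the advisory (strings /aruba/bin/cli | grep ^bc5).
PAGE_HASH = "bc54907601c92efc0875233e121fd3f1cebb8b95e2e3c44c14"
SALT_LEN = 5    # "first 5 bytes of the password hash"
SHA1_LEN = 20   # length of a SHA-1 digest

def split_support_hash(hex_value):
    """Return (salt, digest) from the SALT + sha1(SALT + PASSWORD) layout."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != SALT_LEN + SHA1_LEN:
        raise ValueError("expected 25 bytes: 5-byte salt + SHA-1 digest")
    return raw[:SALT_LEN], raw[SALT_LEN:]

def make_support_hash(salt, password):
    """Build a value in the advisory's format (password as bytes: assumption)."""
    return (salt + hashlib.sha1(salt + password).digest()).hex()

def check_support_password(stored_hex, password):
    """Recompute sha1(SALT + PASSWORD) and compare in constant time."""
    salt, digest = split_support_hash(stored_hex)
    return hmac.compare_digest(hashlib.sha1(salt + password).digest(), digest)

# A printable run of exactly 50 lowercase hex characters, as `strings` would show.
HEX50 = re.compile(rb"(?<![0-9a-f])[0-9a-f]{50}(?![0-9a-f])")

def audit_image(blob):
    """List 50-hex-char strings in a firmware blob and flag the static hash."""
    found = [m.group().decode() for m in HEX50.finditer(blob)]
    return {"candidates": found, "static_hash_present": PAGE_HASH in found}

if __name__ == "__main__":
    # Constructed stand-in for the bytes of /aruba/bin/cli.
    sample = b"\x7fELF\x00cli\x00" + PAGE_HASH.encode() + b"\x00Password: \x00"
    print(audit_image(sample))
    salt, digest = split_support_hash(PAGE_HASH)
    print("salt:", salt.hex(), "digest:", digest.hex())
    # Round trip with a constructed salt and password, not the real one.
    demo = make_support_hash(b"\x01\x02\x03\x04\x05", b"constructed-example")
    print(check_support_password(demo, b"constructed-example"))
```

Running audit_image over each extracted firmware version shows whether the same
static value ships in all of them, which is the condition the advisory reports.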