Hidden Low Hanging Avaya IP Office Default Credentials

Default credentials are among the most common low-hanging fruit in information security: they are easy to identify and easy to exploit, so attackers use them frequently. In this blog we go through the default credentials for Avaya IP Office, which an attacker can use to gain access and control features such as call management, logging, and conferencing. Avaya IP Office administration tools are usually accessed locally, but depending on the configuration they can also be reached over the internet via the Web Manager URL.

Introduction
Avaya IP Office is commonly used by enterprises for unified communication, meaning that IM, audio conferencing, video conferencing, desktop sharing, and VoIP can all be handled by a single device.

Avaya IP Office comes with the following system administration tools. Each tool performs a defined set of functions:

  • IP Office Manager
  • IP Office Web Manager
  • IP Office System Status
  • Phone Based Admin
  • System Monitor

Just like any other device, Avaya IP Office ships with default credentials, which administrators are generally not aware of. The default credentials for any version can be found in the help section of the IP Office Manager system administration tool.

In this blog, we analyze the default credentials for Avaya IP 500 V2 9.0.0.0 build 829. Most, if not all, of these default credentials should also work on other versions of Avaya IP Office.

User Accounts/How to Access:

| User Account | Access URL/Tool |
|---|---|
| Service user accounts | https://<IP Address>:8443 or https://<IP Address>:8443/webmanagement/WebManagement.html, or install the thick client application of the system administration tools mentioned above. |
| Security settings user account | Install the thick client application of the system administration tools mentioned above. |
| System settings user account | Install the thick client application of the system administration tools mentioned above. |

a) Service User Accounts:
The following default credentials were typically observed for the service user accounts:

| Username | Password |
|---|---|
| Administrator | Administrator |
| Maintainer | Maintainer |
| SMGRB5800Admin | SMGRB5800Admin |
| Operator | Operator |
| SCN_Admin | [Blank] |
| BusinessPartner | BusinessPartner |
| EnhTcpaService | EnhTcpaPwd1 |
| Manager | Manager |
| IPDECTService | [Blank] |

Note that, of these, the Administrator, Operator and BusinessPartner user accounts have rights to manage other users and are therefore highly preferred targets for attackers.

b) Security Settings Accounts:

The following default credentials were observed for the security settings account:

  • security/securitypwd

c) System Accounts:

The default system accounts do not have usernames; they only have the following default passwords:

System Password: password

VM Pro Password: blank

Monitor Password: password

Note: All the credentials are case sensitive.

How to Exploit:
The easiest way to hack into an Avaya IP Office is via the web URL (specified above), as it does not require installing any system administration tool application. Normally the Administrator password has been changed, but other user accounts may still be running with the default credentials. Using these default credentials, an attacker can easily gain control of the IP Office. Operator and BusinessPartner users can manage other users and can grant themselves all privileges, becoming equivalent to an Administrator. They can even change the password of an Administrator user.

Recommendations

For the complete list of default credentials applicable to your version of the product, please refer to the help section of your IP Office Manager software. It is recommended to change those passwords to strong ones that follow the password policy below:

  • At least eight characters in length
  • Contains mixed-case letters and numeric characters
  • Contains special character(s)
  • Is not the same as or closely related to the username
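
The policy above, written as a check that also rejects the default passwords listed in this post. This is an added example, not code from the original post or from Avaya; the function names, the sample account list, and the definition of "closely related" (the username appearing inside the password after lowercasing and stripping punctuation, forwards or reversed) are assumptions.

```python
import re

# Default passwords listed in this post ([Blank] entries are the empty string).
KNOWN_DEFAULTS = {
    "Administrator", "Maintainer", "SMGRB5800Admin", "Operator",
    "BusinessPartner", "EnhTcpaPwd1", "Manager", "securitypwd", "password", "",
}

def _norm(s):
    """Lowercase and drop non-alphanumerics so 'Op-erator1' compares as 'operator1'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def policy_violations(username, password):
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if password in KNOWN_DEFAULTS:
        problems.append("is a default password listed in this post")
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("lacks mixed-case letters")
    if not re.search(r"[0-9]", password):
        problems.append("lacks a numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("lacks a special character")
    # Assumption: "closely related" means the normalized username appears in
    # the normalized password, forwards or reversed.
    u, p = _norm(username), _norm(password)
    if u and (u in p or u[::-1] in p):
        problems.append("same as or closely related to the username")
    return problems

def audit(accounts):
    """Map each failing username to its list of violations."""
    return {u: v for u, pw in accounts if (v := policy_violations(u, pw))}

# Constructed sample: two pairs from the table above plus two made-up passwords.
SAMPLE = [
    ("Operator", "Operator"),
    ("SCN_Admin", ""),
    ("Maintainer", "Maintainer#2024"),  # meets the character rules, fails on username
    ("Manager", "k7#Vq!zu2Lw"),         # passes every rule
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE).items():
        print(f"{user}: " + "; ".join(reasons))
```
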

This blog post was written by Piyush Mittal.
