Default credentials are considered to be the most common, low hanging fruit, in the field of information security that is frequently exploited by the hackers as they are easily identifiable and exploitable. In this blog we will go through the default credentials for Avaya IP office, which can be used by an attacker to gain access and control the features such as call management, logging, and conferencing. Usually, Avaya IP office administration tools can be accessed locally, but depending upon the configuration it can be also accessed over internet via the web manager URL.
Avaya IP office is commonly used by enterprises for unified communication, which means IM, audio conferencing; video conferencing, desktop sharing, and VOIP can be performed using a single device.
Avaya IP office comes with following system administration tools. Each tool can perform a defined set of functions:
- IP Office Manager
- IP Office Web Manager
- IP Office system Status
- Phone Based Admin
- System Monitor
Just like any other device, Avaya IP office also comes with default credentials, which generally administrators are not aware of; however one can find these default credentials for any version by looking at the help section of the IP Office Manager System administration tool.
In the current blog, we will analyze default credentials for Avaya IP 500 V2 18.104.22.168 build 829. If not all, most of the default credentials should work for other versions of Avaya IP office too.
User Accounts/How to Access:
|User Account||Access URL/Tool|
|Service user accounts||https://<IP Address>:8443orhttps://<IPAddress>:8443/webmanagement/WebManagement.htmlorInstall the thick client application of system administration tools mentioned above.|
|Security settings user account||Install the thick client application of system administration tools mentioned above.|
|System settings user account||Install the thick client application of system administration tools mentioned above.|
a) Service User Accounts:
Typically following default credentials were observed for the service user accounts:
Note that out of this Administrator, Operator and BusinessPartner user accounts have rights to manage other users and hence are high preferred targets for the attackers.
b) Security Settings Accounts:
Following default credentials was observed for the security settings account:
c) System Accounts:
The default system accounts do not have any usernames. They just have following default passwords:
System Password: password
VM Pro Password: blank
Monitor Password: password
Note: All the credentials are case sensitive.
How to Exploit:
The easiest way to hack into an Avaya IP office is via web URL (specified above) as it does not require any system administration tool application installation. Normally, the Administrator password is changed, but other user accounts may run with the default credentials. Using these default credentials an attacker can easily gain control of the IP office. Operator or BusinessPartner users can manage other users and also have the capability to grant themselves all the privileges and become equivalent to an Administrator. Operator and BusinessPartner users can even change the password of an Administrator user.
For more information please refer help section of your IP Office Manager software to get complete list of the default credentials applicable to your version of the product, and it is recommended to change those passwords with a strong one following the below password policy:
- At least eight characters in length
- Contains mixed cased alphabets and numeric characters
- Contains special character(s) and
- Are not the same or closely related to their username.
This blog post was written by Piyush Mittal.