Cisco CUCM Directory Traversal / Reversible Obfuscation

Type packetstorm
Reporter FX
Modified 2011-11-08T00:00:00


Recurity Labs GmbH  
Date: 08.11.2011  
Vendor: Cisco Systems  
Product: CUCM Environment  
Cisco Unified Communications Manager (CallManager)  
Cisco IP Phone CP-7975G  
Vulnerability: Directory Traversal  
Reversible Obfuscation Algorithm  
SCCP service security issues  
CTFTP Information Leaks  
Voice VLAN Separation Activated Late  
Affected Releases: 7.0, 8.0(2)  
Severity: HIGH  
Vendor communication:  
25.05.2010 Initial notification to PSIRT  
25.05.2010 PSIRT acknowledges the report  
25.05.2010 Various acknowledgements from Cisco, some issues are  
apparently already known.  
28.05.2010 PSIRT still works on evaluations.  
17.06.2010 PSIRT updates on the issues reported  
03.02.2011 Requesting update from PSIRT  
04.02.2011 Response that the case handler has left PSIRT  
28.03.2011 A personal meeting during BlackHat Europe had  
effects, new case handler reports the directory  
traversal issue being fixed.  
11.10.2011 Checking back with PSIRT and providing draft  
11.10.2011 Latest status updates on two issues and  
agreement on 2011-10-26 coordinated release  
26.10.2011 Cisco releases cisco-sa-20111026-cucm  
08.11.2011 Release  
Product is Unified Communications solutions from Cisco Systems. From  
the Web Site:  
"Cisco Unified Communications Manager is an enterprise-class IP  
communications processing system for up to 40,000 users, extensible to  
80,000 users by way of a megacluster."  
There is a remotely exploitable directory traversal vulnerability in  
CUCM that allows attackers to read internal files available to the  
Tomcat user. By design, this user has access to various sensitive  
files. Therefore this vulnerability can be abused to lead to a full  
system compromise of the CUCM system.  
The vulnerability can be triggered before authentication.  
Other vulnerabilities and issues are documented within this advisory  
as well.  
Directory Traversal:  
The directory traversal vulnerability can be triggered from the  
following location:  
Reversible Obfuscation Algorithm:  
The file platformConfig.xml is used to store various configuration  
parameters which are used by the CUCM system. This includes network  
configuration as well as "encrypted" passwords. The passwords are  
encrypted using keys that are hardcoded within the system.  
SCCP service security issues:  
When one sends a RegisterMessage SCCP message with a malformed  
"DeviceName" containing a single quote, it appears that one can inject  
SQL commands. Additionally, while handling the malformed "DeviceName",  
when certain characters are processed by the ODBC driver, the driver  
crashes on a memcpy().  
CTFTP Information Leaks:  
The CTFTP service is a custom HTTP server that listens on port 6970.  
The following hardcoded paths can be used to disclose information  
about the CUCM configuration:  
- TFTP file list /ConfigFileCacheList.txt including phone  
configuration filename (which may contain passwords)  
- Other interesting locations /BinFileCacheList.txt, /FileList.txt,  
/PerfMon.txt, /ParamList.txt, /lddefault.cfg  
Voice VLAN Separation Activated Late:  
The Cisco phones have a port for connecting the PC that should not  
pass voice VLAN tagged packets. When the phone is properly configured  
it will only pass the correct packets to the PC port. It was however  
observed that during boot, an attacker has a time window of roughly  
10 seconds where they can receive and send voice VLAN tagged  
packets. This means that during that time, an attacker can gain access  
to the Voice VLAN without making any physical network changes (i.e. no  
need to disconnect the phone).  
Note that this has been tested on CP-7975G with an SCCP firmware  
Typical example is to read /etc/passwd:  
In this case we can read more useful files such as platformConfig.xml  
which contains obfuscated administrative passwords:  
Attackers can then login to the administrative Web interface by using  
the decoded credentials from this file.  
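As an added example that is not part of the advisory, the following Python classifies web-server access-log lines for the two request patterns discussed above: directory traversal aimed at the files the advisory names (/etc/passwd, platformConfig.xml) and requests for the hard-coded CTFTP list files. The log format, client addresses and request paths are constructed (the advisory does not disclose the vulnerable location), and because phones fetch the CTFTP files legitimately, a "ctftp-leak" hit is only meaningful when the client is not an expected phone.

```python
import re
from urllib.parse import unquote

# Hard-coded CTFTP (port 6970) file names listed in the advisory.
CTFTP_LEAK_PATHS = {
    "/ConfigFileCacheList.txt", "/BinFileCacheList.txt", "/FileList.txt",
    "/PerfMon.txt", "/ParamList.txt", "/lddefault.cfg",
}
# Files the advisory names as targets of the traversal.
SENSITIVE_FILES = ("/etc/passwd", "platformConfig.xml")

# Common Log Format; assumed for this example, not CUCM's own log layout.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def classify(line):
    """Return the list of tags for one log line (empty list = nothing of note)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Decode twice so double-encoded sequences (%252e%252e) also normalise to "..".
    path = unquote(unquote(m.group("path"))).replace("\\", "/")
    tags = []
    if "../" in path or path.endswith("/.."):
        tags.append("traversal")
    if any(f in path for f in SENSITIVE_FILES):
        tags.append("sensitive-file")
    if path.split("?", 1)[0] in CTFTP_LEAK_PATHS:
        tags.append("ctftp-leak")
    return tags

def scan(log_text):
    """Return (client, tags) for every line that received at least one tag."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            hits.append((LOG_RE.match(line).group("client"), tags))
    return hits

# Constructed sample log; "/example-app" is a placeholder, not the real vulnerable path.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2011:10:00:01 +0100] "GET /ccmadmin/ HTTP/1.1" 200 512
10.0.0.9 - - [08/Nov/2011:10:00:02 +0100] "GET /example-app?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1044
10.0.0.9 - - [08/Nov/2011:10:00:03 +0100] "GET /example-app?file=%252e%252e/platformConfig.xml HTTP/1.1" 200 2200
10.0.0.9 - - [08/Nov/2011:10:00:04 +0100] "GET /ConfigFileCacheList.txt HTTP/1.1" 200 800
"""

if __name__ == "__main__":
    for client, tags in scan(SAMPLE_LOG):
        print(client, ",".join(tags))
```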
To decode the credentials of "ApplUserDbPwCrypt" from  
1. Search for "ParamValue" xml tag where the "ParamDefaultValue" is  
2. The value of "ParamValue" can then be decrypted by making use of  
AES128-CBC as follows:  
a) The first 16 bytes are used as IV  
b) The second 16 bytes are the encrypted password  
c) Initialize the cipher using the IV and key  
d) Decrypt the encrypted password  
Steps to reproduce the VLAN separation issue:  
1. Start sniffing using Wireshark on the computer connected to the PC  
2. Apply the Wireshark display filter "VLAN"; this will allow us to  
only see VLAN tagged packets  
3. Soft restart the Cisco phone by pressing on the settings button  
and then **#**  
4. Wireshark should start displaying broadcast packets from the voice  
VLAN for a 10 second period  
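The check behind step 4, as an added example that is not part of the advisory: the Python below parses raw Ethernet frames captured on the PC port, flags any frame carrying an 802.1Q tag for the voice VLAN, and measures how long after the reboot such frames kept appearing. The voice VLAN id (200), the frames and their timestamps are all constructed for the example.

```python
import struct

VOICE_VLAN_ID = 200  # constructed value: substitute the voice VLAN id configured on the switch

def parse_frame(frame):
    """Return (vlan_id, ethertype) for a raw Ethernet II frame; vlan_id is None when untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x8100:          # no 802.1Q tag present
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner       # low 12 bits of the TCI are the VLAN id

def voice_vlan_leaks(capture, voice_vlan=VOICE_VLAN_ID):
    """Timestamps of frames tagged with the voice VLAN; on the PC port any hit is a leak."""
    return [ts for ts, frame in capture if parse_frame(frame)[0] == voice_vlan]

def leak_window(capture, voice_vlan=VOICE_VLAN_ID):
    """Seconds between the first and last voice-VLAN frame seen (0.0 if none)."""
    hits = voice_vlan_leaks(capture, voice_vlan)
    return (max(hits) - min(hits)) if hits else 0.0

def make_frame(vlan=None, ethertype=0x0806):
    """Constructed frame: broadcast dst, dummy src, optional 802.1Q tag, zero payload."""
    hdr = b"\xff" * 6 + bytes.fromhex("001122334455")
    if vlan is None:
        return hdr + struct.pack("!H", ethertype) + bytes(46)
    tci = (5 << 13) | vlan           # PCP 5 (voice priority), DEI 0, VID
    return hdr + struct.pack("!HHH", 0x8100, tci, ethertype) + bytes(46)

# Constructed capture from the PC port: (seconds since the phone reboot, raw frame).
SAMPLE_CAPTURE = [
    (0.5, make_frame()),                           # untagged ARP, expected
    (1.2, make_frame(vlan=200)),                   # voice VLAN broadcast leaking through
    (4.0, make_frame(vlan=10)),                    # data VLAN tag, not the voice VLAN
    (9.8, make_frame(vlan=200, ethertype=0x0800)), # voice VLAN IP broadcast, still leaking
    (25.0, make_frame()),                          # phone finished booting, port clean again
]

if __name__ == "__main__":
    print("voice VLAN frames at", voice_vlan_leaks(SAMPLE_CAPTURE),
          "window %.1fs" % leak_window(SAMPLE_CAPTURE))
```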
Cisco Bug ID CSCth09343, see  
Cisco Bug ID CSCsy45946, status unknown.  
Cisco Bug ID CSCth06428, fixed.  
According to Cisco, the TFTP hardcoded file names are by design.  
According to Cisco, the hard phones work as designed.  
Found by Sandro Gauci (EnableSecurity) and Felix Lindner (Recurity  
Greets to Gaus and Cisco PSIRT.  
The information provided is released "as is" without warranty  
of any kind. The publisher disclaims all warranties, either express or  
implied, including all warranties of merchantability. No responsibility  
is taken for the correctness of this information.  
In no event shall the publisher be liable for any damages whatsoever  
including direct, indirect, incidental, consequential, loss of business  
profits or special damages, even if the publisher has been advised of  
the possibility of such damages.  
The contents of this advisory are copyright (c) 2011 Recurity Labs GmbH  
and may be distributed freely provided that no fee is charged for this  
distribution and proper credit is given.