Sonexis ConferenceManager Information Disclosure

Published: 14 Feb 2012 | Reported by: Netragard | Type: packetstorm | Source: packetstormsecurity.com

Sonexis ConferenceManager discloses sensitive credentials and allows unauthorized access to its database, leading to potential network compromise

Code

```text
  
Netragard Security Advisory - Sonexis ConferenceManager - 20120201  
  
[POSTING NOTICE]  
  
If you intend to post this advisory on your web page please create a  
link back  
to the original Netragard advisory as the contents of the advisory may  
change.  
  
For more information about Netragard visit:  
  
http://www.netragard.com  
  
[Advisory Information]  
  
Contact : [email protected]  
Advisory ID : NETRAGARD-20120201  
Researcher : Titon  
Product Name : Sonexis ConferenceManager  
Product Version : All Versions up to 10.x  
Vendor Name : Sonexis Technology, Inc.
Type of Vulnerability : Authorization Failure, Credential Leak  
Impact : Network Compromise / Critical  
Date Discovered : 01/25/2012  
Vendor Notified : 01/31/2012  
  
[Product Description]  
  
"ConferenceManager plugs right into your current networks, leveraging your  
existing investments -- no need for costly upgrades or new infrastructure.  
And, because you own your equipment, you can scale the number and size  
of your conferences without scaling your costs. Say goodbye to those  
pay-as-you go subscription costs and say hello to savings as high as 80%"  
  
Taken From: http://www.sonexis.com/products/index.asp  
  
[Technical Summary]  
  
| Vulnerability 1 |  
  
The Sonexis ConferenceManager publishes credentials (often domain
credentials) to a web page that is accessible without authentication. In
many cases these credentials can be used to access otherwise sensitive and
restricted resources that include but are not limited to sharepoint, vpn
services, etc.
  
| Vulnerability 2 |  
  
The Sonexis ConferenceManager database can be downloaded, modified,
and uploaded again by anyone. This can result in the theft of audio
recordings and potentially sensitive data as well as a compromise of
the system.
  
[Technical Details]  
  
The Sonexis ConferenceManager fails to properly check and enforce
authorization boundaries. Any user that can access the Sonexis
ConferenceManager's web interface can access the "settings.asp" page
without restriction or authentication. This page provides an attacker
with two opportunities which are:
  
| Vulnerability 1 |  
  
[1] The settings.asp page discloses sensitive credentials. These  
credentials vary between installs but seem to fall into three  
categories which are:  
  
- Domain Credentials (with or without admin privileges)
- System Credentials (local user)
- Not Yet Set (page not yet used?)
  
Netragard discovered this vulnerability during a customer
engagement. Netragard was able to use this vulnerability to
compromise the customer's entire IT infrastructure including
the Domain Controller.
  
[2] The settings.asp page allows anyone to download the entire  
Sonexis ConferenceManager SQL database without authentication.  
Once downloaded the attacker can modify the database and may  
be able to upload the modified database back to the Sonexis  
ConferenceManager.  
  
| Vulnerability 2 |  
  
[1] The download.asp page is accessible without authentication.  
This page allows anyone to download the contents of the  
Sonexis ConferenceManager database. The contents (shown in the  
exploitation section) include audio recordings, configuration  
settings, etc. The original file is a zip file that when  
decompressed produces multiple SQL files.  
  
[2] The upload.asp page is accessible without authentication.
This page allows anyone to upload a backed up version of the
Sonexis ConferenceManager database to the system. This can be
used to compromise the system if an attacker injects a backdoor
into the SQL database. Other attacks may be possible with the
upload feature.
  
NOTE: An attacker can use search engines like Google, Yahoo, Bing,
etc. to identify vulnerable Sonexis ConferenceManager systems. To
demonstrate this Netragard created a Proof of Concept Google
scanner and was able to identify the following ConferenceManager
versions, each of which is vulnerable. The scanner was limited
to 50 identifications.
  
Number Identified   Version   Vulnerable
-----------------   -------   ----------
2                   10.0.40   Yes
2                   6.1.39    Yes
1                   8.0.15    Yes
1                   9.1.18    Yes
5                   9.2.11    Yes
26                  9.3.14    Yes
  
[Proof Of Concept]  
  
Exploiting Vulnerability 1  
  
No exploit required. Simply open your favorite web browser and  
visit your Sonexis ConferenceManager web interface. Then append  
"/admin/backup/settings.asp" to the URI as shown below.  
  
http://<YOUR SONEXIS URL>/admin/backup/settings.asp  
  
To extract credentials view the source and search for the  
following text.  
  
INPUT TYPE="text" NAME="uid" value="XXXXX" <-- Username  
INPUT TYPE="PASSWORD" NAME="pwd" value="XXXXX" <-- Password  
  
|Exploiting Vulnerability 2, Download|  
  
No exploit or authentication is required to download or upload
the Sonexis ConferenceManager database. To download the db
you must first install samba. If you are using ubuntu this can
be done with a simple "apt-get install samba". Then configure
your "smb.conf" file in the following way:
  
(file is located here: "/etc/samba/smb.conf")  
  
[tmp]  
comment = tmp  
path = /tmp/smb  
browseable = yes  
read only = no  
guest ok = yes  
  
Once samba is configured the Sonexis ConferenceManager system
will allow you to download the database. To begin the download
visit the following URL: (No authentication is required)
  
http://<YOUR SONEXIS URL>/admin/backup/download.asp  
  
By default the SonexisConfig.dat file is a zip file. You can  
unzip the contents of the file and you will find the following  
files after extraction:  
  
communities.dat  
database.bak  
recorded_audio.dat <-- Potential confidential information  
telephony.dat  
timezone.dat  
uploadinfo.dat  
  
Loading these files into a Microsoft SQL database allows you  
to read, listen to, or otherwise view the contents.  
  
|Exploiting Vulnerability 2, Upload|  
  
It is also possible to upload a (modified) SonexisConfig.dat file  
without authentication. To do so, simply visit the following URL:  
  
http://<YOUR SONEXIS URL>/admin/backup/upload.asp  
  
  
[Vendor Status and Chronology]  
  
01/25/2012 - Vulnerability discovered during customer engagement  
01/26/2012 - Vulnerability confirmed on 9.3.14, 10.0.40  
01/31/2012 - Vendor Contacted but no information provided  
02/01/2012 - Vendor Responded  
02/02/2012 - Netragard identifies Sonexis Customers  
02/02/2012 - Netragard Pre-releases advisory to Sonexis customers  
02/06/2012 - Vendor Receives Full Details & Creates Fix  
02/07/2012 - Vendor Notifies Customers  
02/13/2012 - Publication  
  
More information on this can be found on Netragard's blog at:  
  
http://pentest.snosoft.com/2012/02/13/netragard-uncovers-0-days-in-sonexis-conferencemanager/  
  
[Solution]  
  
Apply the vendor supplied patch. Contact Sonexis for more information.  
  
  
```
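Added example, not part of the advisory or of the Sonexis product: a small detector that walks IIS W3C log lines and flags anonymous requests to the three backup pages named above that were answered with a 200, which on a patched server should instead be rejected. The log excerpt, the field layout, and the choice of RFC 1918 space as "internal" are assumptions made for this example.

```python
import ipaddress

# The three backup pages named in the advisory and what a hit on each implies.
WATCHED = {
    "/admin/backup/settings.asp": "credential disclosure (uid/pwd in page source)",
    "/admin/backup/download.asp": "database export pushed to an SMB share",
    "/admin/backup/upload.asp": "database import, possible tampering",
}

# Only RFC 1918 space counts as internal here (an assumption for this example).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed IIS W3C log excerpt (not real traffic); field order comes from #Fields.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2012-02-10 09:12:01 10.1.4.22 admin GET /admin/index.asp - 200
2012-02-10 09:14:37 203.0.113.45 - GET /admin/backup/settings.asp - 200
2012-02-10 09:15:02 203.0.113.45 - GET /admin/backup/download.asp - 200
2012-02-10 09:20:15 10.1.4.22 admin GET /admin/backup/settings.asp - 200
2012-02-10 09:22:48 198.51.100.7 - POST /admin/backup/upload.asp - 200
2012-02-10 09:30:00 198.51.100.7 - GET /admin/backup/settings.asp - 401
"""

def parse_w3c(text):
    """Yield one dict per data row of a W3C extended log, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_backup_hits(text):
    """Return (c-ip, uri, note) for anonymous hits on WATCHED pages that got a 200;
    a patched server answers such requests with 401/403, so a 200 is the signal."""
    hits = []
    for row in parse_w3c(text):
        uri = row["cs-uri-stem"].lower()
        if uri not in WATCHED or row["sc-status"] != "200":
            continue
        if row["cs-username"] != "-":
            continue  # authenticated admin session: expected use, not flagged
        src = ipaddress.ip_address(row["c-ip"])
        scope = "internal" if any(src in n for n in RFC1918) else "EXTERNAL"
        hits.append((row["c-ip"], uri, f"{scope}: {WATCHED[uri]}"))
    return hits
```

Running `find_backup_hits(SAMPLE_LOG)` returns three entries, all from non-RFC 1918 sources; the 401 and the authenticated admin hit are left alone.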
