VxWorks R5_0_31 Data Disclosure

`*Known Affected Versions: *R5_0_31 (Created March 1st, 2007)  
*Date Discovered: *November 13, 2012  
  
Obviously not anything new to get sensitive data out via the VxWorks remote  
debugger, but this seemed to warrant specific attention since it did allow  
for the disclosure of call logs and full access to all voice mails stored  
on the system. Vendor has stopped responding. There was some data around  
this system and the phones themselves for extracting configuration data  
released a while back but I have not found anything specific around the PBX  
switch out there.  
  
*Synopsis: *The 3Com NBX V3000 phone system firmware was found to have the  
VxWorks remote debug service documented at  
http://www.kb.cert.org/vuls/id/362332 enabled. This allows for remotely  
extracting the contents of device memory over the network. When parsing  
the contents of memory, it was discovered that the call logs for the system  
as well as URLs which linked to WAV files containing voice mails that were  
accessible with no authentication were stored within the extracted  
content.  
  
*Reported to Vendor: *December 23rd, 2012  
*Vendor Acknowledgement: *December 24th, 2012  
*Last Vendor Response: *January 16th, 2013 (No Resolution)  
  
Vulnerability Reproduction:  
  
1. Use the Metasploit VxWorks WDB Agent module (*  
auxiliary/admin/vxworks/wdbrpc_memory_dump)* to extract the contents of  
memory targeted at the IP of the PBX.  
  
2. Extract the strings from the dump file generated by Metasploit and grep  
for HTTP links containing port 8889 to obtain voice mail URLs, also grep  
for names/numbers etc. for sensitive data.  
`