NICE Recording eXpress 6.x Root Backdoor / XSS / Bypass

30 May 2014 · Reported by Johannes Greil · Source: packetstorm (packetstormsecurity.com)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1  
  
SEC Consult Vulnerability Lab Security Advisory < 20140528-0 >  
=======================================================================  
title: Root Backdoor & Unauthenticated access to voice recordings  
product: NICE Recording eXpress voice recording solution  
(formerly called Cybertech eXpress; Cybertech Myracle
may be affected too)
vulnerable version: 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.5.x  
fixed version: see section "Solution" and "Timeline" below  
impact: critical  
homepage: http://www.nice.com  
found: 2013-11-13  
by: Johannes Greil, Stefan Viehböck  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor & product description:  
=============================  
"NICE Systems (NASDAQ: NICE), is the worldwide leader of intent-based solutions  
that capture and analyze interactions and transactions, realize intent, and  
extract and leverage insights to deliver impact in real time."  
  
source: http://www.nice.com/company-overview  
  
  
"NICE provides Law Enforcement Agencies (LEAs) with mission-critical lawful  
interception (LI) solutions to support the fight against organized crime, drug  
trafficking and terrorist activities. NICE helps LEAs stay up-to-date with  
fast-paced technology developments. The solutions retrieve target location,  
relations and conversation content from any type of communication including  
fax, fixed and mobile telephony, and Internet applications, resulting in a  
multi-dimensional investigative picture. NICE solutions support the entire  
lawful interception cycle, from warrant initiation to court evidence  
presentation."  
  
source: http://www.nice.com/lea  
  
  
"NICE Recording eXpress is designed specifically for the audio recording needs  
of the small and medium sized Public Safety organisation. This advanced  
recording solution offers a comprehensive, advanced, easy-to-install and  
affordable platform built for the Public Safety environment and Command and  
Control operations delivering optimal recording functionality and quality  
management."  
  
Source:  
http://www.nice.com/sites/default/files/nicerecordingexpress050112.pdf.pdf.pdf  
  
  
Business recommendation:  
========================  
Attackers are able to completely compromise the voice recording / surveillance  
solution as they can gain access to the system and database level and listen to  
recorded calls without prior authentication.  
  
Furthermore, attackers would be able to use the voice recording server as a
jumphost for further attacks against the internal voice VLAN, depending on the
network setup.
  
It is highly recommended by SEC Consult not to use this software until a  
thorough security review has been performed by security professionals and all  
identified issues have been resolved.  
  
It is assumed that further critical vulnerabilities exist.  
  
  
Vulnerability overview/description:  
===================================  
Summary:  
1) root backdoor account  
(REC-5180 SR1093984 - subtask REC-5424)  
  
2) Unauthenticated access to sensitive files & voice recordings  
(REC-5179 SR1089608 - subtask REC-5417)  
  
3) Low-privileged users can access other voice recordings & Insufficient  
authorization  
(REC-5179 SR1089608 - subtask REC-5418)  
  
4) Unauthenticated access to functionality  
(REC-5179 SR1089608 - subtask REC-5419)  
  
5) Insufficient authorization of admin functions  
(REC-5179 SR1089608 - subtask REC-5420)  
  
6) Multiple cross site scripting issues  
(REC-5181 SR1093986 - subtask REC-5421)  
  
7) Multiple unauthenticated SQL injection issues  
(REC-5180 SR1093984 - subtask REC-5423)  
  
8) Insecure cookie handling  
(REC-5181 SR1093986 - subtask REC-5422)  
  
9) Violation of the least privilege principle - services run as SYSTEM
(no NICE subtask assigned)
  
The strings in parentheses after each vulnerability title are NICE's official
bug tracking numbers, which are also referenced in their release notes.
  
  
1) root backdoor account (REC-5180 SR1093984 - subtask REC-5424)  
- --------------------------------------------------------------------------  
The MySQL database table "usr" contains a "root" user with USRKEY / user id 1  
with administrative access rights. This user account does NOT show up within  
the "user administration" menu when logged in as administrator user account in  
the web interface. Hence the password can't be changed there.  
  
As a side note: the password hash of every user is embedded in the HTML source
code of the user administration menu.
  
  
2) Unauthenticated access to sensitive files & voice recordings (REC-5179  
SR1089608 - subtask REC-5417)  
- --------------------------------------------------------------------------  
For example, unauthenticated attackers are able to gain access to exported  
lists of user accounts that are being monitored/recorded. Attackers gain  
access to detailed information such as personal data like first/last name,  
email address and username/extension.  
  
Furthermore it is possible to gain _unauthenticated_ access to recorded voice
calls of other users. As soon as a user plays a recording via the integrated
media player of the web interface, the wave file is copied to a temporary
directory that the web server serves without authentication.
  
  
3) Low-privileged users can access other voice recordings & Insufficient  
authorization (REC-5179 SR1089608 - subtask REC-5418)  
- --------------------------------------------------------------------------  
Low-privileged / standard user accounts can not only access their own voice  
recordings within the web interface but also other users' calls simply by  
iterating an ID of the integrated media player HTTP requests.  
  
  
4) Unauthenticated access to functionality (REC-5179 SR1089608 - subtask  
REC-5419)  
- --------------------------------------------------------------------------  
There exist multiple ASP script files that can be accessed without  
authentication. Attackers are e.g. able to gain access to parts of the  
configuration and even call internal methods that may delete or update data.  
  
  
5) Insufficient authorization of admin functions (REC-5179 SR1089608 - subtask  
REC-5420)  
- --------------------------------------------------------------------------  
Certain ASP script files allow low-privileged user accounts access to  
administrative functions or functions where usually higher privileges are  
necessary.  
  
  
6) Multiple cross site scripting issues (REC-5181 SR1093986 - subtask REC-5421)  
- --------------------------------------------------------------------------  
NICE eXpress suffers from multiple cross-site scripting (reflected and  
permanent) vulnerabilities, which allow an attacker to steal other users'  
sessions, to impersonate other users and to gain unauthorized access to the  
web interface and audio recordings.  
  
  
7) Multiple unauthenticated SQL injection issues (REC-5180 SR1093984 - subtask  
REC-5423)  
- --------------------------------------------------------------------------  
The web application suffers from multiple SQL injection vulnerabilities that  
can be exploited without prior authentication!  
  
By exploiting this vulnerability, an attacker gains access to all records  
stored in the database with the privileges of the database user "recorder".  
  
As MySQL runs with the highest OS-level access rights (SYSTEM, see 9) and the
database user holds the MySQL FILE privilege, the injection can be used to write
files to the file system, e.g. into the webroot as shown in the proof of concept.
This enables further attacks leading to OS-level compromise.
  
Attackers are able to alter database contents and therefore potentially also  
alter checksums of recordings. Hence stored audio recordings could be replaced  
by altered ones!  
  
  
8) Insecure cookie handling (REC-5181 SR1093986 - subtask REC-5422)  
- --------------------------------------------------------------------------  
The "HttpOnly" cookie flag, introduced by Microsoft in Internet Explorer 6 SP1
and since supported by all major browsers, prevents JavaScript from reading a
cookie and thereby stops session cookies from being stolen through cross-site
scripting. The web application does not set this flag on its cookies (see the
proof of concept), so the XSS vulnerabilities in 6) can be used to steal users'
sessions directly. HttpOnly is a mitigation only: even with the flag set, an XSS
payload can still issue requests within the victim's session.
  
  
9) Violation of the least privilege principle - services run as SYSTEM (no NICE
subtask assigned)
- --------------------------------------------------------------------------
The system does not conform to the principle of least privilege. Nearly all
services run with the highest access rights ("SYSTEM") on the Windows operating
system, so an attacker who compromises any single component, e.g. via the SQL
injection in 7), immediately holds full control of the host instead of a
low-privileged foothold from which privileges would still have to be escalated.
  
  
  
Proof of concept:  
=================  
1) root backdoor account  
- --------------------------------------------------------------------------  
  
The password hash (salted - also see flaw #7) of the root user is:  
c00e6f05562f338a07eeac9a8ad1b7881d4a990b0b3ee2cf439ac0f55a818d2e  
  
The user does not show up within the admin web interface even when logged in  
as an administrator.  
  
  
2) Unauthenticated access to sensitive files & voice recordings  
- --------------------------------------------------------------------------  
The following URL shows a list of all accounts that are being monitored by  
NICE Recording eXpress and can be accessed by anyone without prior  
authentication. The list will be copied to the [removed] directory when a user  
with appropriate rights exports the user list within the web interface.  
  
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did  
not confirm that it was patched  
  
  
Furthermore, recorded calls made by other users are stored in certain
subdirectories of the [removed] directory. The wave files are copied there as
soon as a user listens to a recording through the web interface, because the
integrated media player fetches them via this URL.
  
Attackers are able to access those calls without prior authentication!  
  
  
3) Low-privileged users can access other voice recordings  
- --------------------------------------------------------------------------  
  
If a user clicks on one of his own recorded calls within the web application,
the integrated media player opens it. One of the following HTTP requests is
sent; it contains the parameter [removed]. The XML response includes the file
location / path of the recorded wave file and a flag indicating whether the
user has appropriate access rights.
  
The values of the [removed] parameter can easily be enumerated and the file  
location of other recordings will be shown. Those files can be accessed  
without authentication afterwards and without having to guess the file path  
location as this path is being provided.  
  
Request of own call recording:  
- ------------------------------  
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did  
not confirm that it was patched  
  
  
The XML elements [removed] and [removed] are interesting for the attacker.  
  
If an attacker enumerates the [removed] parameter, he receives the same XML
responses for other users' voice recordings, including their file location/path.
The [removed] XML attribute value may change to [removed] with the additional
error message "You're not authorized to play back this call" (element:
[removed]). However, this authorization result is only evaluated by the media
player on the client side; the server still discloses the path, and the attacker
can listen to the call via the [removed] path directly.
  
The [removed] XML element shows the path of the recording in the temp directory  
under [removed] which can then be accessed without authentication!  
  
It is assumed that further flaws exist within the media player functionality,  
but it has not been tested further during this short crash test.  
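To make the server-side mistake in 3) concrete, the following added example (written for this page, not code from the advisory or from NICE) models the recording lookup in JavaScript. The advisory redacts the real request parameter and XML element names, so "callId", "authorized", "path" and the recording data here are hypothetical and constructed; the response shape otherwise follows the behaviour described above: the vulnerable handler returns the file path for every id and merely flags whether the caller is authorized, while the hardened handler refuses before disclosing anything.

```javascript
// Added example, not part of the SEC Consult advisory: models the authorization
// flaw in 3) and the enumeration it enables. The advisory redacts the real
// parameter and XML element names, so "callId", "authorized" and "path" are
// HYPOTHETICAL, and the recording data below is constructed.

const RECORDINGS = new Map([
  [1001, { owner: "alice", path: "/tmp/rec/1001.wav" }],
  [1002, { owner: "bob",   path: "/tmp/rec/1002.wav" }],
  [1004, { owner: "carol", path: "/tmp/rec/1004.wav" }],
]);

// Vulnerable pattern described in the advisory: the server answers every lookup
// with the file location and only attaches a flag that the media player is
// expected to honour. The flag is advisory; the path is the secret.
function vulnerableLookup(user, callId) {
  const rec = RECORDINGS.get(callId);
  if (!rec) return { status: 404 };
  const authorized = rec.owner === user;
  return {
    status: 200,
    authorized,
    path: rec.path,
    message: authorized ? "" : "You're not authorized to play back this call",
  };
}

// Hardened pattern: the ownership check is enforced before anything is
// revealed, and non-owners get the same answer as callers of unknown ids.
function hardenedLookup(user, callId) {
  const rec = RECORDINGS.get(callId);
  if (!rec || rec.owner !== user) return { status: 403 };
  return { status: 200, path: rec.path };
}

// Simulates the attacker iterating the id parameter and keeping every path the
// server discloses, ignoring the flag exactly as a non-browser client would.
function enumeratePaths(lookup, user, from, to) {
  const disclosed = [];
  for (let id = from; id <= to; id++) {
    const res = lookup(user, id);
    if (res.status === 200 && res.path) disclosed.push(res.path);
  }
  return disclosed;
}

console.log("vulnerable:", enumeratePaths(vulnerableLookup, "alice", 1000, 1005));
console.log("hardened:  ", enumeratePaths(hardenedLookup, "alice", 1000, 1005));
```

Run with node. Fixing the lookup alone is not sufficient: as long as the temporary directory from 2) is served without authentication, a path learned by any other means still yields the recording, so the wave files themselves have to be delivered through an authenticated endpoint.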
  
  
4) Unauthenticated access to functionality  
- --------------------------------------------------------------------------  
  
As an example, the following URL can be called without authentication:  
  
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did  
not confirm that it was patched  
  
There exist many further scripts that can be accessed!  
  
  
5) Insufficient authorization of admin functions  
- --------------------------------------------------------------------------  
  
As an example, the following URLs can be accessed:  
  
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did  
not confirm that it was patched  
  
There exist many further scripts that can be accessed!  
  
  
6) Multiple cross site scripting issues  
- --------------------------------------------------------------------------  
  
The following URLs are examples for reflected XSS (list is not complete):  
http://$host/_ifr/iframe.picker.statchannels.asp?frame=%27%29};alert%280%29;{%28%27  
http://$host/_ifr/iframe.picker.channelgroups.asp?frame=%27%29};alert%280%29;{%28%27  
http://$host/_ifr/iframe.picker.extensions.asp?frame=%27%29};alert%280%29;{%28%27  
http://$host/_ifr/iframe.picker.licenseusergroups.asp?frame=%27%29};alert%280%29;{%28%27  
http://$host/_ifr/iframe.picker.licenseusers.asp?frame=%27%29};alert%280%29;{%28%27  
http://$host/_ifr/iframe.picker.lookup.asp?frame=%27%29};alert%280%29;{%28%27  
http://$host/_ifr/iframe.picker.marks.asp?frame=%27%29};alert%280%29;{%28%27  
  
Permanent XSS:  
http://$host/myaccount/mysettings.edit.validate.asp  
Parameter: USRLNM  
  
It is assumed that many further scripts are vulnerable to XSS!  
  
  
7) Multiple unauthenticated SQL injection issues  
- --------------------------------------------------------------------------  
  
The following sample request (no authentication needed!) will write the  
textfile "secconsult.txt" in the webroot including user account information  
such as password hashes.  
  
As a side note: all password hashes are SHA-256 digests computed with a single
hard-coded salt that is embedded in a pre-compiled DLL shipped with the web
application. As the salt is identical for every installation, an attacker who
extracts it once can precompute hashes that crack the accounts of any
installation, including the root account shown in 1).
The following python script demonstrates the algorithm:
  
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did  
not confirm that it was patched  
  
Further affected scripts (list not complete):  
[removed] PoC exploit has been removed as no patch exists for this flaw or NICE did  
not confirm that it was patched  
  
  
As MySQL runs with SYSTEM access rights, attackers exploiting the injection also
gain access to the file system with those privileges, also see vulnerability 9).
  
It is assumed that further SQL injection vulnerabilities exist!  
  
  
8) Insecure cookie handling  
- --------------------------------------------------------------------------  
  
The web application only sets the "secure" cookie flag, but not "HttpOnly".  
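As an added check for this page (not part of the advisory), the following JavaScript parses Set-Cookie header values and reports which of the two flags is absent. The three header values are constructed; the first reproduces the state reported above, Secure present and HttpOnly missing.

```javascript
// Added example, not part of the SEC Consult advisory: a small audit of
// Set-Cookie headers for the two flags discussed in 8). The header values are
// CONSTRUCTED; the first mirrors the reported state (Secure set, HttpOnly absent).

const SAMPLE_HEADERS = [
  "sid=3f9a1c; path=/; secure",                            // reported state
  "lang=en; path=/",                                       // neither flag
  "sid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Strict", // hardened
];

// Splits one Set-Cookie value into the cookie name and a map of its attributes.
// Attribute names are case-insensitive per RFC 6265, so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const name = parts[0].split("=")[0].trim();
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? true : part.slice(eq + 1).trim();
    attrs.set(key, value);
  }
  return { name, attrs };
}

// Reports which of the two protections a cookie lacks. Secure keeps the cookie
// off plaintext HTTP; HttpOnly keeps it out of reach of document.cookie, which
// is what turns the XSS flaws in 6) into session theft.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const missing = [];
  if (!attrs.has("secure")) missing.push("Secure");
  if (!attrs.has("httponly")) missing.push("HttpOnly");
  return { name, missing };
}

// Audits a list of headers; cookies with an empty "missing" list pass.
function auditAll(headers) {
  return headers.map(auditCookie);
}

console.log(auditAll(SAMPLE_HEADERS));
```

In a real assessment the input would be the Set-Cookie headers captured from the login response. The check is purely syntactic: it tells you the flag is missing, not whether the cookie is actually a session token, and a present HttpOnly flag still does not stop an XSS payload from acting within the victim's session.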
  
  
  
9) Violation of the least privilege principle - services run as SYSTEM
- --------------------------------------------------------------------------  
  
Nearly all CyberTech (NICE) services, including MySQL, run as local SYSTEM with
the highest privileges, such as [removed] and many more. SEC Consult did not
analyse those services; some of them have network listeners, and a successful
attack against any of them would lead to full system compromise.
  
  
  
Vulnerable / tested versions:  
=============================  
  
The vulnerabilities have been verified to exist in NICE Recording eXpress  
version 6.3.5.  
According to the release notes published by the vendor all previous releases  
are affected too.  
  
  
Vendor contact timeline:  
========================  
2013-12-13: Contacted vendor through [email protected] and given direct contact  
(Tier 2 Customer Support Team Lead NICE EMEA),  
including support ticket of customer, requesting encryption keys,  
attaching responsible disclosure policy  
2013-12-18: Reply from vendor, no encryption keys  
2013-12-18: Sending unencrypted security advisory to NICE & responsible  
disclosure policy again  
2014-01-08: Asking for status update  
2014-01-09: Receiving estimated patch dates for identified issues:  
* REC-5179 SR1089608: will be fixed by release CT6.5.6 31 Mar 2014  
* REC-5180 SR1093984: will be fixed by release CT6.5.6 31 Mar 2014  
* REC-5181 SR1093986: will be fixed by release CT6.5.5 28 Feb 2014  
2014-01-16: Receiving more detailed information regarding patch / release  
versions including subtask tracking numbers  
2014-02-05: Vendor gives status update, everything according to plan: "dates  
are valid"  
2014-02-25: Updates regarding advisory release date / coordination  
2014-03-05: Asking how customers are informed about the patches  
2014-03-07: Releases are provided in SDC portal & release notes  
2014-03-07: Asking about affected product names & versions ("NICE Recording  
eXpress" vs. "Cybertech eXpress" vs. "Cybertech Myracle")  
2014-03-07: Patch (6.5 PL5) released by vendor that fixes XSS (REC-5181 -  
REC-5421 SR-1093986) and insecure cookie handling (REC-5181 -  
REC-5422 SR-1093986)  
2014-04-03: Patch (6.5 PL6) released by vendor that fixes REC-5180 - REC-5424  
SR-1093984 (root backdoor)  
No mention of fix for SQL injection subtask REC-5423  
Delay for REC-5179 - will be fixed in next release  
2014-04-08: Vendor: "The last fix is planned for the end of April  
2014"  
2014-04-30: Asking for status update, asking again about product names  
2014-05-02: Vendor: "NICE bought various providers and [...] various names for  
the product", "Myracle is an older version", "NICE advises clients  
to upgrade their system no matter what"  
2014-05-07: Vendor information from development team:  
  
* REC-5180 SR1093984: "We couldn't make it last month. Need to  
schedule it in another patch level" (REC-5423)  
  
* REC-5179 SR1089608: "We worked on this item last month and it's  
partially fixed":  
- Patch NTR 6.5 PL7 solves part of subtask REC-5419  
(unauthenticated access to functionality)  
SEC Consult could not confirm whether REC-5419 was fixed,  
because release notes of PL7 do not contain any info on this  
- Subtask REC-5420: not fixed, need to reschedule (Insufficient  
authorization of admin functions)  
- Subtask REC-5417: not fixed, removing insecure functionality  
breaks backwards compatibility with other products,  
"We need to reconsider how to approach this big change in a  
structural way"  
  
2014-05-14: Setting deadline for advisory release 2014-05-28  
2014-05-23: Asking vendor for confirmation regarding unresolved issues  
2014-05-23: Warning local CERT (Austria & Germany) about upcoming release  
2014-05-27: Asking vendor again for confirmation of patched/unpatched flaws  
2014-05-27: Vendor contact reached out to R&D team, "According to the system  
the fix is to be released end of August this year, more info to  
follow once confirmed from R&D"  
Receiving new contact person from NICE  
2014-05-27: Telling vendor again about the release on 28th May, asking for  
patch confirmation  
2014-05-28: (no answer) SEC Consult releases security advisory  
  
  
Solution:  
=========  
Partial patches are available in the NICE Software Download Center according  
to the vendor:  
https://nice.subscribenet.com  
  
* Product Updates > NICE Recording (CyberTech) > Core Software NICE Recording  
> Recording R6  
  
  
SEC Consult urges all users of NICE Recording eXpress (or Cybertech eXpress)  
to upgrade to the latest version available immediately.  
  
As of 2014-05-28, the latest patch release is NTR 6.5 PL7.  
  
  
At least the following critical issues are _still unresolved_ and not patched or  
have not been confirmed by NICE to be patched:  
* REC-5417: Unauthenticated access to sensitive files & voice recordings  
* REC-5418: Low-privileged users can access other voice recordings &  
Insufficient authorization  
* REC-5419: Unauthenticated access to functionality  
* REC-5420: Insufficient authorization of admin functions  
* REC-5423: Multiple unauthenticated SQL injection issues  
  
The vendor has not confirmed until 2014-05-28 whether all other issues have  
been fixed entirely.  
  
  
Workaround:  
===========  
No workaround available.  
  
  
Advisory URL:  
=============  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
Interested in working with the experts of SEC Consult?  
Write to [email protected]  
  
EOF J. Greil / @2014  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2.0.22 (GNU/Linux)  
  
iQEcBAEBAgAGBQJThakrAAoJECyFJyAEdlkKjfkH/iUXfuUpDM2LwyadKU25WAAt  
UIdUGIJfpeBWJ3sDzRourVGvNfMG+HFTLPOZg8vA49kLILScj3dwz1xe3cr1mfvl  
c1JbEeJ2Im/+sJC+es8TGMqmSXj1bgr4Hew89rCjBNrh7OwrtU3bjr3XMmKjl3AW  
GzSa71CEPA3h7YnBNtuKlGxPNRRogh1RRXq93k92lv1NTox6PqQXq5/m97jp0vjH  
B1/0BAuiAowWnrTmgj+fgId5xixplUzOWVa0D070HSEjucvZHDujo8F7YyYwOW70  
A9l2y8LwiilrXEMvLtq1ox6Z9Yf7xWfN1HriLzH0zHX3Yzo2+6O/l/XwArcJZiE=  
=9uWa  
-----END PGP SIGNATURE-----  
  
  
