ACME-mitel.txt

2003-07-28T00:00:00
ID PACKETSTORM:31445
Type packetstorm
Reporter Acme
Modified 2003-07-28T00:00:00

Description

                                        
                                            `There is an interesting bug in a Mitel's servers for Voice over IP that allows to discover the numbers called and the numbers calling trought this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at moment of login/pass request, I've noted this:  
  
Trying 192.168.1.2...  
Connected to 192.168.1.2.  
Escape character is '^]'.   
  
Username: mitel-cs018  
Password:   
  
ERROR: Invalid Username/Password pair   
  
Username:  
Password:   
  
Username: ^X^W^E^Q^W  
Password:   
  
ERROR: Invalid Username/Password pair   
  
Username: Password:   
  
ERROR: Invalid Username/Password pair   
  
# in this moment a foreign call arrive from outside  
  
Username: 155 OGIN 149 11:11:55 D 2  
156 ICIN 11:12: 6 D 4 0xxxXxxxxx  
157 XFIC 156 11:12: 6 151 0: 9:47 D 3  
158 ICIN 11:12: 6 D 3 0xxxXxxxxx  
159 ANSW 146 11:12:11 0: 0: 9 D 4  
160 HDIN 146 11:12:21 D 4  
162 HREC 146 11:12:27 0: 0: 6 D 4  
163 ABND ? 11:12:37 0: 0:37 D 3 0xxxXxxxxx  
164 ICIN 11:12:43 D 3 0xxxXxxxxx  
165 EXIC 146 11:12:54 0: 0:47 D 4  
166 ANSW 146 11:13: 0 0: 0:16 D 3  
167 HDIN 146 11:13: 6 D 3  
169 EXIC 146 11:13:13 156 0: 0:12 D 3  
171 EXOG 149 11:13:46 0: 1:59 D 2 0xxXxxxxx  
172 XFIC 156 11:16:53 146 0: 3:40 D 3   
  
# where "0xxXxxxxx" are telephone numbers  
  
A derives table results is:  
  
SEQ CODE EXT ACC TIME RX TX DURATION LN DIALLED DIGITS COST  
No. No. COD HH:MM:SS FROM TO HH:MM:SS No.  
___ _____ ____ ____ ________ ____ ____ ____________ ______________ _______  
  
  
  
So, it's too easy to know the telephonic's "movement" inside a lan that use this fucked system of VoIP.  
  
  
(an italian version of this advisory is available on olografix.org/acme/mitel.txt)  
  
  
  
  
acme  
  
acme@paranoici DOT org  
acme@olografix DOT org  
`