Matta Consulting - Matta Advisory http://www.trustmatta.com
Cisco Unified Videoconferencing multiple vulnerabilities
Advisory ID: MATTA-2010-001 CVE reference: CVE-2010-3037 CVE-2010-3038 Affected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545, 5110,5115 Systems and unspecified Radvision systems Version: 22.214.171.124.3 at least and more likely all Date: 2010-August-03 Security risk: Critical Exploitable from: Remote Vulnerability: Multiple vulnerabilities Researcher: Florent Daigniere Vendor Status: Notified, working on a patch Vulnerability Disclosure Policy: http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt Permanent URL: http://www.trustmatta.com/advisories/MATTA-2010-001.txt
During an external pentest exercise for one of our clients, multiple vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 which allowed us to ultimately gain access to the internal network.
Three accounts have a login shell and a password the administrator can neither disable nor change. The affected accounts are "root", "cs" and "develop". Matta didn't spend the CPU cycles required to get those passwords but will provide the salted hashes to interested parties. The credentials can be used against both the FTP and the SSH daemon running on the device.
There is an FTP daemon (vsftpd) running but no mention in the documentation of what it might be useful for. User credentials created from the web-interface allow to explore the filesystem/firmware of the device.
The file /etc/shadow has read permissions for all.
The ssh daemon (openssh) has a non-default but curious configuration. It allows port-forwarding and socks proxies to be created, X11 to be forwarded... even with the restricted shells.
The daemon binding the port of the web-interface is running as root.
Session IDs are timestamps of when the user logged-in and are trivial to forge. There are numerous ways of remotely gathering the remote time and uptime, the easiest being to ask over RPC... Assuming that a user or an administrator logged into the device shortly after it was powered up, and that the network connectivity is fast, it is practical to bruteforce a valid session id.
Using this vulnerability, a non-authenticated attacker can authenticate.
Credentials to access the web interface are stored in base64 format in the cookie sent by the browser. Over http in default configuration. While users are not expected to reuse their credentials, in practice they do; this is an information-disclosure bug.
The script at /goform/websXMLAdminRequestCgi.cgi is vulnerable to remote command injection (post authentication). Many parameters can be abused, including but not limited to the "username" field. Obviously, as the webserver is running as root, it can lead to complete compromise of the device.
The configuration file /opt/rv/Versions/CurrentVersion/Mcu/Config/Mcu.val contains obfuscated passwords which are trivial to reveal. This is an information-disclosure bug. Best practices recommend using PBKDF2 to store passwords.
If successful, a malicious third party can get full control of the device and harvest user passwords with little to no effort. The Attacker might reposition and launch an attack against other parts of the target infrastructure from there.
===================================================================== Versions affected:
Firmware version 126.96.36.199.3 tested. All deployed versions are probably vulnerable.
===================================================================== Threat mitigation
Until a patch is issued by the vendor, Matta recommends you unplug the device from its network socket.
===================================================================== Base64 encoded decryption script for the credentials:
IyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw LUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm dXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu c2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu LlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h IDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ CWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg bD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7 OwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj ZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9 bCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK CQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp IGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg OzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ ZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs PXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7 CgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5 NCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9 NSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK CQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg==
This vulnerability was discovered and researched by Florent Daigniere from Matta Consulting.
Thank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the coordination effort.
30-07-10 initial discovery 05-08-10 our client has mitigated the risk for his infrastructure ... 23-08-10 initial attempt to contact the vendor 23-08-10 sent pre-advisory to the vendor PSIRT on firstname.lastname@example.org using PGP id 0xCF14FEE0 23-08-10 reply from the vendor, case PSIRT-0217563645 is open ... 21-09-10 agreement on the public disclosure date ... 08-11-10 planned disclosure date (missed), CVE assignments ... 17-11-10 public disclosure
===================================================================== About Matta
Matta is a privately held company with Headquarters in London, and a European office in Amsterdam. Established in 2001, Matta operates in Europe, Asia, the Middle East and North America using a respected team of senior consultants. Matta is an accredited provider of Tigerscheme training; conducts regular research and is the developer behind the webcheck application scanner, and colossus network scanner.
http://www.trustmatta.com http://www.trustmatta.com/webapp_va.html http://www.trustmatta.com/network_va.html
===================================================================== Disclaimer and Copyright
Copyright (c) 2010 Matta Consulting Limited. All rights reserved. This advisory may be distributed as long as its distribution is free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without warranty of any kind. Matta Consulting disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Matta Consulting or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Matta Consulting or its suppliers have been advised of the possibility of such damages.