Recurity Labs GmbH http://www.recurity-labs.com email@example.com Date: 08.11.2011
Vendor: Cisco Systems Product: CUCM Environment Cisco Unified Communications Manager (CallManager) Cisco IP Phone CP-7975G Vulnerability: Directory Traversal Reversible Obfuscation Algorithm SCCP service security issues CTFTP Information Leaks Voice VLAN Separation Activated Late Affected Releases: 7.0, 8.0(2) Severity: HIGH
Vendor communication: 25.05.2010 Initial notification to PSIRT 25.05.2010 PSIRT acknowledges the report 25.05.2010 Various acknowledgements from Cisco, some issues are apparently already know. 28.05.2010 PSIRT still works on evaluations. 17.06.2010 PSIRT updates on the issues reported 03.02.2011 Requesting update from PSIRT 04.02.2011 Response that the case handler has left PSIRT 28.03.2011 A personal meeting during BlackHat Europe had effects, new case handler reports the directory traversal issue being fixed. 11.10.2011 Checking back with PSIRT and providing draft advisory 11.10.2011 Latest status updates on two issues and agreement on 2011-10-26 coordinated release 26.10.2011 Cisco releases cisco-sa-20111026-cucm 08.11.2011 Release
Overview: Product is Unified Communications solutions from Cisco Systems. From the Web Site:
"Cisco Unified Communications Manager is an enterprise-class IP communications processing system for up to 40,000 users, extensible to 80,000 users by way of a megacluster."
There is a remotely exploitable directory traversal vulnerability in CUCM that allows attackers to read internal files available to the Tomcat user. By design, this user has access to various sensitive files. Therefore this vulnerability can be abused to lead to a full system compromise of the CUCM system.
The vulnerability can be triggered before authentication.
Other vulnerabilities and issues are documented within this advisory as well.
The directory traversal vulnerability can be triggered from the following location:
Reversible Obfuscation Algorithm:
The file platformConfig.xml is used to store various configuration parameters which are used by the CUCM system. This includes network configuration as well as "encrypted" passwords. The passwords are encrypted using keys that are hardcoded within the system.
SCCP service security issues
When one sends a RegisterMessage SCCP message with a malformed "DeviceName" containing a single quote, it appears that one can inject SQL commands. Additionally, while handling the malformed "DeviceName", when certain characters are processed by the ODBC driver, the driver crashes on a memcpy().
CTFTP Information Leaks:
The CTFTP service is a custom HTTP server that listens on port 6970. The following hardcoded paths can be used to disclose information about the CUCM configuration:
- TFTP file list /ConfigFileCacheList.txt including phone configuration filename (which may contain passwords) - Other interesting locations /BinFileCacheList.txt, /FileList.txt, /PerfMon.txt, /ParamList.txt, /lddefault.cfg
Voice VLAN Separation Activated Late:
The Cisco phones have a port for connecting the PC that should not pass voice VLAN tagged packets. When the phone is properly configured it will only pass the correct packets to the PC port. It was however observed that during boot, an attacker has a time window of roughly 10 seconds where they can make receive and send voice VLAN tagged packets. This means that during that time, an attacker can gain access to the Voice VLAN without making any physical network changes (i.e. No need to disconnect the phone).
Note that this has been tested on CP-7975G with an SCCP firmware
Examples: Typical example is to read /etc/passwd:
In this case we can read more useful files such as platformConfig.xml which contains obfuscated administrative passwords:
Attackers can then login to the administrative Web interface by using the decoded credentials from this file.
To decode the credentials of "ApplUserDbPwCrypt" from platformConfig.xml: 1. Search for "ParamValue" xml tag where the "ParamDefaultValue" is "password". 2. The value of "ParamValue" can then be decrypted by making use of AES128-CBC as follows: a) The first 16 bytes are used as IV b) The second 16 bytes are the encrypted password c) Initialize the cipher using the IV and key "smetsysocsicni" d) Decrypt the encrypted password
Steps to reproduce the VLAN separation issue: 1. Start sniffing using Wireshark on the computer connected to the PC port 2. Apply the Wireshark display filter "VLAN" ; this will allow us to only see VLAN tagged packets 3. Soft restart the Cisco phone by pressing on the settings button and then # 4. Wireshark should start displaying broadcast packets from the voice VLAN for a 10 second period
Solution: Cisco Bug ID CSCth09343, see See http://www.cisco.com/warp/public/707/cisco-sa-20111026-cucm.shtml
Cisco Bug ID CSCsy45946, status unknown.
Cisco Bug ID CSCth06428, fixed.
According to Cisco, the TFTP hardcoded file names are by design.
According to Cisco, the hard phones work as designed.
Credit: Found by Sandro Gauci (EnableSecurity) and Felix Lindner (Recurity Labs)
Greets to Gaus and Cisco PSIRT.
The information provided is released "as is" without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.
The contents of this advisory are copyright (c) 2011 Recurity Labs GmbH and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.