{"id": "1337DAY-ID-35384", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Mitel mitel-cs018 - Call Data Information Disclosure Vulnerability", "description": "", "published": "2020-12-02T00:00:00", "modified": "2020-12-02T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35384", "reporter": "Andrea Intilangelo", "references": [], "cvelist": ["CVE-2021-3394"], "immutableFields": [], "lastseen": "2021-12-18T03:36:41", "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-3394"]}, {"type": "exploitdb", "idList": ["EDB-ID:49530"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161334"]}], "rev": 4}, "score": {"value": 5.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-3394"]}, {"type": "exploitdb", "idList": ["EDB-ID:49530"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161334"]}, {"type": "threatpost", "idList": ["THREATPOST:5D5241707AB76ED799696E37D048872A", 
"THREATPOST:7876640D5EC3E8FE3FE885606BBB1C6D"]}]}, "exploitation": null, "vulnersScore": 5.6}, "sourceHref": "https://0day.today/exploit/35384", "sourceData": "# Exploit Title: Mitel mitel-cs018 - Call Data Information Disclosure\n# Exploit Author: Andrea Intilangelo (acme olografix / paranoici)\n# Vendor Homepage: www.mitel.com\n# Version: mitel-cs018\n# Tested on: Windows, Linux\n\nThere is an interesting bug in Mitel's servers for Voice over IP that allows discovering the numbers called and the numbers calling through this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at the moment of the login/pass request, I've noted this:\n\nTrying 192.168.1.2...\nConnected to 192.168.1.2.\nEscape character is '^]'. \nUsername: mitel-cs018\nPassword: \nERROR: Invalid Username/Password pair \nUsername:\nPassword: \nUsername: ^X^W^E^Q^W\nPassword: \nERROR: Invalid Username/Password pair \nUsername: Password: \nERROR: Invalid Username/Password pair \n# at this moment a foreign call arrives from outside\nUsername: 155 OGIN 149 11:11:55 D 2\n156 ICIN 11:12: 6 D 4 0xxxXxxxxx\n157 XFIC 156 11:12: 6 151 0: 9:47 D 3\n158 ICIN 11:12: 6 D 3 0xxxXxxxxx\n159 ANSW 146 11:12:11 0: 0: 9 D 4\n160 HDIN 146 11:12:21 D 4\n162 HREC 146 11:12:27 0: 0: 6 D 4\n163 ABND ? 11:12:37 0: 0:37 D 3 0xxxXxxxxx\n164 ICIN 11:12:43 D 3 0xxxXxxxxx\n165 EXIC 146 11:12:54 0: 0:47 D 4\n166 ANSW 146 11:13: 0 0: 0:16 D 3\n167 HDIN 146 11:13: 6 D 3\n169 EXIC 146 11:13:13 156 0: 0:12 D 3\n171 EXOG 149 11:13:46 0: 1:59 D 2 0xxXxxxxx\n172 XFIC 156 11:16:53 146 0: 3:40 D 3 \n# where \"0xxXxxxxx\" are telephone numbers\nA derived table result is:\nSEQ CODE EXT ACC TIME RX TX DURATION LN DIALLED DIGITS COST\nNo. No. COD HH:MM:SS FROM TO HH:MM:SS No.\n___ _____ ____ ____ ________ ____ ____ ____________ ______________ _______\n", "category": "remote exploits", "verified": true, "_state": {"dependencies": 1647589307, "score": 0}}
{"cve": [{"lastseen": "2022-03-23T18:39:21", "description": "Millennium Millewin (also known as \"Cartella clinica\") 13.39.028, 13.39.28.3342, and 13.39.146.1 has insecure folder permissions allowing a malicious user for a local privilege escalation.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T15:15:00", "type": "cve", "title": "CVE-2021-3394", "cwe": ["CWE-276"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3394"], "modified": "2021-02-11T03:51:00", "cpe": ["cpe:/a:millewin:millewin:13.39.146.1", "cpe:/a:millewin:millewin:13.39.28.3342", "cpe:/a:millewin:millewin:13.39.028"], "id": "CVE-2021-3394", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3394", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:millewin:millewin:13.39.028:*:*:*:*:*:*:*", "cpe:2.3:a:millewin:millewin:13.39.28.3342:*:*:*:*:*:*:*", "cpe:2.3:a:millewin:millewin:13.39.146.1:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2021-02-08T17:17:46", "description": "", "published": "2021-02-08T00:00:00", "type": "packetstorm", "title": "Millewin 13.39.028 
Unquoted Service Path / Insecure Permissions", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3394"], "modified": "2021-02-08T00:00:00", "id": "PACKETSTORM:161334", "href": "https://packetstormsecurity.com/files/161334/Millewin-13.39.028-Unquoted-Service-Path-Insecure-Permissions.html", "sourceData": "`# Exploit Title: Millewin - Local Privilege Escalation \n# Date: 2021-02-07 \n# Author: Andrea Intilangelo \n# Vendor Homepage: https://www.millewin.it \n# Software Homepage: https://www.millewin.it/index.php/prodotti/millewin \n# Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe \n# Version: 13.39.028 \u2013 146.1.9 \n# Tested on: Microsoft Windows 10 Enterprise x64 \n# CVE: CVE-2021-3394 \n \nMillennium Millewin also known as \"Cartella clinica\" \n \nVendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a. \n \nAffected version: 13.39.028 \n13.39.28.3342 \n13.39.146.1 \n- \n \nSummary (from online translator): \nMillewin represents the Professional Solution par excellence, recognized and supported by over 18,000 doctors. Millewin is able to guarantee ideal management \nof the patient's medical records, it also adheres perfectly to the most recent requirements of the General Practitioner and, thanks to the latest functional \ninnovations, it assists the doctor in the diagnosis and management of therapy. It can be used, at no additional cost, for group medicine and at the secretarial \nstation. Millewin is integrated with all Regional and Corporate Projects. Millewin modules: ACN, MilleDSS, MilleAIR, Redazione e invio fatture, MilleBook. \n \nVuln desc: \nThe application is prone to insecure permissions in its folders that allow unprivileged user complete control. An attacker can exploit the vulnerability by \narbitrarily replacing file(s) invoked by service(s) or startup regkey (waiting logon from privileged user) impacted. File(s) will be executed with SYSTEM privileges. 
\n \nThe application is subject to an insecure folder permissions issue impacting the services 'MillewinTaskService' and 'PDS Server' for Windows deployed as part of \nMillewin suite (Cartella clinica) software application, and the registry runkey responsible to start update (MilleUpdater) task. \nThis allows an authorized but non-privileged local or remote user to execute arbitrary code with elevated privileges on the system. An attacker can easily take \nadvantage of the flaw by arbitrarily replacing the impacted file(s) that will be executed during application startup or reboot, as well as on a privileged account \nlogon. If successful, the malicious file(s) would execute with elevated privileges. \n \nThe application also suffers from unquoted service path issues. \n \n \n(1) Impacted executable on startup by regkey. \nAny low privileged user can elevate their privileges abusing this scenario: \n \nComputer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \nValue name: MilleLiveUpdate \nValue data: \"C:\\Program Files (x86)\\Millewin\\MilleUpdater\\MilleUpdater.exe\" \n \n \n(2) Impacted services. 
\nAny low privileged user can elevate their privileges abusing any of these (also unquoted) services: \n \nMillewin, operazioni pianificate MillewinTaskService C:\\Program Files (x86)\\Millewin\\GestioneTaskService.exe Auto \nPDS Server PDS Server C:\\Program Files (x86)\\Millewin\\WatchDogService.exe Auto \n \nDetails: \n \nNOME_SERVIZIO: Millewintaskservice \nTIPO : 10 WIN32_OWN_PROCESS \nTIPO_AVVIO : 2 AUTO_START \nCONTROLLO_ERRORE : 1 NORMAL \nNOME_PERCORSO_BINARIO : C:\\Program Files (x86)\\Millewin\\GestioneTaskService.exe \nGRUPPO_ORDINE_CARICAMENTO : \nTAG : 0 \nNOME_VISUALIZZATO : Millewin, operazioni pianificate \nDIPENDENZE : \nSERVICE_START_NAME : LocalSystem \n \nNOME_SERVIZIO: PDSserver \nTIPO : 10 WIN32_OWN_PROCESS \nTIPO_AVVIO : 2 AUTO_START \nCONTROLLO_ERRORE : 1 NORMAL \nNOME_PERCORSO_BINARIO : C:\\Program Files (x86)\\Millewin\\WatchDogService.exe \nGRUPPO_ORDINE_CARICAMENTO : \nTAG : 0 \nNOME_VISUALIZZATO : PDS Server \nDIPENDENZE : \nSERVICE_START_NAME : LocalSystem \n \n \n(3) Folder permissions. \nInsecure folders permissions issue: \n \nC:\\Program Files (x86)\\Millewin \nBUILTIN\\Users:(OI)(CI)(F) \nEveryone:(OI)(CI)(F) \nNT SERVICE\\TrustedInstaller:(I)(F) \nNT SERVICE\\TrustedInstaller:(I)(CI)(IO)(F) \nNT AUTHORITY\\SYSTEM:(I)(F) \nNT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F) \nBUILTIN\\Administrators:(I)(F) \nBUILTIN\\Administrators:(I)(OI)(CI)(IO)(F) \nBUILTIN\\Users:(I)(RX) \nBUILTIN\\Users:(OI)(CI)(IO)(ID)(accesso speciale:) \nGENERIC_READ \nGENERIC_EXECUTE \n...[SNIP]... \n \nC:\\Program Files (x86)\\Millewin\\MilleUpdater \nBUILTIN\\Users:(OI)(CI)(ID)F \nEveryone:(OI)(CI)(ID)F \nNT SERVICE\\TrustedInstaller:(ID)F \nNT SERVICE\\TrustedInstaller:(CI)(IO)(ID)F \nNT AUTHORITY\\SYSTEM:(ID)F \nNT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(ID)F \nBUILTIN\\Administrators:(ID)F \nBUILTIN\\Administrators:(OI)(CI)(IO)(ID)F \nBUILTIN\\Users:(OI)(CI)(IO)(ID)(accesso speciale:) \nGENERIC_READ \nGENERIC_EXECUTE \n...[SNIP]... 
\n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161334/millewin1339028-escalate.txt"}], "exploitdb": [{"lastseen": "2022-01-13T05:29:39", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-08T00:00:00", "type": "exploitdb", "title": "Millewin 13.39.146.1 - Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3394", "2021-3394"], "modified": "2021-02-08T00:00:00", "id": "EDB-ID:49530", "href": "https://www.exploit-db.com/exploits/49530", "sourceData": "# Exploit Title: Millewin 13.39.146.1 - Local Privilege Escalation\r\n# Date: 2021-02-07\r\n# Author: Andrea Intilangelo\r\n# Vendor Homepage: https://www.millewin.it\r\n# Software Homepage: https://www.millewin.it/index.php/prodotti/millewin \r\n# Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe\r\n# Version: 13.39.028 \u2013 146.1.9\r\n# Tested on: Microsoft Windows 10 Enterprise x64\r\n# CVE: CVE-2021-3394\r\n\r\nMillennium Millewin also known as \"Cartella clinica\"\r\n\r\nVendor: 
Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.\r\n\r\nAffected version: 13.39.028\r\n 13.39.28.3342\r\n 13.39.146.1\r\n -\r\n\r\nSummary (from online translator): \r\nMillewin represents the Professional Solution par excellence, recognized and supported by over 18,000 doctors. Millewin is able to guarantee ideal management\r\nof the patient's medical records, it also adheres perfectly to the most recent requirements of the General Practitioner and, thanks to the latest functional\r\ninnovations, it assists the doctor in the diagnosis and management of therapy. It can be used, at no additional cost, for group medicine and at the secretarial\r\nstation. Millewin is integrated with all Regional and Corporate Projects. Millewin modules: ACN, MilleDSS, MilleAIR, Redazione e invio fatture, MilleBook.\r\n\r\nVuln desc: \r\nThe application is prone to insecure permissions in its folders that allow an unprivileged user complete control. An attacker can exploit the vulnerability by\r\narbitrarily replacing file(s) invoked by service(s)/startup regkey impacted. File(s) will be executed with SYSTEM privileges. \r\n\r\nThe application is subject to an insecure folder permissions issue impacting the services 'MillewinTaskService' and 'PDS Server' for Windows deployed as part of\r\nMillewin suite (Cartella clinica) software application, and the registry runkey responsible to start update (MilleUpdater) task. \r\nThis allows an authorized but non-privileged local or remote user to execute arbitrary code with elevated privileges on the system. An attacker can easily take\r\nadvantage of the flaw by arbitrarily replacing the impacted file(s) that will be executed during application startup or reboot. 
If successful, the malicious file(s)\r\nwould execute with the elevated privileges of the application.\r\n\r\nThe application also suffers from unquoted service path issues.\r\n\r\n\r\n(1) Impacted executable on startup by regkey.\r\nAny low privileged user can elevate their privileges abusing this scenario:\r\n\r\nComputer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name:\tMilleLiveUpdate\r\nValue data:\t\"C:\\Program Files (x86)\\Millewin\\MilleUpdater\\MilleUpdater.exe\"\r\n\r\n\r\n(2) Impacted services.\r\nAny low privileged user can elevate their privileges abusing any of these (also unquoted) services:\r\n\r\nMillewin, operazioni pianificate MillewinTaskService C:\\Program Files (x86)\\Millewin\\GestioneTaskService.exe Auto\r\nPDS Server PDS Server C:\\Program Files (x86)\\Millewin\\WatchDogService.exe Auto\r\n\r\n\tDetails:\r\n\t\r\nNOME_SERVIZIO: Millewintaskservice\r\n TIPO : 10 WIN32_OWN_PROCESS\r\n TIPO_AVVIO : 2 AUTO_START\r\n CONTROLLO_ERRORE : 1 NORMAL\r\n NOME_PERCORSO_BINARIO : C:\\Program Files (x86)\\Millewin\\GestioneTaskService.exe\r\n GRUPPO_ORDINE_CARICAMENTO :\r\n TAG : 0\r\n NOME_VISUALIZZATO : Millewin, operazioni pianificate\r\n DIPENDENZE :\r\n SERVICE_START_NAME : LocalSystem\r\n\r\nNOME_SERVIZIO: PDSserver\r\n TIPO : 10 WIN32_OWN_PROCESS\r\n TIPO_AVVIO : 2 AUTO_START\r\n CONTROLLO_ERRORE : 1 NORMAL\r\n NOME_PERCORSO_BINARIO : C:\\Program Files (x86)\\Millewin\\WatchDogService.exe\r\n GRUPPO_ORDINE_CARICAMENTO :\r\n TAG : 0\r\n NOME_VISUALIZZATO : PDS Server\r\n DIPENDENZE :\r\n SERVICE_START_NAME : LocalSystem\r\n\r\n\r\n(3) Folder permissions.\r\nInsecure folders permissions issue:\r\n\r\nC:\\Program Files (x86)\\Millewin \r\n BUILTIN\\Users:(OI)(CI)(F)\r\n Everyone:(OI)(CI)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(CI)(IO)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Administrators:(I)(F)\r\n 
BUILTIN\\Administrators:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Users:(I)(RX)\r\n\t\t\t\t\t\t\t\tBUILTIN\\Users:(OI)(CI)(IO)(ID)(accesso speciale:)\r\n GENERIC_READ\r\n GENERIC_EXECUTE\r\n ...[SNIP]...\r\n\r\nC:\\Program Files (x86)\\Millewin\\MilleUpdater \r\n BUILTIN\\Users:(OI)(CI)(ID)F\r\n\t\t\t\t\t\t\t\t\t\t\t Everyone:(OI)(CI)(ID)F\r\n NT SERVICE\\TrustedInstaller:(ID)F\r\n NT SERVICE\\TrustedInstaller:(CI)(IO)(ID)F\r\n NT AUTHORITY\\SYSTEM:(ID)F\r\n NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(ID)F\r\n BUILTIN\\Administrators:(ID)F\r\n BUILTIN\\Administrators:(OI)(CI)(IO)(ID)F\r\n BUILTIN\\Users:(OI)(CI)(IO)(ID)(accesso speciale:)\r\n GENERIC_READ\r\n GENERIC_EXECUTE\r\n ...[SNIP]...", "sourceHref": "https://www.exploit-db.com/download/49530", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}