Cisco CUCM Multiple Vulnerabilities

Summary

Cisco UCM is prone to a directory traversal vulnerability, a reversible password obfuscation algorithm, SCCP service security issues, CTFTP information leaks, and a voice VLAN separation that is activated late during phone boot.

Credit:

The information has been provided by Sandro Gauci and Felix Lindner.


Details

Vulnerable Systems:
 * Cisco Unified Communications Manager (CallManager) 7.0
 * Cisco IP Phone CP-7975G 8.0(2)

There is a remotely exploitable directory traversal vulnerability in CUCM that allows attackers to read internal files available to the Tomcat user. By design, this user has access to various sensitive files. Therefore this vulnerability can be abused to achieve a full system compromise of the CUCM system. The vulnerability can be triggered before authentication. Other vulnerabilities and issues are documented within this advisory as well.

Description:
Directory Traversal:

The directory traversal vulnerability can be triggered from the following location:

http://[cucm]:8080/ccmivr/IVRGetAudioFile.do?file=[filename]

Reversible Obfuscation Algorithm:

The file platformConfig.xml is used to store various configuration parameters which are used by the CUCM system. This includes network configuration as well as ‘encrypted’ passwords. The passwords are encrypted using keys that are hardcoded within the system.

SCCP service security issues

When one sends a RegisterMessage SCCP message with a malformed ‘DeviceName’ containing a single quote, it appears that one can inject SQL commands. Additionally, while handling the malformed ‘DeviceName’, when certain characters are processed by the ODBC driver, the driver crashes on a memcpy().

CTFTP Information Leaks:

The CTFTP service is a custom HTTP server that listens on port 6970. The following hardcoded paths can be used to disclose information about the CUCM configuration:
– TFTP file list /ConfigFileCacheList.txt including phone configuration filenames (which may contain passwords)
– Other interesting locations: /BinFileCacheList.txt, /FileList.txt, /PerfMon.txt, /ParamList.txt, /lddefault.cfg

Voice VLAN Separation Activated Late:

The Cisco phones have a port for connecting a PC that should not pass voice VLAN tagged packets. When the phone is properly configured it will only pass the correct packets to the PC port. It was however observed that during boot, an attacker has a time window of roughly 10 seconds in which they can receive and send voice VLAN tagged packets. This means that during that time, an attacker can gain access to the voice VLAN without making any physical network changes (i.e. no need to disconnect the phone).

Note that this has been tested on a CP-7975G with SCCP firmware.

Examples:
A typical example is to read /etc/passwd:

http://[cucm]:8080/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd

More useful files can be read the same way, such as platformConfig.xml, which contains obfuscated administrative passwords:

http://[cucm]:8080/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../usr/local/platform/conf/platformConfig.xml

Attackers can then log in to the administrative web interface by using the decoded credentials from this file.
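Since the traversal is triggered before authentication, the web server access log is the place to look for exploitation attempts. The following detection logic is an added example and is not part of the advisory: it parses Common Log Format lines (the sample lines, hosts and timestamps are constructed) and flags requests to IVRGetAudioFile.do whose file parameter still contains a parent-directory step after URL decoding.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path of the vulnerable CUCM servlet named in the advisory.
VULN_PATH = "/ccmivr/IVRGetAudioFile.do"

# Constructed sample access-log lines (Common Log Format); addresses and times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Oct/2011:10:00:01 +0000] "GET /ccmivr/IVRGetAudioFile.do?file=welcome.wav HTTP/1.1" 200 5120
10.0.0.9 - - [26/Oct/2011:10:00:07 +0000] "GET /ccmivr/IVRGetAudioFile.do?file=../../../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [26/Oct/2011:10:00:09 +0000] "GET /ccmivr/IVRGetAudioFile.do?file=..%2f..%2f..%2fusr/local/platform/conf/platformConfig.xml HTTP/1.1" 200 9912
10.0.0.7 - - [26/Oct/2011:10:00:12 +0000] "GET /ccmadmin/main.do HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(value):
    """True if a file= value contains a '..' path segment after URL decoding.

    Decoding twice catches double-encoded sequences such as %252f; splitting on
    both slash styles means a bare substring match on '..' is not needed.
    """
    decoded = unquote(unquote(value))
    segments = re.split(r"[\\/]", decoded)
    return ".." in segments


def find_traversal_attempts(log_text):
    """Return (source, timestamp, file_value, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        # parse_qs already decodes one layer of percent-encoding.
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            if is_traversal(value):
                hits.append((m.group("src"), m.group("ts"), value, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for src, ts, value, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ts} {src} status={status} file={value}")
```

A hit with status 200 indicates the file was actually served, which is the case to escalate first; on a patched system the same requests should no longer return 200.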

To decode the credentials of ‘ApplUserDbPwCrypt’ from platformConfig.xml:
1. Search for the ‘ParamValue’ XML tag where the ‘ParamDefaultValue’ is ‘password’.
2. The value of ‘ParamValue’ can then be decrypted by making use of AES128-CBC as follows:
a) The first 16 bytes are used as IV
b) The second 16 bytes are the encrypted password
c) Initialize the cipher using the IV and key ‘smetsysocsicni’
d) Decrypt the encrypted password

Steps to reproduce the VLAN separation issue:
1. Start sniffing using Wireshark on the computer connected to the PC port
2. Apply the Wireshark display filter ‘VLAN’; this shows only VLAN tagged packets
3. Soft restart the Cisco phone by pressing the settings button and then **#**
4. Wireshark should start displaying broadcast packets from the voice VLAN for a 10 second period

Disclosure Timeline:
25.05.2010 Initial notification to PSIRT
25.05.2010 PSIRT acknowledges the report
25.05.2010 Various acknowledgements from Cisco, some issues are apparently already known.
28.05.2010 PSIRT is still working on the evaluation.
17.06.2010 PSIRT updates on the issues reported
03.02.2011 Requesting update from PSIRT
04.02.2011 Response that the case handler has left PSIRT
28.03.2011 A personal meeting during BlackHat Europe had effects, new case handler reports the directory traversal issue being fixed.
11.10.2011 Checking back with PSIRT and providing draft advisory
11.10.2011 Latest status updates on two issues and agreement on 2011-10-26 coordinated release
26.10.2011 Cisco releases cisco-sa-20111026-cucm
08.11.2011 Release
