TC-SA-2011-01: Multiple vulnerabilities in OmniTouch Instant Communication
Suite

Published: 2011/10/24
Advisory-Version: 1.0

References: 
 - Alcatel Lucent Vulnerability Statement 2011003 Multiple vulnerabilities
in OmniTouch Instant Communication Suite
 - CVE-2011-4058 - multiple XSS vulnerabilities in Alcatel-Lucent
OmniTouch 8400 Instant Communication Suite 
 - CVE-2011-4059 - multiple CSRF vulnerabilities in Alcatel-Lucent
OmniTouch 8400 Instant Communication Suite 
 - Cert-IST reference number: Cert-IST/AV-2011.583 
 - URL of this advisory (used for updates):
http://www.tele-consulting.com/advisories/TC-SA-2011-01.txt

Affected products:
    Alcatel Lucent OmniTouch 8400 Instant Communications
    Suite (ICS) Version 6.1 Patch 102a
    (older releases have not been tested)

Summary:
    Alcatel Lucent's ICS offers Unified Communication services
    over several access ways, like handhelds and web-clients.
    The web-client WebICS offers end users services like access
    to personal and global address books, initiate calls, call
    redirects etc.
    Several common flaws could be found in WebICS like reflected
    and stored XSS as well as CSRF. In Webadmin reflected XSS
    could be found.

Possible Effects:
    One could use a stored XSS in the phonebook and change the
    end users phone configuration like DND or call redirect.

Vulnerable Scripts WebICS:
    CSRF
     - /websoftphone/servlet/DispPhoneSet
     - /websoftphone/servlet/DispRTC
     - /websoftphone/servlet/DispPhoneSet

    stored XSS:
     - all Input-Fields of the phonebook

    reflected XSS:
     
     - /websoftphone/jsp/CBCallBackCont.jsp, parameter list
     - /websoftphone/jsp/PhoneBookCont.jsp, parameter udatab
     - /websoftphone/jsp/CustoData.jsp, parameter openwin
   - /websoftphone/jsp/RTCNavigator.jsp, parameter sessionid
   - /websoftphone/servlet/DispLogon, parameter next
     - /websoftphone/servlet/DispLogon, parameter main


Vulnerable Scripts WebAdmin:
    reflected XSS:
     - /ClientMgmt/ClientMgmt, parameter action

Examples CSRF:
    - Lock a phone
    https://webics.yourdomain.local/websoftphone/servlet/ \
    DispPhoneSet?method=setLock

    - Dial
    https://webics.yourdomain.local/websoftphone/servlet/ \
    DispRTC?method=makeCall&number=XXXX

    - Set DND
    https://webics.yourdomain.local/websoftphone/servlet/ \
    DispPhoneSet?method=setDoNotDisturb

    - Set call forward
    https://webics.yourdomain.local/websoftphone/servlet/ \
    DispPhoneSet?method=setForward&type=immediate& \
    FwdTarget=onSomeone&number=xxxx

    https://webics.yourdomain.local/websoftphone/jsp/ \
    CBCallBackCont.jsp?list=%22%3E%3CFRAME%20SRC=%22 \
    http://www.boeserangreifer.de%22%3E%3C&rand=0

Possible solutions:
    - install the vendor supplied hotfix

Disclosure Timeline:
    2011/02/17 vendor contacted via psirt.security@alcatel-lucent.com
    2011/02/18 initial vendor response 
    2011/06/27 vendor sent an internal advisory to business partners for
some reflected XSS issues
    2011/07/20 vendor sent an updated internal advisory to business
partners included a hotfix for some reflected XSS issues
    2011/09/06 vendor sent an updated internal advisory to business
partners
    2011/09/26 vendor sent an updated internal advisory to business
partners addressing all issues
    2011/10/24 coordinated public disclosure

Credits:
    Tobias Glemser (tglemser@tele-consulting.com)
    Tele-Consulting security networking training GmbH, Germany
    www.tele-consulting.com
    
Disclaimer:
    All information is provided without warranty. The intent is to 
    provide information to secure infrastructure and/or systems, not
    to be able to attack or damage. Therefore Tele-Consulting shall 
    not be liable for any direct or indirect damages that might be 
    caused by using this information.