exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Sonexis ConferenceManager Information Disclosure

Sonexis ConferenceManager Information Disclosure
Posted Feb 14, 2012
Authored by Netragard | Site netragard.com

Netragard, L.L.C Advisory - Sonexis ConferenceManager versions up to 10.x suffer from multiple information disclosure and lack of authentication vulnerabilities.

tags | exploit, vulnerability, info disclosure
SHA-256 | 0187c6fccee74ba3fb6221abae73c77e6c4eedd2deda0b9b3c2c76138719014d

Sonexis ConferenceManager Information Disclosure

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Netragard Security Advisory - Sonexis ConferenceManager - 20120201

[POSTING NOTICE]

If you intend to post this advisory on your web page please create a
link back
to the original Netragard advisory as the contents of the advisory may
change.

For more information about Netragard visit:

http://www.netragard.com

[Advisory Information]

Contact : sales@netragard.com
Advisory ID : NETRAGARD-20120201
Researcher : Titon
Product Name : Sonexis ConferenceManager
Product Version : All Versions up to 10.x
Vendor Name:Sonexis Technology, Inc.
Type of Vulnerability : Authorization Failure, Credential Leak
Impact : Network Compromise / Critical
Date Discovered : 01/25/2012
Vendor Notified : 01/31/2012

[Product Description]

"ConferenceManager plugs right into your current networks, leveraging your
existing investments -- no need for costly upgrades or new infrastructure.
And, because you own your equipment, you can scale the number and size
of your conferences without scaling your costs. Say goodbye to those
pay-as-you go subscription costs and say hello to savings as high as 80%"

Taken From: http://www.sonexis.com/products/index.asp

[Technical Summary]

| Vulnerability 1 |

The Sonexis ConferenceManager publishes credentials (often domain
credentials) to a web page that is accessible without authentication. In
many
cases these credentials can be used to access otherwise sensitive and
restricted resources that include but are not limited to sharepoint, vpn
services, etc.

| Vulnerability 2 |

The Sonexis ConferenceManager database can be downloaded, modified,
and uploaded again by anyone. This can result in the theft of audio
recordings
and potentially sensitive data as well as a compromise of the system.

[Technical Details]

The Sonexis ConferenceManager fails to properly check and enforce
authorization
boundaries. Any user that can access the Sonexis ConferenceManager's web
interface can access the "settings.asp" page without restriction or
authentication.
This page provides an attacker with two opportunities which are:

| Vulnerability 1 |

[1] The settings.asp page discloses sensitive credentials. These
credentials vary between installs but seem to fall into three
categories which are:

- - Domain Credentials (with or without admin privileges)
- - System Credentials (local user)
- - Not Yet Set (page not yet used?)

Netragard discovered this vulnerability during a customer
engagement. Netragard was able to use this vulnerability to
compromise the customers entire IT infrastructure including
the Domain Controller.

[2] The settings.asp page allows anyone to download the entire
Sonexis ConferenceManager SQL database without authentication.
Once downloaded the attacker can modify the database and may
be able to upload the modified database back to the Sonexis
ConferenceManager.

| Vulnerability 2 |

[1] The download.asp page is accessible without authentication.
This page allows anyone to download the contents of the
Sonexis ConferenceManager database. The contents (shown in the
exploitation section) include audio recordings, configuration
settings, etc. The original file is a zip file that when
decompressed produces multiple SQL files.

[2] The upload.asp page is accessible without authentication.
This page allows anyone to upload a backed up version of the
Sonexis ConfrenceManager database to the system. This can be
used to compromise the system if an attacker injects a backdoor
into the SQL database. Other attacks may be possible with the
upload feature.

NOTE: An attacker can use search engines like Google, Yahoo, Bing,
etc. to identify vulnerable Sonexis ConfrenceManager systems. To
demonstrate this Netragard created a Proof of Concept Google
scanner and was able to identify the following ConferenceManager
versions, each of which is vulnerable. The scanner was limited
to a 50 identifications.

Number Identified Version Vulnerable
- ----------------- ------- ----------
2 10.0.40 Yes
2 6.1.39 Yes
1 8.0.15 Yes
1 9.1.18 Yes
5 9.2.11 Yes
26 9.3.14 Yes

[Proof Of Concept]

Exploiting Vulnerability 1

No exploit required. Simply open your favorite web browser and
visit your Sonexis ConferenceManager web interface. Then append
"/admin/backup/settings.asp" to the URI as shown below.

http://<YOUR SONEXIS URL>/admin/backup/settings.asp

To extract credentials view the source and search for the
following text.

INPUT TYPE="text" NAME="uid" value="XXXXX" <-- Username
INPUT TYPE="PASSWORD" NAME="pwd" value="XXXXX" <-- Password

|Exploiting Vulnerability 2, Download|

No exploit or authentication is required to download or upload
the Sonexis ConferenceManager database. To download the db
you must first install samba. If you are using ubuntu this can
be done with a simple "apt-get install samba". Then configure
youre "smb.conf" file in the following way:

(file is located here: "/etc/samba/smb.conf")

[tmp]
comment = tmp
path = /tmp/smb
browseable = yes
read only = no
guest ok = yes

Once samba is configured the Sonexis ConfrenceManager system
will allow you to download the database. To begin the download
visit the following URL: (No authentication is required)

http://<YOUR SONEXIS URL>/admin/backup/download.asp

By default the SonexisConfig.dat file is a zip file. You can
unzip the contents of the file and you will find the following
files after extraction:

communities.dat
database.bak
recorded_audio.dat <-- Potential confidential information
telephony.dat
timezone.dat
uploadinfo.dat

Loading these files into a Microsoft SQL database allows you
to read, listen to, or otherwise view the contents.

|Exploiting Vulnerability 2, Upload|

It is also possible to upload a (modified) SonexisConfig.dat file
without authentication. To do so, simply visit the following URL:

http://<YOUR SONEXIS URL>/admin/backup/upload.asp


[Vendor Status and Chronology]

01/25/2012 - Vulnerability discovered during customer engagement
01/26/2012 - Vulnerability confirmed on 9.3.14, 10.0.40
01/31/2012 - Vendor Contacted but no information provided
02/01/2012 - Vendor Responded
02/02/2012 - Netragard identifies Sonexis Customers
02/02/2012 - Netragard Pre-releases advisory to Sonexis customers
02/06/2012 - Vendor Receives Full Details & Creates Fix
02/07/2012 - Vendor Notifies Customers
02/13/2012 - Publication

More information on this can be found on Netragard's blog at:

http://pentest.snosoft.com/2012/02/13/netragard-uncovers-0-days-in-sonexis-conferencemanager/

[Solution]

Apply the vendor supplied patch. Contact Sonexis for more information.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk85u9kACgkQQwbn1P9Iaa2nmgCfTV4qPVTan35fgWEoiM42DxQf
YasAn1veALCuf6nVHzxPBsLM/nhDJ3d4
=Dg+E
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close