
AvayaData.txt

Posted Feb 26, 2005
Authored by PAgVac

The Avaya IP Office Phone Manager stores sensitive user data in the Windows Registry.

tags | advisory, registry
systems | windows
SHA-256 | a8ef610343d5e19f8fd31dbe3ee860e5f5b3f1434a04a7af1d434055215974f5



Hello there!

I suspect there is a vulnerability in Avaya IP Office Phone Manager, both light and professional edition. The vulnerability is based on the fact that IP Office Phone Manager stores sensitive data such as username, password and PBX IP address under a key within the Windows Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Avaya\IP400\Generic]
"UserName"="Joe Smith"
"Password"=""
"PBXAddress"="10.154.1.60"

The previous example shows how and where the sensitive data is stored in the registry. I've had the opportunity to check this on several hosts in my organization. On all these hosts the password always appears as a blank password ("Password"=""). However, I do not know if this is due to the fact that those employees were simply using blank passwords to access the PBX or because the IP Office Phone Manager actually saves the password somewhere else.

The previous information could be accessed by an attacker with local access or remote access (through the "Remote Registry" service) to the Windows registry of a certain host. Administrative privileges would be required, at least if the default configuration is used.

In case the attacker is successful at getting access to the previous Windows registry key, he/she would be able to impersonate an employee simply by using the IP Office Phone Manager software and logging in to the PBX with the same username and password. This means that the attacker could do things such as check the victim's voicemails and make phone calls within the organization under the victim's name.

I have been researching in Google and several vulnerability DBs to see if this problem was already known but I couldn't find anything on it. This is why I decided to post this vulnerability here in the hope that it is indeed new to the public.

I have been able to check that the usernames and IP addresses found in this registry key are actually real information, meaning that the IP address actually matches the IP address of the PBX within the organization and that the username matches the username used to access the PBX as well. So now I just need someone to help me to find out if the passwords stored in this key are indeed real or simply an "obfuscation technique".

Regards,
pagvac (Adrian Pastor)
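
For administrators checking their own hosts, the following PowerShell audit is an added example, not part of the original advisory or of Avaya's software. It reports whether the values named above are present without printing them, lists principals outside an administrative set that hold allow rules on the key, and shows the state of the Remote Registry service. The WOW6432Node path and the list of principals treated as administrative are assumptions.

```powershell
# Added audit example; run locally from an elevated PowerShell prompt.
# Key path and value names are the ones quoted in the advisory. The WOW6432Node
# path is an assumption covering a 32-bit client on 64-bit Windows.
$keys = @(
    'HKLM:\SOFTWARE\Avaya\IP400\Generic',
    'HKLM:\SOFTWARE\WOW6432Node\Avaya\IP400\Generic'
)
$sensitive = 'UserName', 'Password', 'PBXAddress'

# Principals treated as administrative here (assumption; names are the English
# defaults and differ on localized systems).
$privileged = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

$report = @(foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    foreach ($name in $sensitive) {
        if ($props.PSObject.Properties.Name -notcontains $name) { continue }
        # Report presence and length only; never echo the stored value.
        $len = ([string]$props.$name).Length
        [pscustomobject]@{
            Check = 'StoredValue'; Key = $key
            Subject = $name; Detail = "present, length $len"
        }
    }

    # Allow rules held by anyone outside the administrative set above.
    foreach ($rule in (Get-Acl -Path $key).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($privileged -contains $rule.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Check = 'NonAdminAccess'; Key = $key
            Subject = $rule.IdentityReference.Value
            Detail = [string]$rule.RegistryRights
        }
    }
})

# The advisory names the Remote Registry service as the remote access path.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($svc) {
    $report += [pscustomobject]@{
        Check = 'RemoteRegistry'; Key = '-'
        Subject = $svc.Name; Detail = "$($svc.Status), start type $($svc.StartType)"
    }
}

$report | Format-Table -AutoSize -Wrap
```

An empty report means neither key exists on the host and the Remote Registry service was not found.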