________________________________________________________________________
Recurity Labs GmbH
http://www.recurity-labs.com
entomology@recurity-labs.com
Date: 08.11.2011
________________________________________________________________________

Vendor:          Cisco Systems
Product:         CUCM Environment
                 Cisco Unified Communications Manager (CallManager)
                 Cisco IP Phone CP-7975G
Vulnerability:   Directory Traversal
                 Reversible Obfuscation Algorithm
                 SCCP service security issues
                 CTFTP Information Leaks
                 Voice VLAN Separation Activated Late
Affected Releases: 7.0, 8.0(2)
Severity:        HIGH
________________________________________________________________________

Vendor communication:

25.05.2010  Initial notification to PSIRT
25.05.2010  PSIRT acknowledges the report
25.05.2010  Various acknowledgements from Cisco; some issues are
            apparently already known.
28.05.2010  PSIRT is still working on the evaluation.
17.06.2010  PSIRT updates on the issues reported
03.02.2011  Requesting update from PSIRT
04.02.2011  Response that the case handler has left PSIRT
28.03.2011  A personal meeting during BlackHat Europe had effects; the
            new case handler reports the directory traversal issue as
            fixed.
11.10.2011  Checking back with PSIRT and providing draft advisory
11.10.2011  Latest status updates on two issues and agreement on a
            coordinated release on 2011-10-26
26.10.2011  Cisco releases cisco-sa-20111026-cucm
08.11.2011  Release
________________________________________________________________________

Overview:

The product is the Unified Communications solution from Cisco Systems.
From the web site: "Cisco Unified Communications Manager is an
enterprise-class IP communications processing system for up to 40,000
users, extensible to 80,000 users by way of a megacluster."

There is a remotely exploitable directory traversal vulnerability in
CUCM that allows attackers to read internal files available to the
Tomcat user. By design, this user has access to various sensitive files.
Therefore this vulnerability can be abused to achieve a full compromise
of the CUCM system. The vulnerability can be triggered before
authentication. Other vulnerabilities and issues are documented within
this advisory as well.

Description:

Directory Traversal:

The directory traversal vulnerability can be triggered from the
following location:

http://[cucm]:8080/ccmivr/IVRGetAudioFile.do?file=[filename]

Reversible Obfuscation Algorithm:

The file platformConfig.xml is used to store various configuration
parameters which are used by the CUCM system. This includes network
configuration as well as "encrypted" passwords. The passwords are
encrypted using keys that are hardcoded within the system.

SCCP service security issues:

When one sends a RegisterMessage SCCP message with a malformed
"DeviceName" containing a single quote, it appears that one can inject
SQL commands. Additionally, while handling the malformed "DeviceName",
when certain characters are processed by the ODBC driver, the driver
crashes on a memcpy().

CTFTP Information Leaks:

The CTFTP service is a custom HTTP server that listens on port 6970.
The following hardcoded paths can be used to disclose information about
the CUCM configuration:

- TFTP file list /ConfigFileCacheList.txt, including the phone
  configuration filenames (the phone configuration files may contain
  passwords)
- Other interesting locations: /BinFileCacheList.txt, /FileList.txt,
  /PerfMon.txt, /ParamList.txt, /lddefault.cfg

Voice VLAN Separation Activated Late:

The Cisco phones have a port for connecting the PC that should not pass
voice VLAN tagged packets. When the phone is properly configured it will
only pass the correct packets to the PC port. It was, however, observed
that during boot there is a window of roughly 10 seconds in which an
attacker on the PC port can receive and send voice VLAN tagged packets.
This means that during that time an attacker can gain access to the
voice VLAN without making any physical network changes (i.e. no need to
disconnect the phone).
Note that this has been tested on a CP-7975G with SCCP firmware.

Examples:

A typical example is to read /etc/passwd:

http://[cucm]:8080/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd

In the same way more useful files can be read, such as
platformConfig.xml, which contains obfuscated administrative passwords:

http://[cucm]:8080/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../usr/local/platform/conf/platformConfig.xml

Attackers can then log in to the administrative web interface by using
the decoded credentials from this file.

To decode the credentials of "ApplUserDbPwCrypt" from platformConfig.xml:

1. Search for the "ParamValue" XML tag where the "ParamDefaultValue" is
   "password".
2. The value of "ParamValue" can then be decrypted by making use of
   AES128-CBC as follows:
   a) The first 16 bytes are used as IV
   b) The second 16 bytes are the encrypted password
   c) Initialize the cipher using the IV and the key "smetsysocsicni"
   d) Decrypt the encrypted password

Steps to reproduce the VLAN separation issue:

1. Start sniffing using Wireshark on the computer connected to the PC
   port
2. Apply the Wireshark display filter "vlan"; this will only show VLAN
   tagged packets
3. Soft restart the Cisco phone by pressing the settings button and
   then **#**
4. Wireshark should start displaying broadcast packets from the voice
   VLAN for a 10 second period

Solution:

Cisco Bug ID CSCth09343, see
http://www.cisco.com/warp/public/707/cisco-sa-20111026-cucm.shtml
Cisco Bug ID CSCsy45946, status unknown.
Cisco Bug ID CSCth06428, fixed.

According to Cisco, the TFTP hardcoded file names are by design.
According to Cisco, the hard phones work as designed.
________________________________________________________________________

Credit:

Found by Sandro Gauci (EnableSecurity) and Felix Lindner (Recurity Labs)

Greets to Gaus and Cisco PSIRT.
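The traversal request shown above can be both confined on the server side and spotted in web server logs. The following is an added example written for this advisory, not Cisco's code: it canonicalises the "file" parameter of /ccmivr/IVRGetAudioFile.do against an assumed prompt directory (/usr/local/ivr/audio is an assumption, as is the common-log-format shape of the constructed sample lines) and reports requests whose decoded value, including double URL encoding, escapes that directory.

```python
"""Detection and server-side confinement for the "file" parameter of
/ccmivr/IVRGetAudioFile.do. Added example, not Cisco's code: the audio
base directory and the access-log lines below are constructed
assumptions, not taken from a CUCM system."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

AUDIO_BASE = "/usr/local/ivr/audio"  # assumed base directory for IVR prompts
IVR_PATH = "/ccmivr/IVRGetAudioFile.do"

# Common-log-format shape of the constructed sample lines (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def resolve_audio_path(file_param):
    """Hardened lookup: decode, canonicalise and confine to AUDIO_BASE.
    Returns the canonical path, or None when the request would escape."""
    decoded = unquote(unquote(file_param))  # also catches double encoding
    if "\x00" in decoded:
        return None                          # NUL would truncate in lower layers
    # Always treat the parameter as relative to the base, never as absolute.
    candidate = posixpath.normpath(posixpath.join(AUDIO_BASE, decoded.lstrip("/")))
    if not candidate.startswith(AUDIO_BASE + "/"):
        return None                          # climbed out of the base, or is the base itself
    return candidate


def find_traversal_attempts(log_lines):
    """Scan access-log lines; return (client_ip, request_target) for every
    request to the IVR endpoint whose "file" value escapes AUDIO_BASE."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != IVR_PATH:
            continue
        # parse_qs already applies one round of percent-decoding.
        for value in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            if resolve_audio_path(value) is None:
                hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample log lines: one benign prompt fetch, two traversal
# attempts (plain and percent-encoded) and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2011:10:00:01 +0100] "GET /ccmivr/IVRGetAudioFile.do?file=welcome.wav HTTP/1.1" 200 8192',
    '10.0.0.9 - - [08/Nov/2011:10:00:07 +0100] "GET /ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1337',
    '10.0.0.9 - - [08/Nov/2011:10:00:09 +0100] "GET /ccmivr/IVRGetAudioFile.do?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1337',
    '10.0.0.5 - - [08/Nov/2011:10:00:12 +0100] "GET /ccmadmin/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, target in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt from %s: %s" % (ip, target))
```

The confinement check joins the decoded value onto the base directory and only then normalises, so an absolute path or any number of "../" segments still resolves inside the base or is rejected; a 200 status on a flagged line is the signal that the file was actually served.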
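The SCCP issue above describes a single quote in "DeviceName" apparently reaching the SQL layer. The following added example (written for this advisory, not CUCM code) shows the vulnerable string-built lookup next to two hardened forms, parameter binding alone and an allow-list plus binding; the "device" table, its rows and the allow-list pattern are constructed here, and the real CUCM schema and ODBC layer are not modelled.

```python
"""Vulnerable and hardened forms of a device lookup keyed on the SCCP
RegisterMessage "DeviceName" field. Added example, not CUCM code: the
"device" table, its rows and the allow-list pattern are constructed
here, and the real CUCM schema and ODBC layer are not modelled."""
import re
import sqlite3

# Assumed allow-list: Cisco-style names such as SEP + 12 hex digits fit;
# a single quote or any other SQL metacharacter does not.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")


def make_db():
    """Constructed in-memory stand-in for the device table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device (name TEXT PRIMARY KEY, model TEXT)")
    conn.executemany(
        "INSERT INTO device VALUES (?, ?)",
        [("SEP001122334455", "CP-7975G"), ("SEP00AABBCCDDEE", "CP-7965G")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, device_name):
    """'Before' form: the untrusted field is spliced into the SQL text, so a
    quote in DeviceName changes the statement instead of being data."""
    sql = "SELECT model FROM device WHERE name = '%s'" % device_name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, device_name):
    """Parameter binding alone: the quote is passed as data, never parsed."""
    rows = conn.execute("SELECT model FROM device WHERE name = ?", (device_name,))
    return [row[0] for row in rows]


def lookup_safe(conn, device_name):
    """Hardened form: reject anything outside the allow-list before it
    reaches the database, then bind. Returns None for a rejected name and
    [] for a well-formed name that is not registered."""
    if not DEVICE_NAME_RE.match(device_name):
        return None
    return lookup_bound(conn, device_name)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, hostile))  # both models are returned
    print("bound: ", lookup_bound(db, hostile))   # []
    print("safe:  ", lookup_safe(db, hostile))    # None
```

Binding on its own already stops the statement from being rewritten; the allow-list in front of it is what keeps malformed names away from any lower-level driver code at all, which is the relevant layer for the memcpy() crash noted above.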
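The reproduction steps above rely on Wireshark's "vlan" display filter to see the leak window. The following added example (written for this advisory, not Cisco's or the authors' code) does the same over raw Ethernet frames captured at the PC port: it parses the 802.1Q tag, collects the VLAN IDs that appear and reports how long tagged frames were seen. The frames, MAC addresses, timestamps and the voice VLAN ID 200 are constructed sample data, not a real capture.

```python
"""Find 802.1Q tagged frames in a PC-port capture and measure the window
in which they appear. Added example, not Cisco's code; every frame below
is constructed, not taken from a real capture."""
import struct

TPID_8021Q = 0x8100


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, vlan_id_or_None, ethertype) for one frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
    return mac_str(dst), mac_str(src), vlan_id, ethertype


def tagged_leak_window(capture):
    """capture: list of (timestamp_seconds, frame_bytes) in time order.
    Returns (vlan_ids, first_ts, last_ts, duration) for the tagged frames,
    or None if no tagged frame reached the PC port."""
    tagged = []
    for ts, frame in capture:
        vlan_id = parse_ethernet(frame)[2]
        if vlan_id is not None:
            tagged.append((ts, vlan_id))
    if not tagged:
        return None
    first, last = tagged[0][0], tagged[-1][0]
    return {vid for _, vid in tagged}, first, last, last - first


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Construct a sample frame, optionally inserting an 802.1Q tag."""
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed addresses and capture: untagged traffic from the PC, then
# voice-VLAN tagged broadcasts leaking through during the phone's boot.
BROADCAST = b"\xff" * 6
PHONE_MAC = b"\x00\x11\x22\x33\x44\x55"
PC_MAC = b"\x00\xaa\xbb\xcc\xdd\xee"
VOICE_VLAN = 200

SAMPLE_CAPTURE = [
    (0.0, build_frame(BROADCAST, PC_MAC, 0x0806, b"\x00" * 28)),
    (1.2, build_frame(BROADCAST, PHONE_MAC, 0x0806, b"\x00" * 28, vlan_id=VOICE_VLAN)),
    (5.5, build_frame(BROADCAST, PHONE_MAC, 0x0800, b"\x00" * 40, vlan_id=VOICE_VLAN)),
    (11.0, build_frame(BROADCAST, PHONE_MAC, 0x0800, b"\x00" * 40, vlan_id=VOICE_VLAN)),
    (30.0, build_frame(BROADCAST, PC_MAC, 0x0806, b"\x00" * 28)),
]

if __name__ == "__main__":
    result = tagged_leak_window(SAMPLE_CAPTURE)
    if result:
        vids, first, last, duration = result
        print("tagged VLANs %s seen on PC port from %.1fs to %.1fs (%.1fs)"
              % (sorted(vids), first, last, duration))
```

Applied to a real capture from step 4, the set of VLAN IDs tells you whether the frames actually belong to the voice VLAN rather than some other tagged traffic, and the duration is the measurable size of the window that a port-level control (or the phone's own filtering) has to close.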
________________________________________________________________________

The information provided is released "as is" without warranty of any
kind. The publisher disclaims all warranties, either express or
implied, including all warranties of merchantability. No responsibility
is taken for the correctness of this information. In no event shall the
publisher be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if the publisher has been advised of the possibility of
such damages.

The contents of this advisory are copyright (c) 2011 Recurity Labs GmbH
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.
________________________________________________________________________

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/