-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140528-0 >
=======================================================================
              title: Root Backdoor & Unauthenticated access to voice recordings
            product: NICE Recording eXpress voice recording solution
                     (formerly called Cybertech eXpress; Cybertech Myracle
                     may be affected too)
 vulnerable version: 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.5.x
      fixed version: see section "Solution" and "Timeline" below
             impact: critical
           homepage: http://www.nice.com
              found: 2013-11-13
                 by: Johannes Greil, Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor & product description:
=============================
"NICE Systems (NASDAQ: NICE), is the worldwide leader of intent-based
solutions that capture and analyze interactions and transactions, realize
intent, and extract and leverage insights to deliver impact in real time."

source: http://www.nice.com/company-overview

"NICE provides Law Enforcement Agencies (LEAs) with mission-critical lawful
interception (LI) solutions to support the fight against organized crime,
drug trafficking and terrorist activities. NICE helps LEAs stay up-to-date
with fast-paced technology developments. The solutions retrieve target
location, relations and conversation content from any type of communication
including fax, fixed and mobile telephony, and Internet applications,
resulting in a multi-dimensional investigative picture. NICE solutions
support the entire lawful interception cycle, from warrant initiation to
court evidence presentation."

source: http://www.nice.com/lea

"NICE Recording eXpress is designed specifically for the audio recording
needs of the small and medium sized Public Safety organisation. This advanced
recording solution offers a comprehensive, advanced, easy-to-install and
affordable platform built for the Public Safety environment and Command and
Control operations delivering optimal recording functionality and quality
management."

Source: http://www.nice.com/sites/default/files/nicerecordingexpress050112.pdf.pdf.pdf


Business recommendation:
========================
Attackers are able to completely compromise the voice recording /
surveillance solution: they gain access at the system and database level
and can listen to recorded calls without prior authentication.

Furthermore, attackers would be able to use the voice recording server as
a jumphost for further attacks against the internal voice VLAN, depending
on the network setup.

SEC Consult strongly recommends not to use this software until a thorough
security review has been performed by security professionals and all
identified issues have been resolved. It is assumed that further critical
vulnerabilities exist.

Vulnerability overview/description:
===================================
Summary:
1) root backdoor account (REC-5180 SR1093984 - subtask REC-5424)
2) Unauthenticated access to sensitive files & voice recordings
   (REC-5179 SR1089608 - subtask REC-5417)
3) Low-privileged users can access other voice recordings & Insufficient
   authorization (REC-5179 SR1089608 - subtask REC-5418)
4) Unauthenticated access to functionality (REC-5179 SR1089608 - subtask REC-5419)
5) Insufficient authorization of admin functions (REC-5179 SR1089608 - subtask REC-5420)
6) Multiple cross site scripting issues (REC-5181 SR1093986 - subtask REC-5421)
7) Multiple unauthenticated SQL injection issues (REC-5180 SR1093984 - subtask REC-5423)
8) Insecure cookie handling (REC-5181 SR1093986 - subtask REC-5422)
9) Violation of the least privilege principle - services run as SYSTEM
   (not included in subtask)

The strings in parentheses after each vulnerability title are the official
NICE bug tracking numbers, which are also referenced in the vendor's release
notes.


1) root backdoor account (REC-5180 SR1093984 - subtask REC-5424)
- --------------------------------------------------------------------------
The MySQL database table "usr" contains a "root" user with USRKEY / user id 1
and administrative access rights. This user account does NOT show up in the
"user administration" menu when logged in to the web interface as an
administrator; hence its password cannot be changed there.

As a side note: the password hash of every user is present in the HTML
source code of the user administration menu.


2) Unauthenticated access to sensitive files & voice recordings
   (REC-5179 SR1089608 - subtask REC-5417)
- --------------------------------------------------------------------------
For example, unauthenticated attackers are able to gain access to exported
lists of the user accounts that are being monitored/recorded. Attackers gain
access to detailed information such as personal data like first/last name,
email address and username/extension.

Furthermore it is possible to gain _unauthenticated_ access to recorded voice
calls of other users. Those calls are stored in a temporary directory once
they have been accessed by a user via the integrated media player in the web
interface.


3) Low-privileged users can access other voice recordings & Insufficient
   authorization (REC-5179 SR1089608 - subtask REC-5418)
- --------------------------------------------------------------------------
Low-privileged / standard user accounts can not only access their own voice
recordings within the web interface but also other users' calls, simply by
iterating an ID in the HTTP requests of the integrated media player.


4) Unauthenticated access to functionality (REC-5179 SR1089608 - subtask REC-5419)
- --------------------------------------------------------------------------
Multiple ASP script files can be accessed without authentication. Attackers
are e.g. able to gain access to parts of the configuration and even call
internal methods that may delete or update data.


5) Insufficient authorization of admin functions (REC-5179 SR1089608 - subtask REC-5420)
- --------------------------------------------------------------------------
Certain ASP script files allow low-privileged user accounts access to
administrative functions or functions where usually higher privileges are
necessary.


6) Multiple cross site scripting issues (REC-5181 SR1093986 - subtask REC-5421)
- --------------------------------------------------------------------------
NICE eXpress suffers from multiple cross-site scripting (reflected and
permanent) vulnerabilities, which allow an attacker to steal other users'
sessions, to impersonate other users and to gain unauthorized access to the
web interface and audio recordings.


7) Multiple unauthenticated SQL injection issues (REC-5180 SR1093984 - subtask REC-5423)
- --------------------------------------------------------------------------
The web application suffers from multiple SQL injection vulnerabilities that
can be exploited without prior authentication! By exploiting this
vulnerability, an attacker gains access to all records stored in the database
with the privileges of the database user "recorder". As MySQL runs with the
highest OS-level access rights and the database user has the FILE privilege,
it is possible to write files to the file system. This enables further
attacks leading to OS-level compromise.

Attackers are able to alter database contents and therefore potentially also
the checksums of recordings. Hence stored audio recordings could be replaced
by altered ones!


8) Insecure cookie handling (REC-5181 SR1093986 - subtask REC-5422)
- --------------------------------------------------------------------------
The "HttpOnly" cookie flag is an extension of the cookie standard introduced
by Microsoft to mitigate cookie stealing attacks: it prevents JavaScript from
accessing the cookie. The web application does not set this flag on its
cookies, so the session cookie can be read by script injected through the
XSS vulnerabilities of flaw 6 and user sessions can be stolen directly.
With HttpOnly set, credentials could not be stolen this way, although other
XSS attacks would still be possible.


9) Violation of the least privilege principle - services run as SYSTEM
   (not included in subtask)
- --------------------------------------------------------------------------
The system does not conform to the least privilege principle. An attacker
could misuse services running with the highest access rights ("SYSTEM") on
the Windows operating system and potentially escalate privileges on several
components.

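Checking flaw 8 from the outside only needs the response headers. The following Python script is an added example, not code from NICE Recording eXpress or from SEC Consult: it parses the Set-Cookie headers of a raw HTTP response and reports which cookies lack the Secure and HttpOnly flags. RAW_RESPONSE is a constructed response that mirrors the finding (Secure present, HttpOnly missing); the ASPSESSIONID... cookie name follows the classic ASP default and is an assumption, since the advisory does not name the cookie.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags (flaw 8).

Added example; not code from NICE Recording eXpress or from SEC Consult.
RAW_RESPONSE is a constructed HTTP response that mirrors the finding
(Secure present, HttpOnly missing). The cookie name follows the classic
ASP default (ASPSESSIONID...), which is an assumption: the advisory does
not name the cookie.
"""

# Constructed sample response (assumption, not captured product output).
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASPSESSIONIDQSABCDEF=ABCDEFGHIJKLMNOPQRSTUVWX; path=/; secure\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

REQUIRED_FLAGS = ("secure", "httponly")


def set_cookie_headers(raw_response):
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased because Secure/HttpOnly are
    case-insensitive; flag attributes without '=' map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_flags(header):
    """List the required flags absent from one Set-Cookie value."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit(raw_response):
    """Map every cookie the response sets to the flags it lacks, in order."""
    return [(parse_set_cookie(h)[0], missing_flags(h))
            for h in set_cookie_headers(raw_response)]


if __name__ == "__main__":
    for name, missing in audit(RAW_RESPONSE):
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Run the audit against the login response before and after applying the vendor's 6.5 PL5 patch (which the timeline lists as fixing REC-5422) to confirm that the session cookie now carries both flags; a cookie such as a language preference that holds no secret may legitimately stay unflagged, which is why the script reports rather than decides.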
Proof of concept:
=================
1) root backdoor account
- --------------------------------------------------------------------------
The password hash (salted - also see flaw #7) of the root user is:
c00e6f05562f338a07eeac9a8ad1b7881d4a990b0b3ee2cf439ac0f55a818d2e

The user does not show up within the admin web interface even when logged
in as an administrator.


2) Unauthenticated access to sensitive files & voice recordings
- --------------------------------------------------------------------------
The following URL shows a list of all accounts that are being monitored by
NICE Recording eXpress and can be accessed by anyone without prior
authentication. The list is copied to the [removed] directory when a user
with appropriate rights exports the user list within the web interface.

[removed]
PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched

Furthermore, recorded calls made by other users are stored in certain
subdirectories of the [removed] directory. Those wave files are copied to
the directory as soon as users listen to their recordings through the web
interface, because the integrated media player accesses the wave files via
this URL. Attackers are able to access those calls without prior
authentication!


3) Low-privileged users can access other voice recordings
- --------------------------------------------------------------------------
If a user clicks on a recorded call (of his own) within the web application,
the integrated media player will open it. The following HTTP request is sent,
containing the parameter [removed]. The XML response includes the file
location / path of the recorded wave file and whether the user has
appropriate access rights. The values of the [removed] parameter can easily
be enumerated, and the file locations of other recordings are then shown.
Those files can be accessed without authentication afterwards and without
having to guess the file path, as the path is provided.

Request of own call recording:
- ------------------------------
[removed]
PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched

The XML elements [removed] and [removed] are interesting for the attacker.
If an attacker enumerates the [removed] parameter he will receive those XML
responses including file location/path of other users' voice recordings.
The [removed] XML attribute value may change to [removed] with the additional
error message "You're not authorized to play back this call" (element:
[removed]). But this XML response is only validated by the media player, and
the attacker can still listen to the call via the [removed] path directly.

The [removed] XML element shows the path of the recording in the temp
directory under [removed], which can then be accessed without
authentication!

It is assumed that further flaws exist within the media player functionality,
but it has not been tested further during this short crash test.


4) Unauthenticated access to functionality
- --------------------------------------------------------------------------
As an example, the following URL can be called without authentication:

[removed]
PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched

There exist many further scripts that can be accessed!


5) Insufficient authorization of admin functions
- --------------------------------------------------------------------------
As an example, the following URLs can be accessed:

[removed]
PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched

There exist many further scripts that can be accessed!

6) Multiple cross site scripting issues
- --------------------------------------------------------------------------
The following URLs are examples for reflected XSS (list is not complete):

http://$host/_ifr/iframe.picker.statchannels.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.channelgroups.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.extensions.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.licenseusergroups.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.licenseusers.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.lookup.asp?frame=%27%29};alert%280%29;{%28%27
http://$host/_ifr/iframe.picker.marks.asp?frame=%27%29};alert%280%29;{%28%27

Permanent XSS:
http://$host/myaccount/mysettings.edit.validate.asp
Parameter: USRLNM

It is assumed that many further scripts are vulnerable to XSS!


7) Multiple unauthenticated SQL injection issues
- --------------------------------------------------------------------------
The following sample request (no authentication needed!) writes the text
file "secconsult.txt" into the webroot, including user account information
such as password hashes.

As a side note: all password hashes are computed with SHA256 over a
hard-coded salt value contained in a pre-compiled DLL shipped with the web
application. The following python script demonstrates the algorithm:

[removed]
PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched

Further affected scripts (list not complete):

[removed]
PoC exploit has been removed as no patch exists for this flaw or NICE did
not confirm that it was patched

MySQL runs with highest SYSTEM access rights, hence attackers have access to
the file system; also see vulnerability 9).

It is assumed that further SQL injection vulnerabilities exist!

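The value in the flaw 6 URLs, URL-decoded, is ')};alert(0);{(' : it closes a single-quoted string, the surrounding call and a brace block, runs alert(0), and re-opens a block so the script still parses. The following Python script is an added example, not code from NICE Recording eXpress or from SEC Consult; the advisory shows only the payload, so the inline-script sink it is tested against (the names frameReady and selectFrame) is an assumption about the kind of context the payload was crafted for. The safe variant emits the parameter through a JavaScript string-literal encoder, and a small scanner shows whether the injected text ended up as code or stayed inside the literal.

```python
"""JavaScript-context XSS: the flaw 6 payload against an assumed sink.

Added example; not code from NICE Recording eXpress or from SEC Consult.
The advisory shows only the payload, so the inline-script sink below
(frameReady, selectFrame) is an assumption about the kind of context
the payload was crafted to break out of.
"""
import json
from urllib.parse import unquote

# The query string value from the advisory URLs, URL-decoded.
PAYLOAD = unquote("%27%29};alert%280%29;{%28%27")  # ')};alert(0);{('


def render_vulnerable(frame):
    """Assumed vulnerable sink: the 'frame' parameter is pasted verbatim
    into a single-quoted JS string literal inside a brace block."""
    return "if (frameReady) { selectFrame('" + frame + "') }"


def js_string_literal(value):
    """Encode a string as a JavaScript string literal that can neither end
    the literal and statement nor close the enclosing <script> element."""
    literal = json.dumps(value)  # escapes " and \ and all non-ASCII (U+2028 too)
    # json.dumps leaves < > & untouched; escape them so '</script>' inside
    # the value cannot terminate the script element.
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_safe(frame):
    """The same sink with the parameter emitted through js_string_literal()."""
    return "if (frameReady) { selectFrame(" + js_string_literal(frame) + ") }"


def outside_string_literal(js, needle):
    """True if `needle` occurs in `js` outside any single- or double-quoted
    string literal. A minimal scanner that understands backslash escapes
    but not comments, regex or template literals; enough to tell whether
    injected text became code."""
    quote = None
    i = 0
    while i < len(js):
        ch = js[i]
        if quote:
            if ch == "\\":
                i += 2  # skip the escaped character
                continue
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif js.startswith(needle, i):
            return True
        i += 1
    return False


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
```

In the vulnerable rendering alert(0) sits between two statements, i.e. it executes; in the safe rendering the same characters are the contents of one string literal. Together with flaw 8 (no HttpOnly flag), alert(0) in a real attack would be replaced by code that sends document.cookie to the attacker, which is the session theft the advisory describes.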
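The side note under flaw 7 is worth making concrete: with one salt shared by every account, a dumped "usr" table can be attacked with a single precomputed table, and users with the same password are visible at a glance. The following Python script is an added example, not code from NICE Recording eXpress or from SEC Consult, and it does not reconstruct the script removed from the advisory: HARDCODED_SALT is a placeholder, not the value in the vendor's DLL, and the weak scheme is only assumed to be "SHA-256 over salt plus password". It places that scheme beside a per-user salted PBKDF2-HMAC-SHA256 hash with constant-time verification.

```python
"""Fixed-salt SHA-256 beside a per-user salted KDF (flaw 7 side note).

Added example; not code from NICE Recording eXpress or from SEC Consult,
and not a reconstruction of the Python script removed from the advisory.
HARDCODED_SALT is a placeholder, not the value in the vendor's DLL, and
the weak scheme is only assumed to be 'SHA-256 over salt plus password'.
"""
import hashlib
import hmac
import os

HARDCODED_SALT = b"example-static-salt"  # placeholder (assumption)
PBKDF2_ITERATIONS = 600_000              # raise as hardware allows


def weak_hash(password):
    """One salt for every user: equal passwords give equal hashes, and a
    single precomputed table cracks the whole 'usr' table at once."""
    return hashlib.sha256(HARDCODED_SALT + password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Random per-user salt plus PBKDF2-HMAC-SHA256, stored with its
    parameters so they can be raised later without a format change."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_strong(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def weak_hash_collisions(users):
    """Given {username: password}, group users whose weak hashes are equal:
    exactly what a leaked table of fixed-salt hashes reveals for free."""
    by_hash = {}
    for user, pw in users.items():
        by_hash.setdefault(weak_hash(pw), []).append(user)
    return [sorted(g) for g in by_hash.values() if len(g) > 1]


def crack_weak(leaked, wordlist):
    """Offline dictionary attack on {username: weak_hash}: one SHA-256 per
    candidate word covers every account, because the salt never changes."""
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


if __name__ == "__main__":
    # Constructed accounts, not data from any real system.
    users = {"alice": "Winter2014", "bob": "Winter2014", "carol": "x7!Qz#9pL"}
    leaked = {u: weak_hash(p) for u, p in users.items()}
    print("shared passwords:", weak_hash_collisions(users))
    print("cracked:", crack_weak(leaked, ["password", "Winter2014"]))
    print("per-user hashes differ:",
          strong_hash("Winter2014") != strong_hash("Winter2014"))
```

Note that the fixed salt does not even need to be recovered from the DLL for the collision check: identical hashes in the dump already mean identical passwords. The per-user salt removes that leak, and the iteration count turns each guess from one SHA-256 into hundreds of thousands, per account.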
8) Insecure cookie handling
- --------------------------------------------------------------------------
The web application only sets the "secure" cookie flag, but not "HttpOnly".


9) Violation of the least privilege principle - services run as SYSTEM
- --------------------------------------------------------------------------
Nearly all CyberTech (NICE) services including MySQL run as local SYSTEM
with highest privileges, such as [removed] and many more. SEC Consult did
not analyse those services; some of them have network listeners, and a
successful attack against one of them may lead to system compromise.


Vulnerable / tested versions:
=============================
The vulnerabilities have been verified to exist in NICE Recording eXpress
version 6.3.5. According to the release notes published by the vendor all
previous releases are affected too.


Vendor contact timeline:
========================
2013-12-13: Contacted vendor through support@nice.com and given direct
            contact (Tier 2 Customer Support Team Lead NICE EMEA), including
            support ticket of customer, requesting encryption keys, attaching
            responsible disclosure policy
2013-12-18: Reply from vendor, no encryption keys
2013-12-18: Sending unencrypted security advisory to NICE & responsible
            disclosure policy again
2014-01-08: Asking for status update
2014-01-09: Receiving estimated patch dates for identified issues:
            * REC-5179 SR1089608: will be fixed by release CT6.5.6 31 Mar 2014
            * REC-5180 SR1093984: will be fixed by release CT6.5.6 31 Mar 2014
            * REC-5181 SR1093986: will be fixed by release CT6.5.5 28 Feb 2014
2014-01-16: Receiving more detailed information regarding patch / release
            versions including subtask tracking numbers
2014-02-05: Vendor gives status update, everything according to plan:
            "dates are valid"
2014-02-25: Updates regarding advisory release date / coordination
2014-03-05: Asking how customers are informed about the patches
2014-03-07: Releases are provided in SDC portal & release notes
2014-03-07: Asking about affected product names & versions ("NICE Recording
            eXpress" vs. "Cybertech eXpress" vs. "Cybertech Myracle")
2014-03-07: Patch (6.5 PL5) released by vendor that fixes XSS
            (REC-5181 - REC-5421 SR-1093986) and insecure cookie handling
            (REC-5181 - REC-5422 SR-1093986)
2014-04-03: Patch (6.5 PL6) released by vendor that fixes
            REC-5180 - REC-5424 SR-1093984 (root backdoor)
            No mention of fix for SQL injection subtask REC-5423
            Delay for REC-5179 - will be fixed in next release
2014-04-08: Vendor: "The last fix is planned for the end of April 2014"
2014-04-30: Asking for status update, asking again about product names
2014-05-02: Vendor: "NICE bought various providers and [...] various names
            for the product", "Myracle is an older version", "NICE advises
            clients to upgrade their system no matter what"
2014-05-07: Vendor information from development team:
            * REC-5180 SR1093984: "We couldn't make it last month. Need to
              schedule it in another patch level" (REC-5423)
            * REC-5179 SR1089608: "We worked on this item last month and it's
              partially fixed":
              - Patch NTR 6.5 PL7 solves part of subtask REC-5419
                (unauthenticated access to functionality)
                SEC Consult could not confirm whether REC-5419 was fixed,
                because the release notes of PL7 do not contain any info on
                this
              - Subtask REC-5420: not fixed, need to reschedule (Insufficient
                authorization of admin functions)
              - Subtask REC-5417: not fixed, removing insecure functionality
                breaks backwards compatibility with other products, "We need
                to reconsider how to approach this big change in a structural
                way"
2014-05-14: Setting deadline for advisory release 2014-05-28
2014-05-23: Asking vendor for confirmation regarding unresolved issues
2014-05-23: Warning local CERTs (Austria & Germany) about upcoming release
2014-05-27: Asking vendor again for confirmation of patched/unpatched flaws
2014-05-27: Vendor contact reached out to R&D team, "According to the system
            the fix is to be released end of August this year, more info to
            follow once confirmed from R&D"
            Receiving new contact person from NICE
2014-05-27: Telling vendor again about the release on 28th May, asking for
            patch confirmation
2014-05-28: (no answer) SEC Consult releases security advisory


Solution:
=========
Partial patches are available in the NICE Software Download Center according
to the vendor:
https://nice.subscribenet.com
* Product Updates > NICE Recording (CyberTech) > Core Software NICE Recording
  > Recording R6

SEC Consult urges all users of NICE Recording eXpress (or Cybertech eXpress)
to upgrade to the latest version available immediately. As of 2014-05-28, the
latest patch release is NTR 6.5 PL7.

At least the following critical issues are _still unresolved_: they are
either not patched or NICE has not confirmed that they were patched:
* REC-5417: Unauthenticated access to sensitive files & voice recordings
* REC-5418: Low-privileged users can access other voice recordings &
  Insufficient authorization
* REC-5419: Unauthenticated access to functionality
* REC-5420: Insufficient authorization of admin functions
* REC-5423: Multiple unauthenticated SQL injection issues

As of 2014-05-28 the vendor has not confirmed whether all other issues have
been fixed entirely.


Workaround:
===========
No workaround available.


Advisory URL:
=============
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarters:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15
Mail:    research at sec-consult dot com
Web:     https://www.sec-consult.com
Blog:    http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF J. Greil / @2014

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJThakrAAoJECyFJyAEdlkKjfkH/iUXfuUpDM2LwyadKU25WAAt
UIdUGIJfpeBWJ3sDzRourVGvNfMG+HFTLPOZg8vA49kLILScj3dwz1xe3cr1mfvl
c1JbEeJ2Im/+sJC+es8TGMqmSXj1bgr4Hew89rCjBNrh7OwrtU3bjr3XMmKjl3AW
GzSa71CEPA3h7YnBNtuKlGxPNRRogh1RRXq93k92lv1NTox6PqQXq5/m97jp0vjH
B1/0BAuiAowWnrTmgj+fgId5xixplUzOWVa0D070HSEjucvZHDujo8F7YyYwOW70
A9l2y8LwiilrXEMvLtq1ox6Z9Yf7xWfN1HriLzH0zHX3Yzo2+6O/l/XwArcJZiE=
=9uWa
-----END PGP SIGNATURE-----