Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Cisco Call Manager Privilege Escalation

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Cisco Call Manager Privilege Escalation
Date: 19 Jan 2006 16:49:13 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Cisco Call Manager Privilege Escalation
------------------------------------------------------------------------


SUMMARY

Cisco CallManager (CCM) is "the software-based call-processing component 
of the Cisco IP telephony solution which extends enterprise telephony 
features and functions to packet telephony network devices such as IP 
phones, media processing devices, voice-over-IP (VoIP) gateways, and 
multimedia applications". Cisco CallManager versions with Multi Level 
Administration (MLA) enabled may be vulnerable to privilege escalations, 
which may result in read-only users gaining administrative access.

Successful exploitation of the vulnerability may result in privilege 
escalation where read-only administrative users can gain full 
administrative privileges and create, delete, or reset devices.

DETAILS

Vulnerable Systems:
 * Cisco CallManager 3.2 and earlier
 * Cisco CallManager 3.3, versions earlier than 3.3(5)SR1
 * Cisco CallManager 4.0, versions earlier than 4.0(2a)SR2c
 * Cisco CallManager 4.1, versions earlier than 4.1(3)SR2

Complete this procedure to check if Multi Level Administration is enabled:
 1. Access CCM Administration with this URL: http://<CCMServer>/ccmadmin, 
where <CCMServer> specifies the IP address or name of the Cisco 
CallManager server.
 2. Choose User > Access Rights > Configure MLA Parameters. The MLA 
Enterprise Parameter Configuration page displays.
 3. MLA is enabled if the Enable MultiLevelAdmin enterprise parameter is 
set to True.

An administrative user with read-only permission can use a crafted URL on 
the CCMAdmin web page to escalate privileges to a full administrative 
level. This vulnerability applies to users who are authenticated to the 
read-only administrative level. Users with no administrative access and 
users with full administrative permissions continue to work as expected.

Administrative users with access privilege Read Only should not be 
confused with the standard User Group named "Read Only" which is created 
at installation. For further details on user groups and assigning access 
privileges, please refer to this URL:
 
<http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00803ed6ea.html#wp1022471>
 Multilevel Administration Access Configuration

* CSCef75361, CSCsb12765, CSCsb88649, CSCsc26275?CCMAdmin Read Only User 
Can Escalate Privileges

It is possible to eliminate the ability for an attacker to escalate 
privileges from Read Only to Full Access without applying the service 
release by not using the Read Only access privilege, but instead only 
using the No Access or Full Access privileges. This is not an ideal 
solution, but can provide a temporary workaround.

For detailed instructions on configuring the privileges for a User Group 
within Cisco CallManager 4.1(3) see the Multilevel Administration Access 
Configuration:
 
<http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00803ed6ea.html#wp1022609>
 Assigning Privileges to a User Group

Section of the Cisco CallManager Administration Guide:
 
<http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_book09186a00803be4ec.html>
 Cisco CallManager Administration Guide, Release 4.1(3)


ADDITIONAL INFORMATION

The original article can be found at:
 <http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmpe.shtml> 
http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmpe.shtml



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Cisco Call Manager Privilege Escalation, SecuriTeam <=
Previous by Date:  [NEWS] Cisco Call Manager DoS, SecuriTeam
Next by Date:  [NEWS] Blogger.com HTTP Response Splitting Vulnerability, SecuriTeam
Previous by Thread:  [NEWS] Cisco Call Manager DoS, SecuriTeam
Next by Thread:  [NEWS] Blogger.com HTTP Response Splitting Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]