Network Security Vuln-Dev

Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability

Subject: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability
Date: 22 Feb 2005 23:29:52 -0000


Hello there!

I suspect there is a vulnerability in Avaya IP Office Phone Manager, both light 
and professional edition. The vulnerability is based on the fact that IP Office 
Phone Manager stores sensitive data such as username, password and PBX IP 
address under a key within the Windows Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Avaya\IP400\Generic]
"UserName"="Joe Smith"
"Password"=""
"PBXAddress"="10.154.1.60"

The previous example shows how and where the sensitive data is stored in the 
registry. I've had the opportunity to check this in several hosts of my 
organization. In all these hosts the password always appears as blank password 
("Password"=""). However, I do not know if this is due to the fact that those 
employees were simply using blank passwords to access the PBX or because the IP 
Office Phone Manager actually saves the password somewhere else.

The previous information could be accessed by an attacker with local access or 
remote access (through the "Remote Registry" service) to the Windows registry 
of a certain host. Administrative privileges would be required, at least if the 
default configuration is used.

In case the attacker is successful at getting access to the previous Windows 
registry key, he/she would be able to impersonate an employee simply by using 
the IP Office Phone Manager software and logging in to the PBX with the same 
username and password. This means that the attacker could do things such as 
check the victim's voicemails and make phone calls within the organization under 
the victim's name.

I have been researching on Google and several vulnerability DBs to see if this 
problem was already known but I couldn't find anything on it. This is why I 
decided to post this vulnerability here in the hope that it is indeed new to 
the public. 

I have been able to check that the usernames and IP addresses found in this 
registry key are actually real information, meaning that the IP address 
actually matches the IP address of the PBX within the organization and that the 
username matches the username used to access the PBX as well. So now I just 
need someone to help me to find out if the passwords stored in this key are 
indeed real or simply an "obfuscation technique".

Regards,
pagvac (Adrian Pastor)
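An audit script a defender could run against a workstation with Phone Manager installed, added here as an example; it is not part of the original post or of Avaya's software. It reads the key named in the post and reports whether a username, PBX address and non-blank password are stored, whether non-administrators have read access to the key, and whether the Remote Registry service is running. The Wow6432Node path is an assumption for a 32-bit Phone Manager on 64-bit Windows; the value itself is never printed.

```powershell
# Added example: audit the IP Office Phone Manager registry key described in the post.
# Run from an elevated PowerShell prompt; stored password values are counted, never shown.
function Test-AvayaPhoneManagerRegistry {
    [CmdletBinding()]
    param(
        # First path is the key from the post; the Wow6432Node variant is an assumption.
        [string[]]$KeyPaths = @(
            'HKLM:\SOFTWARE\Avaya\IP400\Generic',
            'HKLM:\SOFTWARE\Wow6432Node\Avaya\IP400\Generic'
        )
    )

    $findings = @()
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $props    = Get-ItemProperty -Path $path
        $password = [string]$props.Password

        # Can a broad, non-administrative group read the values? (post: admin needed by default)
        $acl = Get-Acl -Path $path
        $broadRead = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
            "$($_.RegistryRights)" -match 'ReadKey|QueryValues|FullControl'
        }).Count -gt 0

        $findings += [pscustomobject]@{
            KeyPath           = $path
            UserName          = $props.UserName
            PBXAddress        = $props.PBXAddress
            PasswordStored    = [bool]$password   # true only for a non-empty value
            PasswordLength    = $password.Length  # length is enough to triage; value is not echoed
            NonAdminReadable  = $broadRead
        }
    }

    # Remote Registry exposes the same values over the network when it is running.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $remoteRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Findings              = $findings
        RemoteRegistryRunning = $remoteRunning
        # Credentials on disk that an attacker could reuse to impersonate the user.
        AtRisk                = @($findings | Where-Object { $_.PasswordStored }).Count -gt 0
    }
}

Test-AvayaPhoneManagerRegistry | Format-List
```

Hosts where AtRisk is true, or where the key exists and RemoteRegistryRunning is true, are the ones to prioritise for disabling Remote Registry and tightening the key's ACL until the vendor's handling of the password is clarified.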
