Cisco Unified Videoconferencing multiple vulnerabilities -
--=-GBXtDnncfn8l2yShf+vj
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Matta Consulting - Matta Advisory
http://www.trustmatta.com
Cisco Unified Videoconferencing multiple vulnerabilities
Advisory ID: MATTA-2010-001
CVE reference: CVE-2010-3037 CVE-2010-3038
Affected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,354=
5,
5110,5115 Systems and unspecified Radvision systems
Version: 7.0.1.13.3 at least and more likely all
Date: 2010-August-03
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Researcher: Florent Daigniere
Vendor Status: Notified, working on a patch
Vulnerability Disclosure Policy:
http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Description:
During an external pentest exercise for one of our clients, multiple
vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 whi=
ch
allowed us to ultimately gain access to the internal network.
- - Hard-coded credentials - CVE-2010-3038
Three accounts have a login shell and a password the administrator can neit=
her
disable nor change. The affected accounts are "root", "cs" and "develop".
Matta didn't spend the CPU cycles required to get those passwords but will
provide the salted hashes to interested parties. The credentials can be us=
ed
against both the FTP and the SSH daemon running on the device.
- - Services misconfiguration
There is an FTP daemon (vsftpd) running but no mention in the documentation
of what it might be useful for. User credentials created from the
web-interface allow to explore the filesystem/firmware of the device.
The file /etc/shadow has read permissions for all.
The ssh daemon (openssh) has a non-default but curious configuration. It
allows port-forwarding and socks proxies to be created, X11 to be
forwarded... even with the restricted shells.
The daemon binding the port of the web-interface is running as root.
- - Weak session IDs on the web interface
Session IDs are timestamps of when the user logged-in and are trivial to
forge. There are numerous ways of remotely gathering the remote time and
uptime, the easiest being to ask over RPC... Assuming that a user or an
administrator logged into the device shortly after it was powered up, and
that the network connectivity is fast, it is practical to bruteforce a
valid session id.=20
Using this vulnerability, a non-authenticated attacker can authenticate.
- - Usage of cookies to store credentials
Credentials to access the web interface are stored in base64 format in the
cookie sent by the browser. Over http in default configuration. While user=
s
are not expected to reuse their credentials, in practice they do; this is
an information-disclosure bug.
- - Remote Command Injection on the web-interface - CVE-2010-3037
The script at /goform/websXMLAdminRequestCgi.cgi is vulnerable to remote
command injection (post authentication). Many parameters can be abused,
including but not limited to the "username" field. Obviously, as the
webserver is running as root, it can lead to complete compromise of the
device.
- - Weak obfuscation of credentials
The configuration file /opt/rv/Versions/CurrentVersion/Mcu/Config/Mcu.val
contains obfuscated passwords which are trivial to reveal. This is an
information-disclosure bug. Best practices recommend using PBKDF2 to store
passwords.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Impact
If successful, a malicious third party can get full control of the device a=
nd
harvest user passwords with little to no effort. The Attacker might
reposition and launch an attack against other parts of the target
infrastructure from there.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Versions affected:
Firmware version 7.0.1.13.3 tested. All deployed versions are probably
vulnerable.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Threat mitigation
Until a patch is issued by the vendor, Matta recommends you unplug the
device from its network socket.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Base64 encoded decryption script for the credentials:
IyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTE=
w
LUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2J=
m
dXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQ=
u
c2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCg=
u
LlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1=
h
IDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7Owo=
J
CWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCk=
g
bD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA=
7
OwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQl=
j
ZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw=
9
bCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzs=
K
CQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjU=
p
IGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVI=
g
OzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7Cgk=
J
ZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSB=
s
PXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs=
7
CgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk=
5
NCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw=
9
NSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzs=
K
CQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg=3D=3D
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Credits
This vulnerability was discovered and researched by Florent Daigniere from
Matta Consulting.
Thank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the
coordination effort.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
History
30-07-10 initial discovery
05-08-10 our client has mitigated the risk for his infrastructure
....
23-08-10 initial attempt to contact the vendor
23-08-10 sent pre-advisory to the vendor
PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0
23-08-10 reply from the vendor, case PSIRT-0217563645 is open
....
21-09-10 agreement on the public disclosure date
....
08-11-10 planned disclosure date (missed), CVE assignments
....
17-11-10 public disclosure
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
About Matta
Matta is a privately held company with Headquarters in London, and a Europe=
an
office in Amsterdam. Established in 2001, Matta operates in Europe, Asia=
,
the Middle East and North America using a respected team of senior
consultants. Matta is an accredited provider of Tigerscheme training;
conducts regular research and is the developer behind the webcheck
application scanner, and colossus network scanner.
http://www.trustmatta.com
http://www.trustmatta.com/webapp_va.html
http://www.trustmatta.com/network_va.html
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Disclaimer and Copyright
Copyright (c) 2010 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and fitnes=
s
for a particular purpose. In no event shall Matta Consulting or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Matta Consulting or its suppliers have been advised of the
possibility of such damages.
--=-GBXtDnncfn8l2yShf+vj
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EABEIAAYFAkzjrrYACgkQK4WlVyBR8nT2ewD/VsQQEJI1q4zUVGGPTyvhplwH
/Rz4m1vePOJwABm/8dQA/RBf3jqHHSab9qjp6tcf0ZzdB2DYWavahztVT5VmVVoO
=2RnA
-----END PGP SIGNATURE-----
--=-GBXtDnncfn8l2yShf+vj--