Cisco CUCM - Multiple Vulnerabilities Nov 08 2011 02:31PM
entomology (entomology recurity-labs com)

Recurity Labs GmbH
entomology (at) recurity-labs (dot) com
Date: 08.11.2011

Vendor: Cisco Systems
Product: CUCM Environment
Cisco Unified Communications Manager (CallManager)
Cisco IP Phone CP-7975G
Vulnerability: Directory Traversal
Reversible Obfuscation Algorithm
SCCP service security issues
CTFTP Information Leaks
Voice VLAN Separation Activated Late
Affected Releases: 7.0, 8.0(2)
Severity: HIGH


Vendor communication:
25.05.2010 Initial notification to PSIRT
25.05.2010 PSIRT acknowledges the report
25.05.2010 Various acknowledgements from Cisco, some issues are
apparently already known.
28.05.2010 PSIRT still works on evaluations.
17.06.2010 PSIRT updates on the issues reported
03.02.2011 Requesting update from PSIRT
04.02.2011 Response that the case handler has left PSIRT
28.03.2011 A personal meeting during BlackHat Europe had
effects, new case handler reports the directory
traversal issue being fixed.
11.10.2011 Checking back with PSIRT and providing draft
11.10.2011 Latest status updates on two issues and
agreement on 2011-10-26 coordinated release
26.10.2011 Cisco releases cisco-sa-20111026-cucm
08.11.2011 Release

The product is a Unified Communications solution from Cisco Systems.
From the Web Site:

"Cisco Unified Communications Manager is an enterprise-class IP
communications processing system for up to 40,000 users, extensible to
80,000 users by way of a megacluster."

There is a remotely exploitable directory traversal vulnerability in
CUCM that allows attackers to read internal files available to the
Tomcat user. By design, this user has access to various sensitive
files. Therefore this vulnerability can be abused to lead to a full
system compromise of the CUCM system.

The vulnerability can be triggered before authentication.

Other vulnerabilities and issues are documented within this advisory
as well.


Directory Traversal:

The directory traversal vulnerability can be triggered from the
following location:


Reversible Obfuscation Algorithm:

The file platformConfig.xml is used to store various configuration
parameters which are used by the CUCM system. This includes network
configuration as well as "encrypted" passwords. The passwords are
encrypted using keys that are hardcoded within the system.

SCCP service security issues:

When one sends a RegisterMessage SCCP message with a malformed
"DeviceName" containing a single quote, it appears that one can inject
SQL commands. Additionally, while handling the malformed "DeviceName",
when certain characters are processed by the ODBC driver, the driver
crashes on a memcpy().

CTFTP Information Leaks:

The CTFTP service is a custom HTTP server that listens on port 6970.
The following hardcoded paths can be used to disclose information
about the CUCM configuration:

- TFTP file list /ConfigFileCacheList.txt including phone
configuration filename (which may contain passwords)
- Other interesting locations /BinFileCacheList.txt, /FileList.txt,
/PerfMon.txt, /ParamList.txt, /lddefault.cfg

Voice VLAN Separation Activated Late:

The Cisco phones have a port for connecting the PC that should not
pass voice VLAN tagged packets. When the phone is properly configured
it will only pass the correct packets to the PC port. It was however
observed that during boot, an attacker has a time window of roughly
10 seconds where they can receive and send voice VLAN tagged
packets. This means that during that time, an attacker can gain access
to the Voice VLAN without making any physical network changes (i.e. no
need to disconnect the phone).

Note that this has been tested on CP-7975G with an SCCP firmware

Typical example is to read /etc/passwd:


In this case we can read more useful files such as platformConfig.xml
which contains obfuscated administrative passwords:


Attackers can then login to the administrative Web interface by using
the decoded credentials from this file.

To decode the credentials of "ApplUserDbPwCrypt" from
1. Search for "ParamValue" xml tag where the "ParamDefaultValue" is
2. The value of "ParamValue" can then be decrypted by making use of
AES128-CBC as follows:
a) The first 16 bytes are used as IV
b) The second 16 bytes are the encrypted password
c) Initialize the cipher using the IV and key
d) Decrypt the encrypted password

Steps to reproduce the VLAN separation issue:
1. Start sniffing using Wireshark on the computer connected to the PC
2. Apply the Wireshark display filter "VLAN"; this will allow us to
only see VLAN tagged packets
3. Soft restart the Cisco phone by pressing on the settings button
and then **#**
4. Wireshark should start displaying broadcast packets from the voice
VLAN for a 10 second period
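
The same check can be scripted as a regression test after a firmware
change. The following Python is an added example, not part of the
original advisory: it parses raw Ethernet frames captured on the phone's
PC port and reports how many carry the voice VLAN's 802.1Q tag and over
what time span. VLAN IDs 110 and 20, the helper names and the sample
frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def parse_vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged/short."""
    if len(frame) < 18:          # 12 bytes of MACs + 4-byte tag + inner EtherType
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID

def voice_vlan_exposure(capture, voice_vid):
    """capture: iterable of (timestamp_seconds, raw_frame) seen on the PC port.
    Returns (frame_count, window_seconds) for frames tagged with voice_vid."""
    hits = [ts for ts, frame in capture if parse_vlan_id(frame) == voice_vid]
    if not hits:
        return 0, 0.0
    return len(hits), round(max(hits) - min(hits), 3)

def build_frame(vid=None, payload=b"\x00" * 46):
    """Construct a broadcast Ethernet frame, optionally 802.1Q tagged (test data)."""
    header = b"\xff" * 6 + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, (5 << 13) | vid) if vid is not None else b""
    return header + tag + struct.pack("!H", 0x0800) + payload

# Constructed capture: (seconds since phone restart, frame). VLAN 110 is an
# assumed voice VLAN ID, VLAN 20 an unrelated tag; neither comes from the advisory.
SAMPLE_CAPTURE = [
    (0.5, build_frame()),
    (2.0, build_frame(110)),
    (6.25, build_frame(110)),
    (7.0, build_frame(20)),
    (11.5, build_frame(110)),
    (15.0, build_frame()),
]

if __name__ == "__main__":
    count, window = voice_vlan_exposure(SAMPLE_CAPTURE, voice_vid=110)
    print(f"{count} voice-VLAN frames on PC port over {window}s")
```

Many NIC drivers strip 802.1Q tags before the capture layer sees them,
so confirm that the capturing host preserves tags before trusting an
empty result.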

Cisco Bug ID CSCth09343, see
http://www.cisco.com/warp/public/707/cisco-sa-20111026-cucm.shtml

Cisco Bug ID CSCsy45946, status unknown.

Cisco Bug ID CSCth06428, fixed.

According to Cisco, the TFTP hardcoded file names are by design.

According to Cisco, the hard phones work as designed.


Found by Sandro Gauci (EnableSecurity) and Felix Lindner (Recurity

Greets to Gaus and Cisco PSIRT.

The information provided is released "as is" without warranty
of any kind. The publisher disclaims all warranties, either express or
implied, including all warranties of merchantability. No responsibility
is taken for the correctness of this information.
In no event shall the publisher be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if the publisher has been advised of
the possibility of such damages.

The contents of this advisory are copyright (c) 2011 Recurity Labs GmbH
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.
