I. SYNOPSIS

Release Date: 07/19/2006

Affected Application: Cisco CallManager 3.1 and up (versions prior to 3.1 were not tested but may
still be vulnerable)

Severity If Exploited: High

Impact: Arbitrary configuration of phone system/Theft of individual phone users' credentials

Mitigating Factors: Requires user action (following a link, visiting a resource with an embedded
redirect)

Initial Notification of Vendor: 10/24/2005

Discovery: Jake Reynolds, Senior Security Engineer -- FishNet Security

Contributions: Arian Evans, Senior Security Engineer - FishNet Security

Permanent Advisory Location:
http://www.fishnetsecurity.com/csirt/disclosure/cisco/Cisco+CallManager+XSS+Advisory.htm 

II. EXECUTIVE SUMMARY

Vulnerability Overview:
 
The web interface used to administer Cisco CallManager software suffers from a lack of input
validation and output encoding. As a result, an attacker could craft a request that causes the
CallManager web interface to include malicious JavaScript in its response. If a victim can be made to
submit this specially crafted request, the response will be processed, and the malicious JavaScript
payload executed in the browser of the victim.

Attack Overview: 

If such a request is provided to CallManager administrators (either in an email or embedded in an html
resource using something like an automatic redirect) an attacker can perform a variety of nefarious
actions. Depending on the scripted payload, these attacks are commonly referred to as cross-site
scripting (XSS), session riding, and cross-site request forgery (CSRF). Potential threats that can be
realized through these vulnerabilities could include but are not limited to:

* Deletion of phone system components such as devices, partitions, calling search spaces, etc

* Reconfiguration of phone system components such as route plans, global directory, services, etc

* Theft of global directory user credentials

* Theft of "Cisco CallManager User Options" credentials or session token leading to user identity
spoofing within that specific interface of CallManager (Utilization of the stolen credentials or
session tokens would require direct connectivity to CallManager.)

III. TECHNICAL DETAIL

Vulnerability Details: 
The web interfaces used to administer Cisco CallManager exhibit input validation/output encoding
vulnerabilities throughout the applications. Specifically, the "Cisco CallManager Administration" and
"Cisco CallManager User Options" interfaces contain multiple instances of these vulnerabilities. This
advisory will focus on a subset of those vulnerabilities that allow attack execution from an
unauthenticated perspective. Not all vulnerability instances will be included.

The "Cisco CallManager Administration" (http://CallManagerAddress/ccmadmin/) web interface contains 
parameters that have their user-supplied input returned in subsequent responses without being properly
encoded. Although this interface requires basic authentication before access to the vulnerable
parameters is granted, the original request will be sent to the server after successful
authentication. Thus, reflected script injection is possible if the attacker can lure a CallManager
administrator into entering their credentials upon being presented with the basic authentication box.
The URL below takes advantage of the vulnerable "pattern" parameter that returns user-supplied input
at several points within the subsequent responses.

http://CallManagerAddress/ccmadmin/phonelist.asp?findBy=description&match=begins&pattern=&submit1=Find&rows=20&wildcards=on&utilityList
A simple proof of concept script has been written that utilizes XMLHTTP to search for devices and
delete them from the CallManager configuration. Prior knowledge of the CallManager configuration would
allow for more savvy attacks that could intelligently reconfigure the phone system.

The "Cisco CallManager User Options" (http://CallManagerAddress/ccmuser/) web interface also contains 
vulnerable parameters. Most notably, arbitrary parameters included in requests to /ccmuser/logon.asp
are returned by the application without proper input validation or output encoding. The URL below
takes advantage of this behavior by appending the parameter "MadeUpParameter", escaping the form
included in the response, and rewriting all form actions to point to an attacker site that collects
all input. The application seems to remove the '+' character used to post-increment the loop counter
so URL hex encoding (%2B) was used to obfuscate it.





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH