Message-ID: <4CCF440B.1000600@security-assessment.com>
Date: Tue, 2 Nov 2010 11:49:47 +1300
From: Nick Freeman <nick.freeman@...urity-assessment.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Security-Assessment.com Advisory: BroadWorks Call
 Detail Record Disclosure Vulnerability


   (    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ____   _____  
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _='`"``=.

                presents..


Name             : BroadWorks Call Detail Record Disclosure Vulnerability
Vendor Website   : http://broadsoft.com/products/broadworks/
Date Released    : November 2, 2010
Affected Software: BroadWorks <= R16
Researcher       : Nick Freeman (nick.freeman@...urity-assessment.com)


PDF:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.pdf
TXT:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.txt


+-----------+
|Description|
+-----------+

Security-Assessment.com discovered an issue regarding privilege
separation between different enterprise groups within BroadWorks.
This issue allows a user with Attendant Console privileges to
view and record live call detail records for any user of the
system, including users from other organisations.


+------------+
|Exploitation|
+------------+


Eavesdropping of call detail records requires knowledge of the target
user’s BroadWorks username, e.g. 098765432@...viceprovider.com.
BroadWorks uses Client Application Protocol (CAP) XML messages to
communicate between client applications and the BroadWorks platform. One
of the messages, monitoringUsersRequest, is transmitted by the Attendant
Console to BroadWorks during the logon procedure. This command includes
a list of usernames that the Attendant Console can monitor for incoming
and outgoing calls. A malicious user can replay this message with
usernames from other enterprises, and once this operation has completed,
all incoming and outgoing calls for the target user(s) will be visible to
the Attendant.


A basic proxy is available at
http://www.security-assessment.com/files/advisories/bwe.py which can
intercept and modify the XML stream, allowing the injection of
monitoringUsersRequest packets.


+--------+
|Solution|
+--------+

A patch is available from BroadSoft for this vulnerability.


+------+
|Credit|
+------+

Discovered and advised to BroadWorks in June 2010 by Nick Freeman of
Security-Assessment.com.


+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world leader in web
application testing, network security and penetration testing.
Security-Assessment.com services organisations across New Zealand,
Australia, Asia Pacific, the United States and the United Kingdom.
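
The flaw described under Exploitation is that the username list in
monitoringUsersRequest is accepted as the client sent it. The server-side
authorisation check that closes this class of flaw is shown here as an added
example; it is not part of the original advisory and is not BroadSoft's patch.
The directory, enterprise identifiers and function names are hypothetical, and
the usernames are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscriber:
    username: str
    enterprise: str  # hypothetical tenant identifier for the account


# Constructed sample directory: two enterprises on one service provider.
SUBSCRIBERS = [
    Subscriber("1001@sp.example", "ent-a"),  # attendant
    Subscriber("1002@sp.example", "ent-a"),
    Subscriber("2001@sp.example", "ent-b"),
]


def build_directory(subscribers):
    """Index subscribers by lower-cased username for case-insensitive lookup."""
    return {s.username.lower(): s for s in subscribers}


def authorize_monitoring(attendant, requested, directory):
    """Split requested usernames into (allowed, denied).

    A target is allowed only if it exists and shares the attendant's
    enterprise. Unknown attendants and unknown targets fail closed.
    """
    me = directory.get(attendant.lower())
    if me is None:
        return [], list(requested)
    allowed, denied = [], []
    for name in requested:
        target = directory.get(name.lower())
        if target is not None and target.enterprise == me.enterprise:
            allowed.append(name)
        else:
            denied.append(name)
    return allowed, denied


def handle_request(attendant, requested, directory, audit_log):
    """Reject the whole request if any target is out of scope, and log it."""
    allowed, denied = authorize_monitoring(attendant, requested, directory)
    if denied:
        audit_log.append({"event": "monitoring_denied",
                          "attendant": attendant, "targets": denied})
        return []
    return allowed
```

Rejecting the whole request, rather than silently dropping the out-of-scope
names, leaves an audit record each time a client asks for another tenant's users.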




