[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4CCF440B.1000600@security-assessment.com>
Date: Tue, 2 Nov 2010 11:49:47 +1300
From: Nick Freeman <nick.freeman@...urity-assessment.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Security-Assessment.com Advisory: BroadWorks Call
Detail Record Disclosure Vulnerability
( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(_,) .`), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.
presents..
Name : BroadWorks Call Detail Record Disclosure Vulnerability
Vendor Website : http://broadsoft.com/products/broadworks/
Date Released : November 2, 2010
Affected Software: BroadWorks <= R16
Researcher : Nick Freeman (nick.freeman@...urity-assessment.com)
PDF:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.pdf
TXT:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.txt
+-----------+
|Description|
+-----------+
Security-Assessment.com discovered an issue regarding privilege
separation between different enterprise groups within BroadWorks.
This issue allows a user with Attendant Console privileges to
view and record live call detail records for any user of the
system, including users from other organisations.
+------------+
|Exploitation|
+------------+
Eavesdropping of call detail records requires knowledge of the target
user’s BroadWorks username, e.g. 098765432@...viceprovider.com.
BroadWorks uses Client Application Protocol (CAP) XML messages to
communicate between client applications and the BroadWorks platform. One
of the messages, monitoringUsersRequest, is transmitted by the Attendant
Console to BroadWorks during the logon procedure. This command includes
a list of usernames that the Attendant Console can monitor for incoming
and outgoing calls. A malicious user can replay this message with
usernames from other enterprises, and once this operation has completed,
all incoming and outgoing calls for the target user(s) will be visible to
the Attendant.
A basic proxy is available at
http://www.security-assessment.com/files/advisories/bwe.py which can
intercept and modify the XML stream, allowing the injection of
monitoringUsersRequest packets.
+--------+
|Solution|
+--------+
A patch is available from Broadsoft for this vulnerability.
+------+
|Credit|
+------+
Discovered and advised to Broadworks June 2010 by Nick Freeman of
Security-Assessment.com.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a New Zealand based world leader in web
application testing,
network security and penetration testing. Security-Assessment.com
services organisations
across New Zealand, Australia, Asia Pacific, the United States and the
United Kingdom.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists