lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+ms+uJPNQs7nn3DRJaKLv=sSpPSHuEP2=7RyvTyK-tzjcezWg@mail.gmail.com>
Date: Mon, 3 Jun 2013 10:59:17 -0500
From: Russell Butturini <tcstool@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: 3COM NBX V3000 Networked Telephony Solution
	Information Disclosure

*Known Affected Versions: *R5_0_31 (Created March 1st, 2007)
*Date Discovered: *November 13, 2012

Obviously not anything new to get sensitive data out via the VxWorks remote
debugger, but this seemed to warrant specific attention since it did allow
for the disclosure of call logs and full access to all voice mails stored
on the system.  Vendor has stopped responding.  There was some data around
this system and the phones themselves for extracting configuration data
released a while back but I have not found anything specific around the PBX
switch out there.

*Synopsis: *The 3Com NBX V3000 phone system firmware was found to have the
VxWorks remote debug service documented at
http://www.kb.cert.org/vuls/id/362332 enabled.  This allows for remotely
extracting the contents of device memory over the network.  When parsing
the contents of memory, it was discovered that the call logs for the system
as well as URLs which linked to WAV files containing voice mails that were
accessible with no authentication were stored within the extracted
content.

*Reported to Vendor: *December 23rd, 2012
*Vendor Acknowledgement: *December 24th, 2012
*Last Vendor Response: *January 16th, 2013 (No Resolution)

Vulnerability Reproduction:

1.  Use the Metasploit VxWorks WDB Agent module (*
auxiliary/admin/vxworks/wdbrpc_memory_dump)* to extract the contents of
memory targeted at the IP of the PBX.

2.  Extract the strings from the dump file generated by Metasploit and grep
for HTTP links containing port 8889 to obtain voice mail URLs, also grep
for names/numbers etc. for sensitive data.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ