Bugtraq mailing list archives
Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability
From: <m123303 () richmond ac uk>
Date: 22 Feb 2005 23:29:52 -0000
Hello there!
I suspect there is a vulnerability in Avaya IP Office Phone Manager, both light and professional edition. The
vulnerability is based on the fact that IP Office Phone Manager stores sensitive data such as username, password and
PBX IP address under a key within the Windows Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Avaya\IP400\Generic]
"UserName"="Joe Smith"
"Password"=""
"PBXAddress"="10.154.1.60"
The previous example shows how and where the sensitive data is stored in the registry. I've had the opportunity to
check this in several hosts of my organization. In all these hosts the password always appears as a blank password
("Password"=""). However, I do not know if this is due to the fact that those employees were simply using blank
passwords to access the PBX or because the IP Office Phone Manager actually saves the password somewhere else.
The previous information could be accessed by an attacker with local access or remote access (through the "Remote
Registry" service) to the Windows registry of a certain host. Administrative privileges would be required, at least if
the default configuration is used.
In case the attacker is successful at getting access to the previous Windows registry key, he/she would be able to
impersonate an employee simply by using the IP Office Phone Manager software and logging in to the PBX with the same
username and password. This means that the attacker could do things such as check the victim's voicemails and make
phone calls within the organization under the victim's name.
I have been researching in Google and several vulnerability DBs to see if this problem was already known but I
couldn't find anything on it. This is why I decided to post this vulnerability here in the hope that it is indeed new
to the public.
I have been able to check that the usernames and IP addresses found in this registry key are actually real information,
meaning that the IP address actually matches the IP address of the PBX within the organization and that the username
matches the username used to access the PBX as well. So now I just need someone to help me to find out if the passwords
stored in this key are indeed real or simply an "obfuscation technique".
Regards,
pagvac (Adrian Pastor)
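
Added example, not part of the original post: a PowerShell audit that a defender could run on a host to check the exposure described above (values stored under the key, who can read it, and whether the Remote Registry service is reachable). It assumes an elevated session on the host being checked; the function name Get-PhoneManagerExposure and the list of principals treated as privileged are assumptions made for this example.

```powershell
# Added audit example (not from the original post). Run in an elevated session.
# Registry key as named in the post:
$KeyPath = 'HKLM:\SOFTWARE\Avaya\IP400\Generic'

function Get-PhoneManagerExposure {   # hypothetical helper name
    param([string]$Path = $KeyPath)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ KeyPresent = $false }
    }

    $values = Get-ItemProperty -Path $Path

    # Assumption: these principals are expected to have access; anything else is reported.
    $privileged = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

    # Allow ACEs on the key held by principals outside the privileged list.
    $otherAces = (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $privileged -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.RegistryRights }

    # The post names the "Remote Registry" service as the remote access path.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue

    [pscustomobject]@{
        KeyPresent            = $true
        # Report only whether each value is populated, never the value itself.
        UserNameStored        = -not [string]::IsNullOrEmpty([string]$values.UserName)
        PasswordStored        = -not [string]::IsNullOrEmpty([string]$values.Password)
        PBXAddressStored      = -not [string]::IsNullOrEmpty([string]$values.PBXAddress)
        NonPrivilegedAces     = @($otherAces)
        RemoteRegistryStatus  = if ($svc) { $svc.Status } else { 'NotInstalled' }
        RemoteRegistryStartup = if ($svc) { $svc.StartType } else { $null }
    }
}

Get-PhoneManagerExposure | Format-List
```

A populated PasswordStored together with a running Remote Registry service or read access for non-privileged principals is the combination the post is concerned about.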
