Release Date: 07/19/2006
Affected Application: Cisco CallManager 3.1 and up (versions prior to 3.1 were not tested but may
still be vulnerable)
Severity If Exploited: High
Impact: Arbitrary configuration of phone system/Theft of individual phone users' credentials
Mitigating Factors: Requires user action (following a link, visiting a resource with an embedded
Initial Notification of Vendor: 10/24/2005
Discovery: Jake Reynolds, Senior Security Engineer -- FishNet Security
Contributions: Arian Evans, Senior Security Engineer - FishNet Security
Permanent Advisory Location:
II. EXECUTIVE SUMMARY
The web interface used to administer Cisco CallManager software suffers from a lack of input
validation and output encoding. As a result, an attacker could craft a request that causes the
payload executed in the browser of the victim.
If such a request is provided to CallManager administrators (either in an email or embedded in an html
resource using something like an automatic redirect) an attacker can perform a variety of nefarious
actions. Depending on the scripted payload, these attacks are commonly referred to as cross-site
scripting (XSS), session riding, and cross-site request forgery (CSRF). Potential threats that can be
realized through these vulnerabilities could include but are not limited to:
* Deletion of phone system components such as devices, partitions, calling search spaces, etc
* Reconfiguration of phone system components such as route plans, global directory, services, etc
* Theft of global directory user credentials
* Theft of "Cisco CallManager User Options" credentials or session token leading to user identity
spoofing within that specific interface of CallManager (Utilization of the stolen credentials or
session tokens would require direct connectivity to CallManager.)
III. TECHNICAL DETAIL
The web interfaces used to administer Cisco CallManager exhibit input validation/output encoding
vulnerabilities throughout the applications. Specifically, the "Cisco CallManager Administration" and
"Cisco CallManager User Options" interfaces contain multiple instances of these vulnerabilities. This
advisory will focus on a subset of those vulnerabilities that allow attack execution from an
unauthenticated perspective. Not all vulnerability instances will be included.
The "Cisco CallManager Administration" (http://CallManagerAddress/ccmadmin/) web interface contains
parameters that have their user-supplied input returned in subsequent responses without being properly
encoded. Although this interface requires basic authentication before access to the vulnerable
parameters is granted, the original request will be sent to the server after successful
authentication. Thus, reflected script injection is possible if the attacker can lure a CallManager
administrator into entering their credentials upon being presented with the basic authentication box.
The URL below takes advantage of the vulnerable "pattern" parameter that returns user-supplied input
at several points within the subsequent responses.
A simple proof of concept script has been written that utilizes XMLHTTP to search for devices and
delete them from the CallManager configuration. Prior knowledge of the CallManager configuration would
allow for more savvy attacks that could intelligently reconfigure the phone system.
The "Cisco CallManager User Options" (http://CallManagerAddress/ccmuser/) web interface also contains
vulnerable parameters. Most notably, arbitrary parameters included in requests to /ccmuser/logon.asp
are returned by the application without proper input validation or output encoding. The URL below
takes advantage of this behavior by appending the parameter "MadeUpParameter", escaping the form
included in the response, and rewriting all form actions to point to an attacker site that collects
all input. The application seems to remove the '+' character used to post-increment the loop counter
so URL hex encoding (%2B) was used to obfuscate it.