3COM NBX V3000 Networked Telephony Solution Information Disclosure

2013.06.04
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Known Affected Versions: R5_0_31 (Created March 1st, 2007)
Date Discovered: November 13, 2012

Obviously not anything new to get sensitive data out via the VxWorks remote debugger, but this seemed to warrant specific attention since it did allow for the disclosure of call logs and full access to all voice mails stored on the system. Vendor has stopped responding. There was some data around this system and the phones themselves for extracting configuration data released a while back but I have not found anything specific around the PBX switch out there.

Synopsis: The 3Com NBX V3000 phone system firmware was found to have the VxWorks remote debug service documented at http://www.kb.cert.org/vuls/id/362332 enabled. This allows for remotely extracting the contents of device memory over the network. When parsing the contents of memory, it was discovered that the call logs for the system as well as URLs which linked to WAV files containing voice mails that were accessible with no authentication were stored within the extracted content.

Reported to Vendor: December 23rd, 2012
Vendor Acknowledgement: December 24th, 2012
Last Vendor Response: January 16th, 2013 (No Resolution)

Vulnerability Reproduction:

1. Use the Metasploit VxWorks WDB Agent module (auxiliary/admin/vxworks/wdbrpc_memory_dump) to extract the contents of memory targeted at the IP of the PBX.
2. Extract the strings from the dump file generated by Metasploit and grep for HTTP links containing port 8889 to obtain voice mail URLs, also grep for names/numbers etc. for sensitive data.
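For administrators gauging their own exposure, the string triage in step 2 can be scripted so that findings are counted and reported without copying the voice mail links themselves. This is an added example, not code from the advisory; only port 8889 comes from the text above, while the sample dump bytes, host address and URL path layout are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

MIN_LEN = 6  # shortest printable run kept, like strings(1) with -n 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# HTTP links on port 8889, the voice mail port named in the advisory.
VM_URL = re.compile(r"https?://[A-Za-z0-9.\-]+:8889/[^\s\"'<>]*")

# Constructed sample: binary noise around strings; host and paths are made up.
SAMPLE_DUMP = (
    b"\x00\x01\xff\xfeCALL 2012-11-13 ext 1001 -> ext 1002\x00\x7f\x80"
    b"http://192.0.2.10:8889/vm/msg0001.wav\x00\x00"
    b"\x90\x90http://192.0.2.10:80/index.html\x00"
    b"\xde\xadhttp://192.0.2.10:8889/vm/msg0002.wav\x00"
    b"http://192.0.2.10:8889/vm/msg0001.wav\x00"
)

def extract_strings(blob):
    """Return printable ASCII runs found in a raw memory image."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]

def voicemail_urls(blob):
    """Distinct port-8889 URLs, in first-seen order."""
    found = {}
    for text in extract_strings(blob):
        for url in VM_URL.findall(text):
            found.setdefault(url, None)
    return list(found)

def redact(url):
    """Keep scheme and host:port, mask the path so a report leaks no links."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/<redacted>"

def summarize(blob):
    """Counts suitable for an exposure report on one memory image."""
    urls = voicemail_urls(blob)
    hosts = Counter(urlsplit(u).netloc for u in urls)
    return {"strings": len(extract_strings(blob)),
            "voicemail_urls": len(urls),
            "hosts": dict(hosts)}

if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP))
    for u in voicemail_urls(SAMPLE_DUMP):
        print(redact(u))
```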

References:

http://www.kb.cert.org/vuls/id/362332
http://seclists.org/fulldisclosure/2013/Jun/12

