<<< Date Index >>>     <<< Thread Index >>>

Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability




Hello there!

I suspect there is a vulnerability in Avaya IP Office Phone Manager, both light 
and professional edition. The vulnerability is based on the fact that IP Office 
Phone Manager stores sensitive data such as username, password and PBX IP 
address under a key within the Windows Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Avaya\IP400\Generic]
"UserName"="Joe Smith"
"Password"=""
"PBXAddress"="10.154.1.60"

The previous example shows how and where the sensitive data is stored in the 
registry. I've had the opportunity to check this in several hosts of my 
organization. In all these hosts the password always appears as blank password 
("Password"=""). However, I do not know if this is due to the fact that those 
employees were simply using blank passwords to access the PBX or because the IP 
Office Phone Manager actually saves the password somewhere else.

The previous information could be accessed by an attacker with local access or 
remote access (through the "Remote Registry" service) to the Windows registry  
of a certain host. Administrative privileges would be required, at least if the 
default configuration is used.

In case the attacker is successful at getting access to the previous Windows 
registry key, he/she would be able to impersonate an employee simply by using 
the IP Office Phone Manager software and logging to the PBX with the same 
username and password. This means that the attacker could do things such as 
check the victim's voicemails and make phonecalls within the organization under 
the victim's name.

I have been researching in google and serveral vulnerability DBs to see if this 
problem was already known but I couldn't find anything on it. This is why I 
decided to post this vulnerability here in the hope that it is indeed new to 
the public. 

I have been able to check that the usernames and IP addresses found in this 
registry key are actually real information, meaning that the IP address 
actually matches the IP address of the PBX within the organization and that the 
username matches the username used to access the PBX as well. So now I just 
need someone to help me to find out if the passwords stored in this key are 
indeed real or simply a "obsfucation technique".

Regards,
pagvac (Adrian Pastor)